[jboss-jira] [JBoss JIRA] (WFLY-2278) Deployer can't modify data source when datasources set as application resources
[
https://issues.jboss.org/browse/WFLY-2278?page=com.atlassian.jira.plugin....
]
RH Bugzilla Integration commented on WFLY-2278:
-----------------------------------------------
Harald Pehl <hpehl(a)redhat.com> made a comment on [bug
1017786|https://bugzilla.redhat.com/show_bug.cgi?id=1017786]
The console uses @AccessControl annotations to bind 1-n resources to presenters.
Presenters are the "P" in the MVP architecture used in the console. Most
presenters are addressable using an URL like
http://localhost:9990/console/App.html#datasources.
When the presenter is shown for the first time, the console reads the access control
metadata of its configured resources to decide whether operations can be executed or
attributes are readable/writable.
The datasource presenter is configured using the following resources:
@AccessControl(resources = {
"/{selected.profile}/subsystem=datasources/data-source=*",
"/{selected.profile}/subsystem=datasources/xa-data-source=*"
})
The current implementation uses an "all-or-nothing" rule: If not all resources
are writable, none will be writable. To cut a long story short. Making also the
xa-data-source an application resource will give the deployer the permissions to edit both
the data-source and the xa-data-source resource:
/core-service=management/access=authorization/constraint=application-classification/type=datasources/classification=data-source:write-attribute(name=configured-application,
value=true)
/core-service=management/access=authorization/constraint=application-classification/type=datasources/classification=xa-data-source:write-attribute(name=configured-application,
value=true)
Deployer can't modify data source when datasources set as
application resources
-------------------------------------------------------------------------------
Key: WFLY-2278
URL: https://issues.jboss.org/browse/WFLY-2278
Project: WildFly
Issue Type: Sub-task
Security Level: Public(Everyone can see)
Components: Domain Management
Reporter: Ladislav Thon
Assignee: Brian Stansberry
Labels: rbac-filed-by-qa
Fix For: 8.0.0.CR1
When data sources are made application resources, deployer should be able to modify them.
This doesn't work, as opposed to e.g. mail sessions. For example:
{code}
/core-service=management/access=authorization/constraint=application-classification/type=datasources/classification=data-source:write-attribute(name=configured-application,
value=true)
{"outcome" => "success"}
[standalone@localhost:9990 /]
/subsystem=datasources/data-source=ExampleDS:write-attribute(name=jndi-name,
value="java:jboss/datasources/ExampleDS_XXX"){roles=deployer}
{
"outcome" => "failed",
"failure-description" => "JBAS013456: Unauthorized to execute
operation 'write-attribute' for resource '[
(\"subsystem\" => \"datasources\"),
(\"data-source\" => \"ExampleDS\")
]' -- \"JBAS013475: Permission denied\"",
"rolled-back" => true
}
[standalone@localhost:9990 /]
/core-service=management/access=authorization/constraint=application-classification/type=mail/classification=mail-session:write-attribute(name=configured-application,
value=true)
{"outcome" => "success"}
[standalone@localhost:9990 /]
/subsystem=mail/mail-session=java\:jboss\/mail\/Default:write-attribute(name=jndi-name,
value="java:jboss/mail/Default_XXX"){roles=deployer}
{
"outcome" => "success",
"response-headers" => {
"operation-requires-reload" => true,
"process-state" => "reload-required"
}
}
{code}
I have a test case for this as a last commit in my branch
https://github.com/Ladicek/wildfly/commits/rbac (that is the commit called _RBAC test case
for application types_).
Brian, in case you are not the right assignee, please reassign.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira