RH Bugzilla Integration commented on WFCORE-504:
------------------------------------------------
Kabir Khan <kkhan(a)redhat.com> changed the Status of [bug
RBAC does not let server-group scoped roles read all hosts
----------------------------------------------------------
Key: WFCORE-504
URL: https://issues.jboss.org/browse/WFCORE-504
Project: WildFly Core
Issue Type: Bug
Components: Domain Management
Affects Versions: 1.0.0.Alpha15
Reporter: Brian Stansberry
Assignee: Brian Stansberry
Fix For: 1.0.0.Alpha16
The RBAC implementation is not allowing a server-group scoped role to read resources in
the host=* tree unless one of these is true:
1) the host only contains a server mapped to the server group
2) the host doesn't contain any servers.
This is consistent with handling of other "mappable" things but is contrary to
the docs, which declare
"In addition to these privileges, users in a server-group scoped role will have
non-sensitive read privileges (equivalent to the Monitor role) for resources other than
those listed above."
but don't list these host resources.
It's also unintuitive, as the s-g-s-r is actually allowed to add a server on the
host, but can't read the other host resources before doing so.
Also, asking the DC for the list of host names will include the host, but trying to read
its root resource will result in a NoSuchResourceException.
The issue dates back to 8.0, but recent changes to the console have resulted in this
breaking console behavior.
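
The read rule described in the report, set beside the documented one, as an added example (not WildFly code and not part of the original issue). The topology, host and group names, and function names are constructed, and condition 1 is read here as "every server on the host maps to a group in the role's scope", which is an assumption.

```python
# Toy model of the host=* read decision for a server-group scoped role.
# Nothing here is a WildFly API; all names and data are constructed.

# Constructed domain topology: host -> {server name: server group}
DOMAIN = {
    "host-a": {"server-one": "main-group"},
    "host-b": {"server-two": "main-group", "server-three": "other-group"},
    "host-c": {},
    "host-d": {"server-four": "other-group"},
}


def readable_as_reported(host, scope_groups):
    """Behaviour in the report: the host is readable only if it has no
    servers, or (assumed reading) all its servers are in the role's scope."""
    groups = set(DOMAIN[host].values())
    return not groups or groups <= set(scope_groups)


def readable_as_documented(host, scope_groups):
    """Documented behaviour: Monitor-equivalent, non-sensitive read on
    resources outside the scope, so every existing host is readable."""
    return host in DOMAIN


def list_host_names():
    """Per the report, the DC's host name list is not filtered by scope."""
    return sorted(DOMAIN)


def unreadable_listed_hosts(scope_groups, rule):
    """Hosts that appear in the name list but whose root read is refused
    under `rule` (the NoSuchResourceException case in the report)."""
    return [h for h in list_host_names() if not rule(h, scope_groups)]


if __name__ == "__main__":
    scope = ["main-group"]
    print("listed:", list_host_names())
    print("reported rule refuses:",
          unreadable_listed_hosts(scope, readable_as_reported))
    print("documented rule refuses:",
          unreadable_listed_hosts(scope, readable_as_documented))
```

The same two lists, compared per scoped role, make a compact regression check for a fix: under the documented rule no listed host should be unreadable.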