]
Brian Stansberry commented on WFCORE-832:
-----------------------------------------
Thanks.
I agree that rolling them up would be both difficult and could lead to other bugs.
I think what you have is ok, so long as there is a clear pattern that always applies and
can be documented. Something like:
"If in the exceptions section there is an entry with a wildcard value in an element
of its address, this indicates there is resource type definition registered under that
exact element, but that there are no actual resource instances of that type. If there are
actual resource instances of a type, there will be individual exceptions entries for those
resources."
Access control exceptions missing for non-existent resources
------------------------------------------------------------
Key: WFCORE-832
URL:
https://issues.jboss.org/browse/WFCORE-832
Project: WildFly Core
Issue Type: Bug
Components: Domain Management
Reporter: Harald Pehl
Assignee: Kabir Khan
When asking for the access control metadata using (r-r-d) on *existing* resources I get
an exceptions block:
{code}
/server-group=*:read-resource-description(access-control=trim-descriptions,operations=true){roles=[main-maintainer,other-monitor]}
{
"outcome" => "success",
"result" => [{
"address" => [("server-group" => "*")],
"outcome" => "success",
"result" => {
"description" => undefined,
"attributes" => undefined,
"operations" => undefined,
"notifications" => undefined,
"children" => {
"deployment" => {"model-description" =>
undefined},
"jvm" => {"model-description" => undefined},
"deployment-overlay" => {"model-description" =>
undefined},
"system-property" => {"model-description" =>
undefined}
},
"access-control" => {
"default" => {
"read" => true,
"write" => false,
"attributes" => {
"management-subsystem-endpoint" => {
"read" => true,
"write" => false
},
"profile" => {
"read" => true,
"write" => false
},
"socket-binding-default-interface" => {
"read" => true,
"write" => false
},
"socket-binding-group" => {
"read" => true,
"write" => false
},
"socket-binding-port-offset" => {
"read" => true,
"write" => false
}
},
"operations" => {
"read-children-types" => {"execute" =>
true},
"whoami" => {"execute" => true},
"map-clear" => {"execute" => false},
"list-get" => {"execute" => true},
"write-attribute" => {"execute" =>
false},
"replace-deployment" => {"execute" =>
false},
"stop-servers" => {"execute" =>
false},
"remove" => {"execute" => false},
"list-add" => {"execute" => false},
"map-put" => {"execute" => false},
"read-attribute-group-names" => {"execute"
=> true},
"restart-servers" => {"execute" =>
false},
"resume-servers" => {"execute" =>
false},
"read-resource-description" => {"execute"
=> true},
"read-resource" => {"execute" =>
true},
"add" => {"execute" => false},
"suspend-servers" => {"execute" =>
false},
"reload-servers" => {"execute" =>
false},
"query" => {"execute" => true},
"read-operation-description" => {"execute"
=> true},
"map-get" => {"execute" => true},
"list-clear" => {"execute" => false},
"read-attribute" => {"execute" =>
true},
"map-remove" => {"execute" => false},
"read-attribute-group" => {"execute" =>
true},
"undefine-attribute" => {"execute" =>
false},
"read-children-names" => {"execute" =>
true},
"start-servers" => {"execute" =>
false},
"read-operation-names" => {"execute" =>
true},
"list-remove" => {"execute" => false},
"read-children-resources" => {"execute"
=> true}
}
},
"exceptions" => {"[(\"server-group\" =>
\"main-server-group\")]" => {
"read" => true,
"write" => true,
"attributes" => {
"management-subsystem-endpoint" => {
"read" => true,
"write" => false
},
"profile" => {
"read" => true,
"write" => true
},
"socket-binding-default-interface" => {
"read" => true,
"write" => false
},
"socket-binding-group" => {
"read" => true,
"write" => true
},
"socket-binding-port-offset" => {
"read" => true,
"write" => false
}
},
"operations" => {
"read-children-types" => {"execute" =>
true},
"whoami" => {"execute" => true},
"map-clear" => {"execute" => true},
"list-get" => {"execute" => true},
"write-attribute" => {"execute" =>
true},
"replace-deployment" => {"execute" =>
true},
"stop-servers" => {"execute" => true},
"remove" => {"execute" => false},
"list-add" => {"execute" => true},
"map-put" => {"execute" => true},
"read-attribute-group-names" => {"execute"
=> true},
"restart-servers" => {"execute" =>
true},
"resume-servers" => {"execute" =>
true},
"read-resource-description" => {"execute"
=> true},
"read-resource" => {"execute" =>
true},
"add" => {"execute" => false},
"suspend-servers" => {"execute" =>
true},
"reload-servers" => {"execute" =>
true},
"query" => {"execute" => true},
"read-operation-description" => {"execute"
=> true},
"map-get" => {"execute" => true},
"list-clear" => {"execute" => true},
"read-attribute" => {"execute" =>
true},
"map-remove" => {"execute" => true},
"read-attribute-group" => {"execute" =>
true},
"undefine-attribute" => {"execute" =>
true},
"read-children-names" => {"execute" =>
true},
"start-servers" => {"execute" =>
true},
"read-operation-names" => {"execute" =>
true},
"list-remove" => {"execute" => true},
"read-children-resources" => {"execute"
=> true}
},
"address" => [("server-group" =>
"main-server-group")]
}}
}
}
}]
}
{code}
However when using the same operation on *non-existng* resources I don't see an
exception block:
{code}
/server-group=*/deployment=*:read-resource-description(access-control=trim-descriptions,operations=true){roles=[main-maintainer,other-monitor]}
{
"outcome" => "success",
"result" => [{
"address" => [
("server-group" => "*"),
("deployment" => "*")
],
"outcome" => "success",
"result" => {
"description" => undefined,
"access-constraints" => {"application" =>
{"deployment" => {"type" => "core"}}},
"attributes" => undefined,
"operations" => undefined,
"notifications" => undefined,
"children" => {},
"access-control" => {
"default" => {
"read" => true,
"write" => false,
"attributes" => {
"enabled" => {
"read" => true,
"write" => false
},
"name" => {
"read" => true,
"write" => false
},
"runtime-name" => {
"read" => true,
"write" => false
}
},
"operations" => {
"read-children-types" => {"execute" =>
true},
"whoami" => {"execute" => true},
"map-clear" => {"execute" => false},
"list-get" => {"execute" => true},
"write-attribute" => {"execute" =>
false},
"remove" => {"execute" => false},
"deploy" => {"execute" => false},
"list-add" => {"execute" => false},
"map-put" => {"execute" => false},
"read-attribute-group-names" => {"execute"
=> true},
"redeploy" => {"execute" => false},
"read-resource-description" => {"execute"
=> true},
"read-resource" => {"execute" =>
true},
"add" => {"execute" => false},
"query" => {"execute" => true},
"read-operation-description" => {"execute"
=> true},
"map-get" => {"execute" => true},
"list-clear" => {"execute" => false},
"read-attribute" => {"execute" =>
true},
"map-remove" => {"execute" => false},
"read-attribute-group" => {"execute" =>
true},
"undefine-attribute" => {"execute" =>
false},
"read-children-names" => {"execute" =>
true},
"read-operation-names" => {"execute" =>
true},
"list-remove" => {"execute" => false},
"read-children-resources" => {"execute"
=> true},
"undeploy" => {"execute" => false}
}
},
"exceptions" => {}
}
}
}]
}
{code}
Some notes on the domain:
- Built from WildFly 10 master
- No deployments present
- Role {{main-maintainer}} is a server group scoped role based on Maintainer and scoped
to main-server-group
- Role {{other-monitor}} is a server group scoped role based on Monitor and scoped to
other-server-group
What we would need is a way to *always* get the exceptions no matter whether the resource
exists. In the console we create a so-called security context which uses wildcard r-r-d
operations like the ones above. This security context is used later on to show / hide UI
controls.