]
Brian Stansberry commented on WFCORE-832:
-----------------------------------------
[~kabirkhan] with your WFCORE-994 branch, what's the result for this?
{code}
/server-group=*/deployment=*:read-resource-description(access-control=trim-descriptions,operations=true){roles=[main-maintainer,other-monitor]}
{code}
Access control exceptions missing for non-existent resources
------------------------------------------------------------
Key: WFCORE-832
URL:
https://issues.jboss.org/browse/WFCORE-832
Project: WildFly Core
Issue Type: Bug
Components: Domain Management
Reporter: Harald Pehl
Assignee: Kabir Khan
When asking for the access control metadata using (r-r-d) on *existing* resources I get
an exceptions block:
{code}
/server-group=*:read-resource-description(access-control=trim-descriptions,operations=true){roles=[main-maintainer,other-monitor]}
{
"outcome" => "success",
"result" => [{
"address" => [("server-group" => "*")],
"outcome" => "success",
"result" => {
"description" => undefined,
"attributes" => undefined,
"operations" => undefined,
"notifications" => undefined,
"children" => {
"deployment" => {"model-description" =>
undefined},
"jvm" => {"model-description" => undefined},
"deployment-overlay" => {"model-description" =>
undefined},
"system-property" => {"model-description" =>
undefined}
},
"access-control" => {
"default" => {
"read" => true,
"write" => false,
"attributes" => {
"management-subsystem-endpoint" => {
"read" => true,
"write" => false
},
"profile" => {
"read" => true,
"write" => false
},
"socket-binding-default-interface" => {
"read" => true,
"write" => false
},
"socket-binding-group" => {
"read" => true,
"write" => false
},
"socket-binding-port-offset" => {
"read" => true,
"write" => false
}
},
"operations" => {
"read-children-types" => {"execute" =>
true},
"whoami" => {"execute" => true},
"map-clear" => {"execute" => false},
"list-get" => {"execute" => true},
"write-attribute" => {"execute" =>
false},
"replace-deployment" => {"execute" =>
false},
"stop-servers" => {"execute" =>
false},
"remove" => {"execute" => false},
"list-add" => {"execute" => false},
"map-put" => {"execute" => false},
"read-attribute-group-names" => {"execute"
=> true},
"restart-servers" => {"execute" =>
false},
"resume-servers" => {"execute" =>
false},
"read-resource-description" => {"execute"
=> true},
"read-resource" => {"execute" =>
true},
"add" => {"execute" => false},
"suspend-servers" => {"execute" =>
false},
"reload-servers" => {"execute" =>
false},
"query" => {"execute" => true},
"read-operation-description" => {"execute"
=> true},
"map-get" => {"execute" => true},
"list-clear" => {"execute" => false},
"read-attribute" => {"execute" =>
true},
"map-remove" => {"execute" => false},
"read-attribute-group" => {"execute" =>
true},
"undefine-attribute" => {"execute" =>
false},
"read-children-names" => {"execute" =>
true},
"start-servers" => {"execute" =>
false},
"read-operation-names" => {"execute" =>
true},
"list-remove" => {"execute" => false},
"read-children-resources" => {"execute"
=> true}
}
},
"exceptions" => {"[(\"server-group\" =>
\"main-server-group\")]" => {
"read" => true,
"write" => true,
"attributes" => {
"management-subsystem-endpoint" => {
"read" => true,
"write" => false
},
"profile" => {
"read" => true,
"write" => true
},
"socket-binding-default-interface" => {
"read" => true,
"write" => false
},
"socket-binding-group" => {
"read" => true,
"write" => true
},
"socket-binding-port-offset" => {
"read" => true,
"write" => false
}
},
"operations" => {
"read-children-types" => {"execute" =>
true},
"whoami" => {"execute" => true},
"map-clear" => {"execute" => true},
"list-get" => {"execute" => true},
"write-attribute" => {"execute" =>
true},
"replace-deployment" => {"execute" =>
true},
"stop-servers" => {"execute" => true},
"remove" => {"execute" => false},
"list-add" => {"execute" => true},
"map-put" => {"execute" => true},
"read-attribute-group-names" => {"execute"
=> true},
"restart-servers" => {"execute" =>
true},
"resume-servers" => {"execute" =>
true},
"read-resource-description" => {"execute"
=> true},
"read-resource" => {"execute" =>
true},
"add" => {"execute" => false},
"suspend-servers" => {"execute" =>
true},
"reload-servers" => {"execute" =>
true},
"query" => {"execute" => true},
"read-operation-description" => {"execute"
=> true},
"map-get" => {"execute" => true},
"list-clear" => {"execute" => true},
"read-attribute" => {"execute" =>
true},
"map-remove" => {"execute" => true},
"read-attribute-group" => {"execute" =>
true},
"undefine-attribute" => {"execute" =>
true},
"read-children-names" => {"execute" =>
true},
"start-servers" => {"execute" =>
true},
"read-operation-names" => {"execute" =>
true},
"list-remove" => {"execute" => true},
"read-children-resources" => {"execute"
=> true}
},
"address" => [("server-group" =>
"main-server-group")]
}}
}
}
}]
}
{code}
However when using the same operation on *non-existng* resources I don't see an
exception block:
{code}
/server-group=*/deployment=*:read-resource-description(access-control=trim-descriptions,operations=true){roles=[main-maintainer,other-monitor]}
{
"outcome" => "success",
"result" => [{
"address" => [
("server-group" => "*"),
("deployment" => "*")
],
"outcome" => "success",
"result" => {
"description" => undefined,
"access-constraints" => {"application" =>
{"deployment" => {"type" => "core"}}},
"attributes" => undefined,
"operations" => undefined,
"notifications" => undefined,
"children" => {},
"access-control" => {
"default" => {
"read" => true,
"write" => false,
"attributes" => {
"enabled" => {
"read" => true,
"write" => false
},
"name" => {
"read" => true,
"write" => false
},
"runtime-name" => {
"read" => true,
"write" => false
}
},
"operations" => {
"read-children-types" => {"execute" =>
true},
"whoami" => {"execute" => true},
"map-clear" => {"execute" => false},
"list-get" => {"execute" => true},
"write-attribute" => {"execute" =>
false},
"remove" => {"execute" => false},
"deploy" => {"execute" => false},
"list-add" => {"execute" => false},
"map-put" => {"execute" => false},
"read-attribute-group-names" => {"execute"
=> true},
"redeploy" => {"execute" => false},
"read-resource-description" => {"execute"
=> true},
"read-resource" => {"execute" =>
true},
"add" => {"execute" => false},
"query" => {"execute" => true},
"read-operation-description" => {"execute"
=> true},
"map-get" => {"execute" => true},
"list-clear" => {"execute" => false},
"read-attribute" => {"execute" =>
true},
"map-remove" => {"execute" => false},
"read-attribute-group" => {"execute" =>
true},
"undefine-attribute" => {"execute" =>
false},
"read-children-names" => {"execute" =>
true},
"read-operation-names" => {"execute" =>
true},
"list-remove" => {"execute" => false},
"read-children-resources" => {"execute"
=> true},
"undeploy" => {"execute" => false}
}
},
"exceptions" => {}
}
}
}]
}
{code}
Some notes on the domain:
- Built from WildFly 10 master
- No deployments present
- Role {{main-maintainer}} is a server group scoped role based on Maintainer and scoped
to main-server-group
- Role {{other-monitor}} is a server group scoped role based on Monitor and scoped to
other-server-group
What we would need is a way to *always* get the exceptions no matter whether the resource
exists. In the console we create a so-called security context which uses wildcard r-r-d
operations like the ones above. This security context is used later on to show / hide UI
controls.