Ok, thanks! I created https://issues.jboss.org/browse/KEYCLOAK-3576
> On 14 Sep 2016, at 10:20, Marek Posolda <mposolda@redhat.com> wrote:
>
> It seems that for view/update UserFederation, we currently require permissions to "view-users" or "manage-users" . This looks like a bug as admin, who is able just to manage users, shouldn't be allowed to manage user federation providers. It seems this should either be "view-realm" or "manage-realm" or separate dedicated roles for user federation providers.
>
> Could you please create JIRA?
>
> Thanks,
> Marek
>
> On 14/09/16 09:41, Edgar Vonk - Info.nl wrote:
>> Hi Marek,
>>
>> Very sorry, this was our fault. We were using an outdated and customized version of the users.js file from Keycloak in our theme and this was causing the issue.
>>
>> We do now see a somewhat related issue in that our user admin accounts (with the manage-users realm-management role) now also see the ‘Configure - User Federation’ menu item and are actually able to change some (but not all) settings in our user federation (and can even delete them I think). Maybe any ideas on how to make sure these users no longer get access to Configure - User Federation?
>>
>> cheers
>>
>> Edgar
>>
>>
>>> On 08 Sep 2016, at 14:04, Marek Posolda <mposolda@redhat.com> wrote:
>>>
>>> Hi Edgar,
>>>
>>> I was trying to reproduce, but wasn't able. The expected format to invoke this endpoint should be /auth/admin/realms/our-custom-realm/attack-detection/brute- force/users /{userId} so I understand why it fails. But I am not seeing anything in admin console UI, which invokes it from this format.
>>>
>>> Feel free to create JIRA if you find steps to reproduce it from clean KC.
>>>
>>> Marek
>>>
>>> On 07/09/16 13:33, Edgar Vonk - Info.nl wrote:
>>>> Hi Marek,
>>>>
>>>> It’s the brute force detection REST endpoint that is causing the issue.
>>>>
>>>> /auth/admin/realms/our-custom-realm/attack-detection/brute- force/users?username=edgar@ info.nl
>>>>
>>>> gives a: “Failed to load resource: the server responded with a status of 405 (Method Not Allowed)"
>>>>
>>>>
>>>>> On 07 Sep 2016, at 12:27, Edgar Vonk - Info.nl <Edgar@info.nl> wrote:
>>>>>
>>>>> Hi Marek,
>>>>>
>>>>> Thanks for the quick reply. Sorry, forgot to mention that: I did also add the view-users role. However the issue remains unfortunately.
>>>>>
>>>>> Will try to find the endpoint in question and report back!
>>>>>
>>>>> cheers
>>>>>
>>>>>> On 07 Sep 2016, at 11:24, Marek Posolda <mposolda@redhat.com> wrote:
>>>>>>
>>>>>> I guess you need to add "view-users" role as well?
>>>>>>
>>>>>> For tracking, you can try to enable FF plugin like Firebug (or similar in Chrome) and see what REST endpoint exactly returns 405 and what role it requires.
>>>>>>
>>>>>> Marek
>>>>>>
>>>>>> On 07/09/16 10:55, Edgar Vonk - Info.nl wrote:
>>>>>>> Using a specific user admin account that is part of our Keycloak customers realm (not the master realm) with permissions to edit users only (manage-users realm-management role) whenever I click on a user in the Keycloak admin interface (Manage - Users) I get a "Error! An unexpected server error has occurred” with the stacktrace below in the logs. All actions do seem to work properly however. It also happens when I create a user, but also there the user is created just fine it seems.
>>>>>>>
>>>>>>> I am guessing it is a permission issue on some REST endpoint in the admin interface or something?
>>>>>>>
>>>>>>>
>>>>>>> [0m [31m08:14:06,715 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-40) RESTEASY002010: Failed to execute: javax.ws.rs. NotAllowedException: RESTEASY003650: No resource method found for GET, return 405 with Allow header
>>>>>>> at org.jboss.resteasy.core.registry.SegmentNode.match( SegmentNode.java:377)
>>>>>>> at org.jboss.resteasy.core.registry.SegmentNode.match( SegmentNode.java:116)
>>>>>>> at org.jboss.resteasy.core.registry.RootNode.match( RootNode.java:43)
>>>>>>> at org.jboss.resteasy.core.LocatorRegistry. getResourceInvoker( LocatorRegistry.java:79)
>>>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker. invokeOnTargetObject( ResourceLocatorInvoker.java: 129)
>>>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( ResourceLocatorInvoker.java: 107)
>>>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker. invokeOnTargetObject( ResourceLocatorInvoker.java: 133)
>>>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( ResourceLocatorInvoker.java: 107)
>>>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker. invokeOnTargetObject( ResourceLocatorInvoker.java: 133)
>>>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( ResourceLocatorInvoker.java: 101)
>>>>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( SynchronousDispatcher.java: 395)
>>>>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( SynchronousDispatcher.java: 202)
>>>>>>> at org.jboss.resteasy.plugins.server.servlet. ServletContainerDispatcher. service( ServletContainerDispatcher. java:221)
>>>>>>> at org.jboss.resteasy.plugins.server.servlet. HttpServletDispatcher.service( HttpServletDispatcher.java:56)
>>>>>>> at org.jboss.resteasy.plugins.server.servlet. HttpServletDispatcher.service( HttpServletDispatcher.java:51)
>>>>>>> at javax.servlet.http.HttpServlet.service( HttpServlet.java:790)
>>>>>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest( ServletHandler.java:85)
>>>>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. doFilter(FilterHandler.java: 129)
>>>>>>> at org.keycloak.services.filters.KeycloakSessionServletFilter. doFilter( KeycloakSessionServletFilter. java:90)
>>>>>>> at io.undertow.servlet.core.ManagedFilter.doFilter( ManagedFilter.java:60)
>>>>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. doFilter(FilterHandler.java: 131)
>>>>>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest( FilterHandler.java:84)
>>>>>>> at io.undertow.servlet.handlers.security. ServletSecurityRoleHandler. handleRequest( ServletSecurityRoleHandler. java:62)
>>>>>>> at io.undertow.servlet.handlers.ServletDispatchingHandler. handleRequest( ServletDispatchingHandler. java:36)
>>>>>>> at org.wildfly.extension.undertow.security. SecurityContextAssociationHand ler.handleRequest( SecurityContextAssociationHand ler.java:78)
>>>>>>> at io.undertow.server.handlers.PredicateHandler. handleRequest( PredicateHandler.java:43)
>>>>>>> at io.undertow.servlet.handlers.security. SSLInformationAssociationHandl er.handleRequest( SSLInformationAssociationHandl er.java:131)
>>>>>>> at io.undertow.servlet.handlers.security. ServletAuthenticationCallHandl er.handleRequest( ServletAuthenticationCallHandl er.java:57)
>>>>>>> at io.undertow.server.handlers.PredicateHandler. handleRequest( PredicateHandler.java:43)
>>>>>>> at io.undertow.security.handlers.AbstractConfidentialityHandler .handleRequest( AbstractConfidentialityHandler .java:46)
>>>>>>> at io.undertow.servlet.handlers.security. ServletConfidentialityConstrai ntHandler.handleRequest( ServletConfidentialityConstrai ntHandler.java:64)
>>>>>>> at io.undertow.security.handlers.AuthenticationMechanismsHandle r.handleRequest( AuthenticationMechanismsHandle r.java:60)
>>>>>>> at io.undertow.servlet.handlers.security. CachedAuthenticatedSessionHand ler.handleRequest( CachedAuthenticatedSessionHand ler.java:77)
>>>>>>> at io.undertow.security.handlers.NotificationReceiverHandler. handleRequest( NotificationReceiverHandler. java:50)
>>>>>>> at io.undertow.security.handlers.AbstractSecurityContextAssocia tionHandler.handleRequest( AbstractSecurityContextAssocia tionHandler.java:43)
>>>>>>> at io.undertow.server.handlers.PredicateHandler. handleRequest( PredicateHandler.java:43)
>>>>>>> at org.wildfly.extension.undertow.security.jacc. JACCContextIdHandler. handleRequest( JACCContextIdHandler.java:61)
>>>>>>> at io.undertow.server.handlers.PredicateHandler. handleRequest( PredicateHandler.java:43)
>>>>>>> at io.undertow.server.handlers.PredicateHandler. handleRequest( PredicateHandler.java:43)
>>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler. handleFirstRequest( ServletInitialHandler.java: 284)
>>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler. dispatchRequest( ServletInitialHandler.java: 263)
>>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$ 000(ServletInitialHandler. java:81)
>>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$1. handleRequest( ServletInitialHandler.java: 174)
>>>>>>> at io.undertow.server.Connectors.executeRootHandler(Connectors. java:202)
>>>>>>> at io.undertow.server.HttpServerExchange$1.run( HttpServerExchange.java:793)
>>>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker( ThreadPoolExecutor.java:1142)
>>>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run( ThreadPoolExecutor.java:617)
>>>>>>> at java.lang.Thread.run(Thread.java:745)
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user@lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user@lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user