On 11/24/14, 12:37 PM, Darran Lofthouse wrote:
> Hello Alexey / Brian,
>
> Just trying to get to the bottom of a failure where
> :whoami(verbose=true) is being performed by a user in the CLI with no
> roles and the following error is received and looking for some ideas.
>
> "WFLYCTL0313: Unauthorized to execute operation
> 'read-operation-description' for resource '[]' -- "WFLYCTL0332:
> Permission denied""
>
> The call to the :whoami operation would be fine except as there is a
> parameter the CLI is attempting to validate the parameters by making a
> call to read-operation-description and it is that call that is failing.
>
> Personally I think this operation working is important as it enables
> some debugging of role assignment, i.e. if a user has not been granted
> the expected roles this call helps provide some information about that.
>
> So unless we are going to say the user should not be calling whoami we
> broadly have two options: -
>
> 1 - Make a special case in the CLI and skip the
> read-operation-description call.

There should be a high level command in the CLI for this anyway. I don't
really like the low level op being handled as a special case, but a high
level command is fine with me.

> 2 - Access control changes to make it possible to call
> read-operation-description for the whoami operation.

-1. I'd much rather not even allow the use of this op than go this route.

Related to this, today isn't good but let's chat some time soon re: how
to make the interactive-mode CLI behavior more user-friendly when the
user has no permissions, e.g. can't read the root resource. For example,
output a message informing the user of this and, if reasonably do-able,
limiting the tab completion list to just a few things. Just the message
would help a lot; something analogous to this message we print when the
user isn't connected:

You are disconnected at the moment. Type 'connect' to connect to the
server or 'help' for the list of supported commands.

> Regards,
> Darran Lofthouse.

--
Brian Stansberry
Senior Principal Software Engineer
JBoss by Red Hat