On 24/11/14 19:04, Brian Stansberry wrote:
On 11/24/14, 12:37 PM, Darran Lofthouse wrote:
> Hello Alexey / Brian,
>
> Just trying to get to the bottom of a failure where
> :whoami(verbose=true) is being performed by a user in the CLI with no
> roles and the following error is received; I am looking for some ideas.
>
> "WFLYCTL0313: Unauthorized to execute operation
> 'read-operation-description' for resource '[]' -- "WFLYCTL0332:
> Permission denied""
>
> The call to the :whoami operation would be fine, except that, as there
> is a parameter, the CLI is attempting to validate the parameters by
> making a call to read-operation-description, and it is that call that
> is failing.
>
> Personally I think this operation working is important as it enables
> some debugging of role assignment, i.e. if a user has not been granted
> the expected roles this call helps provide some information about that.
>
> So unless we are going to say the user should not be calling whoami we
> broadly have two options: -
>
> 1 - Make a special case in the CLI and skip the
> read-operation-description call.
>
There should be a high level command in the CLI for this anyway. I don't
really like the low level op being handled as a special case, but a high
level command is fine with me.
Thanks - that could work, I will look at that option.
> 2 - Access control changes to make it possible to call
> read-operation-description for the whoami operation.
>
-1. I'd much rather not even allow the use of this op than go this route.
Related to this, today isn't good but let's chat some time soon re: how
to make the interactive-mode CLI behavior more user-friendly when the
user has no permissions, e.g. can't read the root resource. For example,
output a message informing the user of this and, if reasonably do-able,
limiting the tab completion list to just a few things. Just the message
would help a lot; something analogous to this message we print when the
user isn't connected:

You are disconnected at the moment. Type 'connect' to connect to the
server or 'help' for the list of supported commands.

At the moment the CLI could also use the :whoami operation to check a
user does have at least one role, but that will not help much if a
non-role based access control provider is ever installed.
> Regards,
> Darran Lofthouse.