[jboss-jira] [JBoss JIRA] (WFLY-2010) RBAC: read-resource-description is wrong about the ability to :add in the datasources subsystem
Ladislav Thon (JIRA)
jira-events at lists.jboss.org
Thu Sep 5 09:27:04 EDT 2013
Ladislav Thon created WFLY-2010:
-----------------------------------
Summary: RBAC: read-resource-description is wrong about the ability to :add in the datasources subsystem
Key: WFLY-2010
URL: https://issues.jboss.org/browse/WFLY-2010
Project: WildFly
Issue Type: Bug
Components: Domain Management
Reporter: Ladislav Thon
Assignee: Brian Stansberry
This is the issue Jakub has been talking about for quite some time now.
If I do {{/subsystem=datasources:read-resource-description(operations=true, access-control=trim-descriptions)}} as a user that has the {{Maintainer}} role, the response says that I can {{:add}} a new datasource.
{code}
[standalone@localhost:9990 /] /subsystem=datasources:read-resource-description(operations=true, access-control=trim-descriptions)
{
    "outcome" => "success",
    "result" => {
        "description" => undefined,
        "attributes" => undefined,
        "operations" => undefined,
        "children" => {
            "jdbc-driver" => {"model-description" => undefined},
            "data-source" => {"model-description" => undefined},
            "xa-data-source" => {"model-description" => undefined}
        },
        "access-control" => {
            "default" => {
                "read" => true,
                "write" => true,
                "attributes" => {"installed-drivers" => {
                    "read" => true,
                    "write" => true
                }},
                "operations" => {
                    "read-children-names" => {"execute" => true},
                    "read-operation-description" => {"execute" => true},
                    "remove" => {"execute" => true},
                    "get-installed-driver" => {"execute" => true},
                    "read-resource-description" => {"execute" => true},
                    "read-resource" => {"execute" => true},
                    "add" => {"execute" => true},
                    "read-attribute" => {"execute" => true},
                    "whoami" => {"execute" => true},
                    "installed-drivers-list" => {"execute" => true},
                    "read-children-types" => {"execute" => true},
                    "read-operation-names" => {"execute" => true},
                    "undefine-attribute" => {"execute" => true},
                    "read-children-resources" => {"execute" => true},
                    "write-attribute" => {"execute" => true}
                }
            },
            "exceptions" => {}
        }
    }
}
{code}
Yet if I try to do that, it fails:
{code}
/subsystem=datasources/data-source=TestDS:add(connection-url="jdbc:h2:mem:test;DB_CLOSE_DELAY=-1", jndi-name="java:jboss/datasources/TestDS", driver-name="h2")
{
    "outcome" => "failed",
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'add' for resource '[
(\"subsystem\" => \"datasources\"),
(\"data-source\" => \"TestDS\")
]' -- \"Permission denied\"",
    "rolled-back" => true
}
{code}
I have a test case for this that I will submit in a pull request in a few minutes.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
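The mismatch reported above can be checked mechanically by comparing what the access-control metadata advertises with what the server actually enforces. The following is an added example, not code from the report or from WildFly: the function names are hypothetical, the parser handles only the subset of CLI output syntax shown in this message, and the two sample responses are trimmed copies of the ones in the report.

```python
import json
import re
# One token per match: a quoted string, the "=>" separator, or "undefined".
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|=>|\bundefined\b')

def parse_cli(text):
    """Convert the subset of CLI output shown in the report to a dict."""
    swap = {"=>": ":", "undefined": "null"}
    as_json = _TOKEN.sub(lambda m: swap.get(m.group(0), m.group(0)), text)
    # strict=False: failure descriptions contain raw newlines inside strings.
    return json.loads(as_json, strict=False)

def advertised(description):
    """Operation names the access-control block marks as executable."""
    ops = description["result"]["access-control"]["default"]["operations"]
    return {name for name, perm in ops.items() if perm.get("execute") is True}

def mismatch(description_text, operation, result_text):
    """True if the operation was advertised as executable but was denied."""
    result = parse_cli(result_text)
    denied = (result.get("outcome") == "failed"
              and "JBAS013456" in result.get("failure-description", ""))
    return operation in advertised(parse_cli(description_text)) and denied

# Constructed sample: the report's two responses, trimmed to the relevant keys.
DESCRIPTION = r'''{
    "result" => {
        "description" => undefined,
        "access-control" => {
            "default" => {
                "operations" => {
                    "add" => {"execute" => true},
                    "read-resource" => {"execute" => true}
                }
            },
            "exceptions" => {}
        }
    }
}'''
ADD_RESULT = r'''{
    "outcome" => "failed",
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'add' for resource '[
(\"subsystem\" => \"datasources\"),
(\"data-source\" => \"TestDS\")
]' -- \"Permission denied\"",
    "rolled-back" => true
}'''
if __name__ == "__main__":
    print("advertised but denied:", mismatch(DESCRIPTION, "add", ADD_RESULT))
```
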