[jboss-jira] [JBoss JIRA] (WFLY-2010) RBAC: read-resource-description is wrong about the ability to :add in the datasources subsystem
Ladislav Thon (JIRA)
jira-events at lists.jboss.org
Thu Sep 5 09:27:04 EDT 2013
[ https://issues.jboss.org/browse/WFLY-2010?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ladislav Thon updated WFLY-2010:
--------------------------------
Parent: WFLY-490
Issue Type: Sub-task (was: Bug)
> RBAC: read-resource-description is wrong about the ability to :add in the datasources subsystem
> -----------------------------------------------------------------------------------------------
>
> Key: WFLY-2010
> URL: https://issues.jboss.org/browse/WFLY-2010
> Project: WildFly
> Issue Type: Sub-task
> Components: Domain Management
> Reporter: Ladislav Thon
> Assignee: Brian Stansberry
> Labels: rbac-filed-by-qa
>
> This is the issue Jakub has been talking about for quite some time now.
> If I do {{/subsystem=datasources:read-resource-description(operations=true, access-control=trim-descriptions)}} as a user that has the {{Maintainer}} role, the response says that I can {{:add}} a new datasource.
> {code}
> [standalone at localhost:9990 /] /subsystem=datasources:read-resource-description(operations=true, access-control=trim-descriptions)
> {
>     "outcome" => "success",
>     "result" => {
>         "description" => undefined,
>         "attributes" => undefined,
>         "operations" => undefined,
>         "children" => {
>             "jdbc-driver" => {"model-description" => undefined},
>             "data-source" => {"model-description" => undefined},
>             "xa-data-source" => {"model-description" => undefined}
>         },
>         "access-control" => {
>             "default" => {
>                 "read" => true,
>                 "write" => true,
>                 "attributes" => {"installed-drivers" => {
>                     "read" => true,
>                     "write" => true
>                 }},
>                 "operations" => {
>                     "read-children-names" => {"execute" => true},
>                     "read-operation-description" => {"execute" => true},
>                     "remove" => {"execute" => true},
>                     "get-installed-driver" => {"execute" => true},
>                     "read-resource-description" => {"execute" => true},
>                     "read-resource" => {"execute" => true},
>                     "add" => {"execute" => true},
>                     "read-attribute" => {"execute" => true},
>                     "whoami" => {"execute" => true},
>                     "installed-drivers-list" => {"execute" => true},
>                     "read-children-types" => {"execute" => true},
>                     "read-operation-names" => {"execute" => true},
>                     "undefine-attribute" => {"execute" => true},
>                     "read-children-resources" => {"execute" => true},
>                     "write-attribute" => {"execute" => true}
>                 }
>             },
>             "exceptions" => {}
>         }
>     }
> }
> {code}
> Yet if I try to do that, it fails:
> {code}
> /subsystem=datasources/data-source=TestDS:add(connection-url="jdbc:h2:mem:test;DB_CLOSE_DELAY=-1", jndi-name="java:jboss/datasources/TestDS", driver-name="h2")
> {
> "outcome" => "failed",
> "failure-description" => "JBAS013456: Unauthorized to execute operation 'add' for resource '[
> (\"subsystem\" => \"datasources\"),
> (\"data-source\" => \"TestDS\")
> ]' -- \"Permission denied\"",
> "rolled-back" => true
> }
> {code}
> I have a test case for this that I will submit in a pull request in a few minutes.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
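
The comparison the report makes by hand, written as an added example (it is not part of the original message or of WildFly): parse the two CLI responses and flag an operation that the trimmed description advertises as executable but that is rejected when invoked. The function names are hypothetical, the sample responses are constructed by trimming the ones quoted above, the parser covers only the DMR text subset those responses use, and only the "default" access-control block is read.

```python
import json
import re

# Constructed sample input: trimmed copies of the two CLI responses quoted in the report.
DESCRIPTION = r'''{"outcome" => "success", "result" => {
    "description" => undefined,
    "access-control" => {
        "default" => {"operations" => {"add" => {"execute" => true}}},
        "exceptions" => {}
    }
}}'''
ADD_RESULT = r'''{
    "outcome" => "failed",
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'add' for resource '[
    (\"subsystem\" => \"datasources\"),
    (\"data-source\" => \"TestDS\")
]' -- \"Permission denied\"",
    "rolled-back" => true
}'''

# A string literal, the "=>" separator, or the bare word undefined.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|=>|\bundefined\b')

def parse_dmr(text):
    """Parse the DMR text subset used above (objects, strings, booleans, undefined)."""
    def to_json(match):
        token = match.group(0)
        return {"=>": ":", "undefined": "null"}.get(token, token)  # strings pass through
    return json.loads(_TOKEN.sub(to_json, text), strict=False)  # allow newlines in strings

def advertised_execute(description, operation):
    """Does the description's default access-control grant execute on operation?"""
    ops = description["result"]["access-control"]["default"]["operations"]
    return bool(ops.get(operation, {}).get("execute", False))

def denied(response):
    """True when the management response is an RBAC authorization failure."""
    text = response.get("failure-description") or ""
    return response.get("outcome") == "failed" and "Unauthorized to execute operation" in text

def inconsistent(description_text, operation, result_text):
    """Flag the mismatch in the report: advertised as executable, rejected when invoked."""
    return advertised_execute(parse_dmr(description_text), operation) and denied(parse_dmr(result_text))

if __name__ == "__main__":
    print("add advertised but denied:", inconsistent(DESCRIPTION, "add", ADD_RESULT))
```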