[jboss-jira] [JBoss JIRA] (WFLY-2005) Host scoped role adding JVM config

Brian Stansberry (JIRA) jira-events at lists.jboss.org
Thu Sep 5 19:09:03 EDT 2013


    [ https://issues.jboss.org/browse/WFLY-2005?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12802101#comment-12802101 ] 

Brian Stansberry commented on WFLY-2005:
----------------------------------------

Looks like this is a case like datasources, where authz is being denied because of sensitive attributes, but ones that are not actually required. I don't think this will work for Maintainer regardless of the host-scoped role aspect.

There's a bug in the r-r-d impl though, because it says "add" => {"execute" => true}.  Ladislav has already filed a JIRA for that though. It's possible that r-r-d has implemented the bit about ignoring non-required sensitive attributes.

I'll use this one for dealing with the enforcement side of the general use case -- failing non-required sensitive attributes. The other JIRA will be for r-r-d.
                
> Host scoped role adding JVM config
> ----------------------------------
>
>                 Key: WFLY-2005
>                 URL: https://issues.jboss.org/browse/WFLY-2005
>             Project: WildFly
>          Issue Type: Bug
>          Components: Domain Management
>            Reporter: Heiko Braun
>            Assignee: Brian Stansberry
>             Fix For: 8.0.0.Beta1
>
>
> Although the operation permissions for add() are given, a host scoped role fails to create a new JVM on a specific host the role is scoped to:
> {noformat}
> [domain@localhost:9990 /] /core-service=management/access=authorization/host-scoped-role=stage_hosts:read-resource
> {
>     "outcome" => "success",
>     "result" => {
>         "base-role" => "maintainer",
>         "hosts" => ["slave"]
>     }
> }
> [domain@localhost:9990 /] /host=slave/jvm=small:add(){roles=STAGE_HOSTS}
> {
>     "outcome" => "failed",
>     "result" => undefined,
>     "failure-description" => {"host-failure-descriptions" => [("slave" => "JBAS013456: Unauthorized to execute operation 'add' for resource '[
>     (\"host\" => \"slave\"),
>     (\"jvm\" => \"small\")
> ]' -- \"Permission denied\"")]},
>     "rolled-back" => true
> }
> {noformat}
