[jboss-jira] [JBoss JIRA] (WFCORE-504) RBAC does not let server-group scoped roles read all hosts
Brian Stansberry (JIRA)
issues at jboss.org
Wed Jan 14 23:59:49 EST 2015
Brian Stansberry created WFCORE-504:
---------------------------------------
Summary: RBAC does not let server-group scoped roles read all hosts
Key: WFCORE-504
URL: https://issues.jboss.org/browse/WFCORE-504
Project: WildFly Core
Issue Type: Bug
Components: Domain Management
Affects Versions: 1.0.0.Alpha15
Reporter: Brian Stansberry
Assignee: Brian Stansberry
The RBAC implementation is not allowing a server-group scoped role to read resources in the host=* tree unless one of these is true:
1) the host only contains a server mapped to the server group
2) the host doesn't contain any servers.
This is consistent with handling of other "mappable" things but is contrary to the docs, which declare
"In addition to these privileges, users in a server-group scoped role will have non-sensitive read privileges (equivalent to the Monitor role) for resources other than those listed above."
but don't list these host resources.
It's also unintuitive, as the s-g-s-r is actually allowed to add a server on the host, but can't read the other host resources before doing so.
Also, asking the DC for the list of host names will include the host, but trying to read its root resource will result in a NoSuchResourceException.
The issue dates back to 8.0, but recent changes to the console have resulted in this breaking console behavior.
--
This message was sent by Atlassian JIRA
(v6.3.11#6341)
More information about the jboss-jira
mailing list