[jboss-jira] [JBoss JIRA] (WFCORE-504) RBAC does not let server-group scoped roles read all hosts

RH Bugzilla Integration (JIRA) issues at jboss.org
Mon Jan 26 06:43:49 EST 2015 

    [ https://issues.jboss.org/browse/WFCORE-504?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13034824#comment-13034824 ] 

RH Bugzilla Integration commented on WFCORE-504:
------------------------------------------------

Kabir Khan <kkhan at redhat.com> changed the Status of [bug 1178810|https://bugzilla.redhat.com/show_bug.cgi?id=1178810] from POST to MODIFIED

> RBAC does not let server-group scoped roles read all hosts
> ----------------------------------------------------------
>
>                 Key: WFCORE-504
>                 URL: https://issues.jboss.org/browse/WFCORE-504
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Domain Management
>    Affects Versions: 1.0.0.Alpha15
>            Reporter: Brian Stansberry
>            Assignee: Brian Stansberry
>             Fix For: 1.0.0.Alpha16
>
>
> The RBAC implementation is not allowing a server-group scoped role to read resources in the host=* tree unless one of these is true:
> 1) the host only contains a server mapped to the server group
> 2) the host doesn't contain any servers.
> This is consistent with handling of other "mappable" things but is contrary to the docs, which declare
> "In addition to these privileges, users in a server-group scoped role will have non-sensitive read privileges (equivalent to the Monitor role) for resources other than those listed above."
> but don't list these host resources.
> It's also unintuitive, as the s-g-s-r is actually allowed to add a server on the host, but can't read the other host resources before doing so.
> Also, asking the DC for the list of host names will include the host, but trying to read its root resource will result in a NoSuchResourceException.
> The issue dates back to 8.0, but recent changes to the console have resulted in this breaking console behavior.



--
This message was sent by Atlassian JIRA
(v6.3.11#6341)

More information about the jboss-jira mailing list