[jboss-jira] [JBoss JIRA] (WFLY-4976) Access control exceptions missing for non-existent resources
Harald Pehl (JIRA)
issues at jboss.org
Tue Jul 21 10:27:04 EDT 2015
[ https://issues.jboss.org/browse/WFLY-4976?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Harald Pehl updated WFLY-4976:
------------------------------
Description:
When asking for the access control metadata using (r-r-d) on *existing* resources I get an exceptions block:
{code}
/server-group=*:read-resource-description(access-control=trim-descriptions,operations=true){roles=[main-maintainer,other-monitor]}
{
"outcome" => "success",
"result" => [{
"address" => [("server-group" => "*")],
"outcome" => "success",
"result" => {
"description" => undefined,
"attributes" => undefined,
"operations" => undefined,
"notifications" => undefined,
"children" => {
"deployment" => {"model-description" => undefined},
"jvm" => {"model-description" => undefined},
"deployment-overlay" => {"model-description" => undefined},
"system-property" => {"model-description" => undefined}
},
"access-control" => {
"default" => {
"read" => true,
"write" => false,
"attributes" => {
"management-subsystem-endpoint" => {
"read" => true,
"write" => false
},
"profile" => {
"read" => true,
"write" => false
},
"socket-binding-default-interface" => {
"read" => true,
"write" => false
},
"socket-binding-group" => {
"read" => true,
"write" => false
},
"socket-binding-port-offset" => {
"read" => true,
"write" => false
}
},
"operations" => {
"read-children-types" => {"execute" => true},
"whoami" => {"execute" => true},
"map-clear" => {"execute" => false},
"list-get" => {"execute" => true},
"write-attribute" => {"execute" => false},
"replace-deployment" => {"execute" => false},
"stop-servers" => {"execute" => false},
"remove" => {"execute" => false},
"list-add" => {"execute" => false},
"map-put" => {"execute" => false},
"read-attribute-group-names" => {"execute" => true},
"restart-servers" => {"execute" => false},
"resume-servers" => {"execute" => false},
"read-resource-description" => {"execute" => true},
"read-resource" => {"execute" => true},
"add" => {"execute" => false},
"suspend-servers" => {"execute" => false},
"reload-servers" => {"execute" => false},
"query" => {"execute" => true},
"read-operation-description" => {"execute" => true},
"map-get" => {"execute" => true},
"list-clear" => {"execute" => false},
"read-attribute" => {"execute" => true},
"map-remove" => {"execute" => false},
"read-attribute-group" => {"execute" => true},
"undefine-attribute" => {"execute" => false},
"read-children-names" => {"execute" => true},
"start-servers" => {"execute" => false},
"read-operation-names" => {"execute" => true},
"list-remove" => {"execute" => false},
"read-children-resources" => {"execute" => true}
}
},
"exceptions" => {"[(\"server-group\" => \"main-server-group\")]" => {
"read" => true,
"write" => true,
"attributes" => {
"management-subsystem-endpoint" => {
"read" => true,
"write" => false
},
"profile" => {
"read" => true,
"write" => true
},
"socket-binding-default-interface" => {
"read" => true,
"write" => false
},
"socket-binding-group" => {
"read" => true,
"write" => true
},
"socket-binding-port-offset" => {
"read" => true,
"write" => false
}
},
"operations" => {
"read-children-types" => {"execute" => true},
"whoami" => {"execute" => true},
"map-clear" => {"execute" => true},
"list-get" => {"execute" => true},
"write-attribute" => {"execute" => true},
"replace-deployment" => {"execute" => true},
"stop-servers" => {"execute" => true},
"remove" => {"execute" => false},
"list-add" => {"execute" => true},
"map-put" => {"execute" => true},
"read-attribute-group-names" => {"execute" => true},
"restart-servers" => {"execute" => true},
"resume-servers" => {"execute" => true},
"read-resource-description" => {"execute" => true},
"read-resource" => {"execute" => true},
"add" => {"execute" => false},
"suspend-servers" => {"execute" => true},
"reload-servers" => {"execute" => true},
"query" => {"execute" => true},
"read-operation-description" => {"execute" => true},
"map-get" => {"execute" => true},
"list-clear" => {"execute" => true},
"read-attribute" => {"execute" => true},
"map-remove" => {"execute" => true},
"read-attribute-group" => {"execute" => true},
"undefine-attribute" => {"execute" => true},
"read-children-names" => {"execute" => true},
"start-servers" => {"execute" => true},
"read-operation-names" => {"execute" => true},
"list-remove" => {"execute" => true},
"read-children-resources" => {"execute" => true}
},
"address" => [("server-group" => "main-server-group")]
}}
}
}
}]
}
{code}
However when using the same operation on *non-existng* resources I don't see an exception block:
{code}
/server-group=*/deployment=*:read-resource-description(access-control=trim-descriptions,operations=true){roles=[main-maintainer,other-monitor]}
{
"outcome" => "success",
"result" => [{
"address" => [
("server-group" => "*"),
("deployment" => "*")
],
"outcome" => "success",
"result" => {
"description" => undefined,
"access-constraints" => {"application" => {"deployment" => {"type" => "core"}}},
"attributes" => undefined,
"operations" => undefined,
"notifications" => undefined,
"children" => {},
"access-control" => {
"default" => {
"read" => true,
"write" => false,
"attributes" => {
"enabled" => {
"read" => true,
"write" => false
},
"name" => {
"read" => true,
"write" => false
},
"runtime-name" => {
"read" => true,
"write" => false
}
},
"operations" => {
"read-children-types" => {"execute" => true},
"whoami" => {"execute" => true},
"map-clear" => {"execute" => false},
"list-get" => {"execute" => true},
"write-attribute" => {"execute" => false},
"remove" => {"execute" => false},
"deploy" => {"execute" => false},
"list-add" => {"execute" => false},
"map-put" => {"execute" => false},
"read-attribute-group-names" => {"execute" => true},
"redeploy" => {"execute" => false},
"read-resource-description" => {"execute" => true},
"read-resource" => {"execute" => true},
"add" => {"execute" => false},
"query" => {"execute" => true},
"read-operation-description" => {"execute" => true},
"map-get" => {"execute" => true},
"list-clear" => {"execute" => false},
"read-attribute" => {"execute" => true},
"map-remove" => {"execute" => false},
"read-attribute-group" => {"execute" => true},
"undefine-attribute" => {"execute" => false},
"read-children-names" => {"execute" => true},
"read-operation-names" => {"execute" => true},
"list-remove" => {"execute" => false},
"read-children-resources" => {"execute" => true},
"undeploy" => {"execute" => false}
}
},
"exceptions" => {}
}
}
}]
}
{code}
Some notes on the domain:
- Built from WildFly 10 master
- No deployments present
- Role {{main-maintainer}} is a server group scoped role based on Maintainer and scoped to main-server-group
- Role {{other-monitor}} is a server group scoped role based on Monitor and scoped to other-server-group
What we would need is a way to *always* get the exceptions no matter whether the resource exists. In the console we create a so-called security context which uses wildcard r-r-d operations like the ones above. This security context is used later on to show / hide UI controls.
was:
When asking for the access control metadata using (r-r-d) on *existing* resources I get an exceptions block:
{code}
/server-group=*:read-resource-description(access-control=trim-descriptions,operations=true){roles=[main-maintainer,other-monitor]}
{code}
However when using the same operation on *non-existng* resources I don't see an exception block:
{code}
/server-group=*/deployment=*:read-resource-description(access-control=trim-descriptions,operations=true){roles=[main-maintainer,other-monitor]}
{code}
What we would need is a way to *always* get the exceptions no matter whether the resource exists. In the console we create a so-called security context which uses wildcard r-r-d operations like the ones above. This security context is used later on to show / hide UI controls.
> Access control exceptions missing for non-existent resources
> ------------------------------------------------------------
>
> Key: WFLY-4976
> URL: https://issues.jboss.org/browse/WFLY-4976
> Project: WildFly
> Issue Type: Bug
> Components: Domain Management
> Reporter: Harald Pehl
> Assignee: Brian Stansberry
> Fix For: 10.0.0.Beta1
>
>
> When asking for the access control metadata using (r-r-d) on *existing* resources I get an exceptions block:
> {code}
> /server-group=*:read-resource-description(access-control=trim-descriptions,operations=true){roles=[main-maintainer,other-monitor]}
> {
> "outcome" => "success",
> "result" => [{
> "address" => [("server-group" => "*")],
> "outcome" => "success",
> "result" => {
> "description" => undefined,
> "attributes" => undefined,
> "operations" => undefined,
> "notifications" => undefined,
> "children" => {
> "deployment" => {"model-description" => undefined},
> "jvm" => {"model-description" => undefined},
> "deployment-overlay" => {"model-description" => undefined},
> "system-property" => {"model-description" => undefined}
> },
> "access-control" => {
> "default" => {
> "read" => true,
> "write" => false,
> "attributes" => {
> "management-subsystem-endpoint" => {
> "read" => true,
> "write" => false
> },
> "profile" => {
> "read" => true,
> "write" => false
> },
> "socket-binding-default-interface" => {
> "read" => true,
> "write" => false
> },
> "socket-binding-group" => {
> "read" => true,
> "write" => false
> },
> "socket-binding-port-offset" => {
> "read" => true,
> "write" => false
> }
> },
> "operations" => {
> "read-children-types" => {"execute" => true},
> "whoami" => {"execute" => true},
> "map-clear" => {"execute" => false},
> "list-get" => {"execute" => true},
> "write-attribute" => {"execute" => false},
> "replace-deployment" => {"execute" => false},
> "stop-servers" => {"execute" => false},
> "remove" => {"execute" => false},
> "list-add" => {"execute" => false},
> "map-put" => {"execute" => false},
> "read-attribute-group-names" => {"execute" => true},
> "restart-servers" => {"execute" => false},
> "resume-servers" => {"execute" => false},
> "read-resource-description" => {"execute" => true},
> "read-resource" => {"execute" => true},
> "add" => {"execute" => false},
> "suspend-servers" => {"execute" => false},
> "reload-servers" => {"execute" => false},
> "query" => {"execute" => true},
> "read-operation-description" => {"execute" => true},
> "map-get" => {"execute" => true},
> "list-clear" => {"execute" => false},
> "read-attribute" => {"execute" => true},
> "map-remove" => {"execute" => false},
> "read-attribute-group" => {"execute" => true},
> "undefine-attribute" => {"execute" => false},
> "read-children-names" => {"execute" => true},
> "start-servers" => {"execute" => false},
> "read-operation-names" => {"execute" => true},
> "list-remove" => {"execute" => false},
> "read-children-resources" => {"execute" => true}
> }
> },
> "exceptions" => {"[(\"server-group\" => \"main-server-group\")]" => {
> "read" => true,
> "write" => true,
> "attributes" => {
> "management-subsystem-endpoint" => {
> "read" => true,
> "write" => false
> },
> "profile" => {
> "read" => true,
> "write" => true
> },
> "socket-binding-default-interface" => {
> "read" => true,
> "write" => false
> },
> "socket-binding-group" => {
> "read" => true,
> "write" => true
> },
> "socket-binding-port-offset" => {
> "read" => true,
> "write" => false
> }
> },
> "operations" => {
> "read-children-types" => {"execute" => true},
> "whoami" => {"execute" => true},
> "map-clear" => {"execute" => true},
> "list-get" => {"execute" => true},
> "write-attribute" => {"execute" => true},
> "replace-deployment" => {"execute" => true},
> "stop-servers" => {"execute" => true},
> "remove" => {"execute" => false},
> "list-add" => {"execute" => true},
> "map-put" => {"execute" => true},
> "read-attribute-group-names" => {"execute" => true},
> "restart-servers" => {"execute" => true},
> "resume-servers" => {"execute" => true},
> "read-resource-description" => {"execute" => true},
> "read-resource" => {"execute" => true},
> "add" => {"execute" => false},
> "suspend-servers" => {"execute" => true},
> "reload-servers" => {"execute" => true},
> "query" => {"execute" => true},
> "read-operation-description" => {"execute" => true},
> "map-get" => {"execute" => true},
> "list-clear" => {"execute" => true},
> "read-attribute" => {"execute" => true},
> "map-remove" => {"execute" => true},
> "read-attribute-group" => {"execute" => true},
> "undefine-attribute" => {"execute" => true},
> "read-children-names" => {"execute" => true},
> "start-servers" => {"execute" => true},
> "read-operation-names" => {"execute" => true},
> "list-remove" => {"execute" => true},
> "read-children-resources" => {"execute" => true}
> },
> "address" => [("server-group" => "main-server-group")]
> }}
> }
> }
> }]
> }
> {code}
> However when using the same operation on *non-existng* resources I don't see an exception block:
> {code}
> /server-group=*/deployment=*:read-resource-description(access-control=trim-descriptions,operations=true){roles=[main-maintainer,other-monitor]}
> {
> "outcome" => "success",
> "result" => [{
> "address" => [
> ("server-group" => "*"),
> ("deployment" => "*")
> ],
> "outcome" => "success",
> "result" => {
> "description" => undefined,
> "access-constraints" => {"application" => {"deployment" => {"type" => "core"}}},
> "attributes" => undefined,
> "operations" => undefined,
> "notifications" => undefined,
> "children" => {},
> "access-control" => {
> "default" => {
> "read" => true,
> "write" => false,
> "attributes" => {
> "enabled" => {
> "read" => true,
> "write" => false
> },
> "name" => {
> "read" => true,
> "write" => false
> },
> "runtime-name" => {
> "read" => true,
> "write" => false
> }
> },
> "operations" => {
> "read-children-types" => {"execute" => true},
> "whoami" => {"execute" => true},
> "map-clear" => {"execute" => false},
> "list-get" => {"execute" => true},
> "write-attribute" => {"execute" => false},
> "remove" => {"execute" => false},
> "deploy" => {"execute" => false},
> "list-add" => {"execute" => false},
> "map-put" => {"execute" => false},
> "read-attribute-group-names" => {"execute" => true},
> "redeploy" => {"execute" => false},
> "read-resource-description" => {"execute" => true},
> "read-resource" => {"execute" => true},
> "add" => {"execute" => false},
> "query" => {"execute" => true},
> "read-operation-description" => {"execute" => true},
> "map-get" => {"execute" => true},
> "list-clear" => {"execute" => false},
> "read-attribute" => {"execute" => true},
> "map-remove" => {"execute" => false},
> "read-attribute-group" => {"execute" => true},
> "undefine-attribute" => {"execute" => false},
> "read-children-names" => {"execute" => true},
> "read-operation-names" => {"execute" => true},
> "list-remove" => {"execute" => false},
> "read-children-resources" => {"execute" => true},
> "undeploy" => {"execute" => false}
> }
> },
> "exceptions" => {}
> }
> }
> }]
> }
> {code}
> Some notes on the domain:
> - Built from WildFly 10 master
> - No deployments present
> - Role {{main-maintainer}} is a server group scoped role based on Maintainer and scoped to main-server-group
> - Role {{other-monitor}} is a server group scoped role based on Monitor and scoped to other-server-group
> What we would need is a way to *always* get the exceptions no matter whether the resource exists. In the console we create a so-called security context which uses wildcard r-r-d operations like the ones above. This security context is used later on to show / hide UI controls.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
More information about the jboss-jira
mailing list