[jboss-jira] [JBoss JIRA] (WFCORE-832) Access control exceptions missing for non-existent resources

Brian Stansberry (JIRA) issues at jboss.org
Tue Jul 21 13:07:02 EDT 2015


    [ https://issues.jboss.org/browse/WFCORE-832?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13091419#comment-13091419 ] 

Brian Stansberry edited comment on WFCORE-832 at 7/21/15 1:06 PM:
------------------------------------------------------------------

This comment is largely notes to myself / thinking out loud.

The handling of these ops is a bit of an unholy mess, due to the dual meaning of the 'star' character when dealing with 'read-resource-description'. The 'star' means "give me results for all the descriptions that match this pattern", which is why the result of the first op is a list, while the result of /server-group=main-server-group:read-resource-description will not be a list. But then the 'star' is also the value in the address element where the resource definition is actually registered. There it indicates the actual resource instances that use the definition can have arbitrary names.

This will take a bit of thought.

The good news is the value of the keys underneath 'exceptions' is the string form of a full path address, not just a single element. So without changing structure it's possible to include {code}"exceptions"=> "[(\"server-group\" => \"main-server-group\"),("deployment"=>"*"]"{code}as part of the result list item for 

{code}

    "result" => [{
        "address" => [
            ("server-group" => "*"),
            ("deployment" => "*")
        ],
        "outcome" => "success",
        "result" =>
{code}

I'll need to check whether that {code}"exceptions"=> "[(\"server-group\" => \"main-server-group\"),("deployment"=>"*"]"{code} value is meant to be an absolute address or relative though. Hopefully absolute; if so there's no compatibility issue involved with fixing this; it just becomes a question of getting the correct data to the correct spot so it can be output.


was (Author: brian.stansberry):
This comment is largely notes to myself / thinking out loud.

The handling of these ops is a bit of an unholy mess, due to the dual meaning of the '*' character when dealing with 'read-resource-description'. The '*' means "give me results for all the descriptions that match this pattern", which is why the result of the first op is a list, while the result of /server-group=main-server-group:read-resource-description will not be a list. But then the '*' is also the value in the address element where the resource definition is actually registered. There it indicates the actual resource instances that use the definition can have arbitrary names.

This will take a bit of thought.

The good news is the value of the keys underneath 'exceptions' is the string form of a full path address, not just a single element. So without changing structure it's possible to include "exceptions"=> "[(\"server-group\" => \"main-server-group\"),("deployment"=>"*"]" as part of the result list item for 

{code}

    "result" => [{
        "address" => [
            ("server-group" => "*"),
            ("deployment" => "*")
        ],
        "outcome" => "success",
        "result" =>
{code}

I'll need to check whether that "exceptions"=> "[(\"server-group\" => \"main-server-group\"),("deployment"=>"*"]" value is meant to be an absolute address or relative though. Hopefully absolute; if so there's no compatibility issue involved with fixing this; it just becomes a question of getting the correct data to the correct spot so it can be output.

> Access control exceptions missing for non-existent resources
> ------------------------------------------------------------
>
>                 Key: WFCORE-832
>                 URL: https://issues.jboss.org/browse/WFCORE-832
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Domain Management
>            Reporter: Harald Pehl
>            Assignee: Brian Stansberry
>
> When asking for the access control metadata using (r-r-d) on *existing* resources I get an exceptions block: 
> {code}
> /server-group=*:read-resource-description(access-control=trim-descriptions,operations=true){roles=[main-maintainer,other-monitor]}
> {
>     "outcome" => "success",
>     "result" => [{
>         "address" => [("server-group" => "*")],
>         "outcome" => "success",
>         "result" => {
>             "description" => undefined,
>             "attributes" => undefined,
>             "operations" => undefined,
>             "notifications" => undefined,
>             "children" => {
>                 "deployment" => {"model-description" => undefined},
>                 "jvm" => {"model-description" => undefined},
>                 "deployment-overlay" => {"model-description" => undefined},
>                 "system-property" => {"model-description" => undefined}
>             },
>             "access-control" => {
>                 "default" => {
>                     "read" => true,
>                     "write" => false,
>                     "attributes" => {
>                         "management-subsystem-endpoint" => {
>                             "read" => true,
>                             "write" => false
>                         },
>                         "profile" => {
>                             "read" => true,
>                             "write" => false
>                         },
>                         "socket-binding-default-interface" => {
>                             "read" => true,
>                             "write" => false
>                         },
>                         "socket-binding-group" => {
>                             "read" => true,
>                             "write" => false
>                         },
>                         "socket-binding-port-offset" => {
>                             "read" => true,
>                             "write" => false
>                         }
>                     },
>                     "operations" => {
>                         "read-children-types" => {"execute" => true},
>                         "whoami" => {"execute" => true},
>                         "map-clear" => {"execute" => false},
>                         "list-get" => {"execute" => true},
>                         "write-attribute" => {"execute" => false},
>                         "replace-deployment" => {"execute" => false},
>                         "stop-servers" => {"execute" => false},
>                         "remove" => {"execute" => false},
>                         "list-add" => {"execute" => false},
>                         "map-put" => {"execute" => false},
>                         "read-attribute-group-names" => {"execute" => true},
>                         "restart-servers" => {"execute" => false},
>                         "resume-servers" => {"execute" => false},
>                         "read-resource-description" => {"execute" => true},
>                         "read-resource" => {"execute" => true},
>                         "add" => {"execute" => false},
>                         "suspend-servers" => {"execute" => false},
>                         "reload-servers" => {"execute" => false},
>                         "query" => {"execute" => true},
>                         "read-operation-description" => {"execute" => true},
>                         "map-get" => {"execute" => true},
>                         "list-clear" => {"execute" => false},
>                         "read-attribute" => {"execute" => true},
>                         "map-remove" => {"execute" => false},
>                         "read-attribute-group" => {"execute" => true},
>                         "undefine-attribute" => {"execute" => false},
>                         "read-children-names" => {"execute" => true},
>                         "start-servers" => {"execute" => false},
>                         "read-operation-names" => {"execute" => true},
>                         "list-remove" => {"execute" => false},
>                         "read-children-resources" => {"execute" => true}
>                     }
>                 },
>                 "exceptions" => {"[(\"server-group\" => \"main-server-group\")]" => {
>                     "read" => true,
>                     "write" => true,
>                     "attributes" => {
>                         "management-subsystem-endpoint" => {
>                             "read" => true,
>                             "write" => false
>                         },
>                         "profile" => {
>                             "read" => true,
>                             "write" => true
>                         },
>                         "socket-binding-default-interface" => {
>                             "read" => true,
>                             "write" => false
>                         },
>                         "socket-binding-group" => {
>                             "read" => true,
>                             "write" => true
>                         },
>                         "socket-binding-port-offset" => {
>                             "read" => true,
>                             "write" => false
>                         }
>                     },
>                     "operations" => {
>                         "read-children-types" => {"execute" => true},
>                         "whoami" => {"execute" => true},
>                         "map-clear" => {"execute" => true},
>                         "list-get" => {"execute" => true},
>                         "write-attribute" => {"execute" => true},
>                         "replace-deployment" => {"execute" => true},
>                         "stop-servers" => {"execute" => true},
>                         "remove" => {"execute" => false},
>                         "list-add" => {"execute" => true},
>                         "map-put" => {"execute" => true},
>                         "read-attribute-group-names" => {"execute" => true},
>                         "restart-servers" => {"execute" => true},
>                         "resume-servers" => {"execute" => true},
>                         "read-resource-description" => {"execute" => true},
>                         "read-resource" => {"execute" => true},
>                         "add" => {"execute" => false},
>                         "suspend-servers" => {"execute" => true},
>                         "reload-servers" => {"execute" => true},
>                         "query" => {"execute" => true},
>                         "read-operation-description" => {"execute" => true},
>                         "map-get" => {"execute" => true},
>                         "list-clear" => {"execute" => true},
>                         "read-attribute" => {"execute" => true},
>                         "map-remove" => {"execute" => true},
>                         "read-attribute-group" => {"execute" => true},
>                         "undefine-attribute" => {"execute" => true},
>                         "read-children-names" => {"execute" => true},
>                         "start-servers" => {"execute" => true},
>                         "read-operation-names" => {"execute" => true},
>                         "list-remove" => {"execute" => true},
>                         "read-children-resources" => {"execute" => true}
>                     },
>                     "address" => [("server-group" => "main-server-group")]
>                 }}
>             }
>         }
>     }]
> }
> {code}
> However when using the same operation on *non-existing* resources I don't see an exception block:
> {code}
> /server-group=*/deployment=*:read-resource-description(access-control=trim-descriptions,operations=true){roles=[main-maintainer,other-monitor]}
> {
>     "outcome" => "success",
>     "result" => [{
>         "address" => [
>             ("server-group" => "*"),
>             ("deployment" => "*")
>         ],
>         "outcome" => "success",
>         "result" => {
>             "description" => undefined,
>             "access-constraints" => {"application" => {"deployment" => {"type" => "core"}}},
>             "attributes" => undefined,
>             "operations" => undefined,
>             "notifications" => undefined,
>             "children" => {},
>             "access-control" => {
>                 "default" => {
>                     "read" => true,
>                     "write" => false,
>                     "attributes" => {
>                         "enabled" => {
>                             "read" => true,
>                             "write" => false
>                         },
>                         "name" => {
>                             "read" => true,
>                             "write" => false
>                         },
>                         "runtime-name" => {
>                             "read" => true,
>                             "write" => false
>                         }
>                     },
>                     "operations" => {
>                         "read-children-types" => {"execute" => true},
>                         "whoami" => {"execute" => true},
>                         "map-clear" => {"execute" => false},
>                         "list-get" => {"execute" => true},
>                         "write-attribute" => {"execute" => false},
>                         "remove" => {"execute" => false},
>                         "deploy" => {"execute" => false},
>                         "list-add" => {"execute" => false},
>                         "map-put" => {"execute" => false},
>                         "read-attribute-group-names" => {"execute" => true},
>                         "redeploy" => {"execute" => false},
>                         "read-resource-description" => {"execute" => true},
>                         "read-resource" => {"execute" => true},
>                         "add" => {"execute" => false},
>                         "query" => {"execute" => true},
>                         "read-operation-description" => {"execute" => true},
>                         "map-get" => {"execute" => true},
>                         "list-clear" => {"execute" => false},
>                         "read-attribute" => {"execute" => true},
>                         "map-remove" => {"execute" => false},
>                         "read-attribute-group" => {"execute" => true},
>                         "undefine-attribute" => {"execute" => false},
>                         "read-children-names" => {"execute" => true},
>                         "read-operation-names" => {"execute" => true},
>                         "list-remove" => {"execute" => false},
>                         "read-children-resources" => {"execute" => true},
>                         "undeploy" => {"execute" => false}
>                     }
>                 },
>                 "exceptions" => {}
>             }
>         }
>     }]
> }
> {code}
> Some notes on the domain: 
> - Built from WildFly 10 master 
> - No deployments present
> - Role {{main-maintainer}} is a server group scoped role based on Maintainer and scoped to main-server-group
> - Role {{other-monitor}} is a server group scoped role based on Monitor and scoped to other-server-group
> What we would need is a way to *always* get the exceptions no matter whether the resource exists. In the console we create a so-called security context which uses wildcard r-r-d operations like the ones above. This security context is used later on to show / hide UI controls.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
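Added example, not code from WFCORE-832, the HAL console or WildFly itself: a small Java client that issues the wildcard r-r-d call from the report through the native management API (jboss-dmr and wildfly-controller-client) and lists, per described resource, the default read/write and every key under 'exceptions', which is the string form of a full path address as the comment above notes. It also handles the list-versus-single-description difference between wildcard and concrete addresses. The host, port, the local silent authentication and the embedded sample response are assumptions; run with no arguments it walks a trimmed copy of the second response in the report instead of connecting.

```java
// Added example; not code from WFCORE-832, the HAL console or WildFly itself.
// Issues /server-group=*/deployment=*:read-resource-description(access-control=trim-descriptions,
// operations=true){roles=[...]} via the native management API and summarises the access-control block.
// Assumed: the domain controller at host:port accepts the local (silent) auth mechanism for this user.
import org.jboss.as.controller.client.ModelControllerClient;
import org.jboss.dmr.ModelNode;
import org.jboss.dmr.ModelType;
import org.jboss.dmr.Property;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class RrdExceptionsCheck {

    // Constructed sample, trimmed from the second response in the report (empty exceptions block);
    // used when no host/port is given so the walker can be tried offline.
    static final String SAMPLE =
        "{\"outcome\" => \"success\", \"result\" => [{"
      + "  \"address\" => [(\"server-group\" => \"*\"), (\"deployment\" => \"*\")],"
      + "  \"outcome\" => \"success\","
      + "  \"result\" => {\"access-control\" => {"
      + "    \"default\" => {\"read\" => true, \"write\" => false},"
      + "    \"exceptions\" => {}}}}]}";

    /** CLI form: /k1=v1/k2=v2:read-resource-description(access-control=trim-descriptions,operations=true){roles=[...]} */
    static ModelNode buildOp(String[] pathElements, String... roles) {
        ModelNode op = new ModelNode();
        op.get("operation").set("read-resource-description");
        ModelNode address = op.get("address").setEmptyList();
        for (String pe : pathElements) {
            String[] kv = pe.split("=", 2);            // "server-group=*" -> ("server-group" => "*")
            address.add(kv[0], kv[1]);
        }
        op.get("access-control").set("trim-descriptions");
        op.get("operations").set(true);
        ModelNode roleHeader = op.get("operation-headers", "roles").setEmptyList();
        for (String role : roles) roleHeader.add(role);    // the {roles=[...]} header: evaluate as these roles
        return op;
    }

    /** One line per described resource: its address, the default read/write, and every exception key. */
    static List<String> summarize(ModelNode response) {
        ModelNode result = response.get("result");
        // A wildcard address answers with a list of {address, outcome, result}; a concrete address answers
        // with the description directly, so the whole response is the single item in that case.
        List<ModelNode> items = result.getType() == ModelType.LIST
                ? result.asList() : Collections.singletonList(response);
        List<String> lines = new ArrayList<>();
        for (ModelNode item : items) {
            String address = item.hasDefined("address") ? item.get("address").asString() : "<requested address>";
            ModelNode ac = item.get("result", "access-control");
            ModelNode dflt = ac.get("default");
            StringBuilder sb = new StringBuilder(address)
                .append(" default: read=").append(dflt.get("read").asBoolean(false))
                .append(" write=").append(dflt.get("write").asBoolean(false));
            List<Property> exceptions = ac.hasDefined("exceptions")
                    ? ac.get("exceptions").asPropertyList() : Collections.<Property>emptyList();
            if (exceptions.isEmpty()) {
                // The WFCORE-832 symptom for a wildcard address: a scoped role's grants on specific
                // instances are invisible, so a UI built from this data hides controls it could have shown.
                sb.append(" exceptions: none");
            }
            for (Property ex : exceptions) {
                ModelNode v = ex.getValue();
                sb.append("\n  exception ").append(ex.getName())    // key: string form of a full path address
                  .append(" read=").append(v.get("read").asBoolean(false))
                  .append(" write=").append(v.get("write").asBoolean(false));
            }
            lines.add(sb.toString());
        }
        return lines;
    }

    public static void main(String[] args) throws Exception {
        ModelNode response;
        if (args.length < 2) {
            response = ModelNode.fromString(SAMPLE);        // offline: the constructed sample above
        } else {
            try (ModelControllerClient client = ModelControllerClient.Factory.create(args[0], Integer.parseInt(args[1]))) {
                response = client.execute(buildOp(new String[] {"server-group=*", "deployment=*"},
                                                  "main-maintainer", "other-monitor"));
            }
        }
        if (!"success".equals(response.get("outcome").asString())) {
            throw new IllegalStateException("read-resource-description failed: " + response);
        }
        for (String line : summarize(response)) System.out.println(line);
    }
}
```

Dependencies are org.jboss:jboss-dmr and org.wildfly.core:wildfly-controller-client. The output only describes what a console built on r-r-d would see; the server still enforces RBAC on every operation it receives, so a missing exception here causes a control to be hidden, it never grants anything.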

