[jboss-jira] [JBoss JIRA] (WFCORE-832) Access control exceptions missing for non-existent resources

Kabir Khan (JIRA) issues at jboss.org
Tue Sep 29 16:36:00 EDT 2015


    [ https://issues.jboss.org/browse/WFCORE-832?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13113527#comment-13113527 ] 

Kabir Khan commented on WFCORE-832:
-----------------------------------

They are each listed when there are several deployments. The following sequence of CLI commands starts with no deployments:
{code}
[domain at localhost:9990 /] /server-group=*/deployment=*:read-resource-description(access-control=trim-descriptions,operations=true){roles=[main-maintainer,other-monitor]}
{
    "outcome" => "success",
    "result" => [{
        "address" => [
            ("server-group" => "*"),
            ("deployment" => "*")
        ],
        "outcome" => "success",
        "result" => {
            "description" => undefined,
            "access-constraints" => {"application" => {"deployment" => {"type" => "core"}}},
            "attributes" => undefined,
            "operations" => undefined,
            "notifications" => undefined,
            "children" => {},
            "access-control" => {
                "default" => {
                    "read" => true,
                    "write" => false,
                    "attributes" => {
                        "enabled" => {
                            "read" => true,
                            "write" => false
                        },
                        "name" => {
                            "read" => true,
                            "write" => false
                        },
                        "runtime-name" => {
                            "read" => true,
                            "write" => false
                        }
                    },
                    "operations" => {
                        "read-children-types" => {"execute" => true},
                        "whoami" => {"execute" => true},
                        "map-clear" => {"execute" => false},
                        "list-get" => {"execute" => true},
                        "write-attribute" => {"execute" => false},
                        "remove" => {"execute" => false},
                        "deploy" => {"execute" => false},
                        "list-add" => {"execute" => false},
                        "map-put" => {"execute" => false},
                        "read-attribute-group-names" => {"execute" => true},
                        "redeploy" => {"execute" => false},
                        "read-resource-description" => {"execute" => true},
                        "read-resource" => {"execute" => true},
                        "add" => {"execute" => false},
                        "query" => {"execute" => true},
                        "read-operation-description" => {"execute" => true},
                        "map-get" => {"execute" => true},
                        "list-clear" => {"execute" => false},
                        "read-attribute" => {"execute" => true},
                        "map-remove" => {"execute" => false},
                        "read-attribute-group" => {"execute" => true},
                        "undefine-attribute" => {"execute" => false},
                        "read-children-names" => {"execute" => true},
                        "read-operation-names" => {"execute" => true},
                        "list-remove" => {"execute" => false},
                        "read-children-resources" => {"execute" => true},
                        "undeploy" => {"execute" => false}
                    }
                },
                "exceptions" => {"[(\"server-group\" => \"main-server-group\"),(\"deployment\" => \"*\")]" => {
                    "read" => true,
                    "write" => true,
                    "attributes" => {
                        "enabled" => {
                            "read" => true,
                            "write" => true
                        },
                        "name" => {
                            "read" => true,
                            "write" => true
                        },
                        "runtime-name" => {
                            "read" => true,
                            "write" => true
                        }
                    },
                    "operations" => {
                        "read-children-types" => {"execute" => true},
                        "whoami" => {"execute" => true},
                        "map-clear" => {"execute" => true},
                        "list-get" => {"execute" => true},
                        "write-attribute" => {"execute" => true},
                        "remove" => {"execute" => true},
                        "deploy" => {"execute" => true},
                        "list-add" => {"execute" => true},
                        "map-put" => {"execute" => true},
                        "read-attribute-group-names" => {"execute" => true},
                        "redeploy" => {"execute" => true},
                        "read-resource-description" => {"execute" => true},
                        "read-resource" => {"execute" => true},
                        "add" => {"execute" => true},
                        "query" => {"execute" => true},
                        "read-operation-description" => {"execute" => true},
                        "map-get" => {"execute" => true},
                        "list-clear" => {"execute" => true},
                        "read-attribute" => {"execute" => true},
                        "map-remove" => {"execute" => true},
                        "read-attribute-group" => {"execute" => true},
                        "undefine-attribute" => {"execute" => true},
                        "read-children-names" => {"execute" => true},
                        "read-operation-names" => {"execute" => true},
                        "list-remove" => {"execute" => true},
                        "read-children-resources" => {"execute" => true},
                        "undeploy" => {"execute" => true}
                    },
                    "address" => [
                        ("server-group" => "main-server-group"),
                        ("deployment" => "*")
                    ]
                }}
            }
        }
    }]
}
[domain at localhost:9990 /] deploy ~/temp/Calendar.war
One of --disabled, --all-server-groups or --server-groups is missing.
[domain at localhost:9990 /] deploy ~/temp/Calendar.war --all-server-groups
[domain at localhost:9990 /] /server-group=*/deployment=*:read-resource-description(access-control=trim-descriptions,operations=true){roles=[main-maintainer,other-monitor]}
{
    "outcome" => "success",
    "result" => [{
        "address" => [
            ("server-group" => "*"),
            ("deployment" => "*")
        ],
        "outcome" => "success",
        "result" => {
            "description" => undefined,
            "access-constraints" => {"application" => {"deployment" => {"type" => "core"}}},
            "attributes" => undefined,
            "operations" => undefined,
            "notifications" => undefined,
            "children" => {},
            "access-control" => {
                "default" => {
                    "read" => true,
                    "write" => false,
                    "attributes" => {
                        "enabled" => {
                            "read" => true,
                            "write" => false
                        },
                        "name" => {
                            "read" => true,
                            "write" => false
                        },
                        "runtime-name" => {
                            "read" => true,
                            "write" => false
                        }
                    },
                    "operations" => {
                        "read-children-types" => {"execute" => true},
                        "whoami" => {"execute" => true},
                        "map-clear" => {"execute" => false},
                        "list-get" => {"execute" => true},
                        "write-attribute" => {"execute" => false},
                        "remove" => {"execute" => false},
                        "deploy" => {"execute" => false},
                        "list-add" => {"execute" => false},
                        "map-put" => {"execute" => false},
                        "read-attribute-group-names" => {"execute" => true},
                        "redeploy" => {"execute" => false},
                        "read-resource-description" => {"execute" => true},
                        "read-resource" => {"execute" => true},
                        "add" => {"execute" => false},
                        "query" => {"execute" => true},
                        "read-operation-description" => {"execute" => true},
                        "map-get" => {"execute" => true},
                        "list-clear" => {"execute" => false},
                        "read-attribute" => {"execute" => true},
                        "map-remove" => {"execute" => false},
                        "read-attribute-group" => {"execute" => true},
                        "undefine-attribute" => {"execute" => false},
                        "read-children-names" => {"execute" => true},
                        "read-operation-names" => {"execute" => true},
                        "list-remove" => {"execute" => false},
                        "read-children-resources" => {"execute" => true},
                        "undeploy" => {"execute" => false}
                    }
                },
                "exceptions" => {"[(\"server-group\" => \"main-server-group\"),(\"deployment\" => \"Calendar.war\")]" => {
                    "read" => true,
                    "write" => true,
                    "attributes" => {
                        "enabled" => {
                            "read" => true,
                            "write" => true
                        },
                        "name" => {
                            "read" => true,
                            "write" => true
                        },
                        "runtime-name" => {
                            "read" => true,
                            "write" => true
                        }
                    },
                    "operations" => {
                        "read-children-types" => {"execute" => true},
                        "whoami" => {"execute" => true},
                        "map-clear" => {"execute" => true},
                        "list-get" => {"execute" => true},
                        "write-attribute" => {"execute" => true},
                        "remove" => {"execute" => true},
                        "deploy" => {"execute" => true},
                        "list-add" => {"execute" => true},
                        "map-put" => {"execute" => true},
                        "read-attribute-group-names" => {"execute" => true},
                        "redeploy" => {"execute" => true},
                        "read-resource-description" => {"execute" => true},
                        "read-resource" => {"execute" => true},
                        "add" => {"execute" => true},
                        "query" => {"execute" => true},
                        "read-operation-description" => {"execute" => true},
                        "map-get" => {"execute" => true},
                        "list-clear" => {"execute" => true},
                        "read-attribute" => {"execute" => true},
                        "map-remove" => {"execute" => true},
                        "read-attribute-group" => {"execute" => true},
                        "undefine-attribute" => {"execute" => true},
                        "read-children-names" => {"execute" => true},
                        "read-operation-names" => {"execute" => true},
                        "list-remove" => {"execute" => true},
                        "read-children-resources" => {"execute" => true},
                        "undeploy" => {"execute" => true}
                    },
                    "address" => [
                        ("server-group" => "main-server-group"),
                        ("deployment" => "Calendar.war")
                    ]
                }}
            }
        }
    }]
}
[domain at localhost:9990 /] deploy ~/temp/Calendar2.war --all-server-groups
[domain at localhost:9990 /] /server-group=*/deployment=*:read-resource-description(access-control=trim-descriptions,operations=true){roles=[main-maintainer,other-monitor]}
{
    "outcome" => "success",
    "result" => [{
        "address" => [
            ("server-group" => "*"),
            ("deployment" => "*")
        ],
        "outcome" => "success",
        "result" => {
            "description" => undefined,
            "access-constraints" => {"application" => {"deployment" => {"type" => "core"}}},
            "attributes" => undefined,
            "operations" => undefined,
            "notifications" => undefined,
            "children" => {},
            "access-control" => {
                "default" => {
                    "read" => true,
                    "write" => false,
                    "attributes" => {
                        "enabled" => {
                            "read" => true,
                            "write" => false
                        },
                        "name" => {
                            "read" => true,
                            "write" => false
                        },
                        "runtime-name" => {
                            "read" => true,
                            "write" => false
                        }
                    },
                    "operations" => {
                        "read-children-types" => {"execute" => true},
                        "whoami" => {"execute" => true},
                        "map-clear" => {"execute" => false},
                        "list-get" => {"execute" => true},
                        "write-attribute" => {"execute" => false},
                        "remove" => {"execute" => false},
                        "deploy" => {"execute" => false},
                        "list-add" => {"execute" => false},
                        "map-put" => {"execute" => false},
                        "read-attribute-group-names" => {"execute" => true},
                        "redeploy" => {"execute" => false},
                        "read-resource-description" => {"execute" => true},
                        "read-resource" => {"execute" => true},
                        "add" => {"execute" => false},
                        "query" => {"execute" => true},
                        "read-operation-description" => {"execute" => true},
                        "map-get" => {"execute" => true},
                        "list-clear" => {"execute" => false},
                        "read-attribute" => {"execute" => true},
                        "map-remove" => {"execute" => false},
                        "read-attribute-group" => {"execute" => true},
                        "undefine-attribute" => {"execute" => false},
                        "read-children-names" => {"execute" => true},
                        "read-operation-names" => {"execute" => true},
                        "list-remove" => {"execute" => false},
                        "read-children-resources" => {"execute" => true},
                        "undeploy" => {"execute" => false}
                    }
                },
                "exceptions" => {
                    "[(\"server-group\" => \"main-server-group\"),(\"deployment\" => \"Calendar2.war\")]" => {
                        "read" => true,
                        "write" => true,
                        "attributes" => {
                            "enabled" => {
                                "read" => true,
                                "write" => true
                            },
                            "name" => {
                                "read" => true,
                                "write" => true
                            },
                            "runtime-name" => {
                                "read" => true,
                                "write" => true
                            }
                        },
                        "operations" => {
                            "read-children-types" => {"execute" => true},
                            "whoami" => {"execute" => true},
                            "map-clear" => {"execute" => true},
                            "list-get" => {"execute" => true},
                            "write-attribute" => {"execute" => true},
                            "remove" => {"execute" => true},
                            "deploy" => {"execute" => true},
                            "list-add" => {"execute" => true},
                            "map-put" => {"execute" => true},
                            "read-attribute-group-names" => {"execute" => true},
                            "redeploy" => {"execute" => true},
                            "read-resource-description" => {"execute" => true},
                            "read-resource" => {"execute" => true},
                            "add" => {"execute" => true},
                            "query" => {"execute" => true},
                            "read-operation-description" => {"execute" => true},
                            "map-get" => {"execute" => true},
                            "list-clear" => {"execute" => true},
                            "read-attribute" => {"execute" => true},
                            "map-remove" => {"execute" => true},
                            "read-attribute-group" => {"execute" => true},
                            "undefine-attribute" => {"execute" => true},
                            "read-children-names" => {"execute" => true},
                            "read-operation-names" => {"execute" => true},
                            "list-remove" => {"execute" => true},
                            "read-children-resources" => {"execute" => true},
                            "undeploy" => {"execute" => true}
                        },
                        "address" => [
                            ("server-group" => "main-server-group"),
                            ("deployment" => "Calendar2.war")
                        ]
                    },
                    "[(\"server-group\" => \"main-server-group\"),(\"deployment\" => \"Calendar.war\")]" => {
                        "read" => true,
                        "write" => true,
                        "attributes" => {
                            "enabled" => {
                                "read" => true,
                                "write" => true
                            },
                            "name" => {
                                "read" => true,
                                "write" => true
                            },
                            "runtime-name" => {
                                "read" => true,
                                "write" => true
                            }
                        },
                        "operations" => {
                            "read-children-types" => {"execute" => true},
                            "whoami" => {"execute" => true},
                            "map-clear" => {"execute" => true},
                            "list-get" => {"execute" => true},
                            "write-attribute" => {"execute" => true},
                            "remove" => {"execute" => true},
                            "deploy" => {"execute" => true},
                            "list-add" => {"execute" => true},
                            "map-put" => {"execute" => true},
                            "read-attribute-group-names" => {"execute" => true},
                            "redeploy" => {"execute" => true},
                            "read-resource-description" => {"execute" => true},
                            "read-resource" => {"execute" => true},
                            "add" => {"execute" => true},
                            "query" => {"execute" => true},
                            "read-operation-description" => {"execute" => true},
                            "map-get" => {"execute" => true},
                            "list-clear" => {"execute" => true},
                            "read-attribute" => {"execute" => true},
                            "map-remove" => {"execute" => true},
                            "read-attribute-group" => {"execute" => true},
                            "undefine-attribute" => {"execute" => true},
                            "read-children-names" => {"execute" => true},
                            "read-operation-names" => {"execute" => true},
                            "list-remove" => {"execute" => true},
                            "read-children-resources" => {"execute" => true},
                            "undeploy" => {"execute" => true}
                        },
                        "address" => [
                            ("server-group" => "main-server-group"),
                            ("deployment" => "Calendar.war")
                        ]
                    }
                }
            }
        }
    }]
}
[domain at localhost:9990 /] 
{code}

The following is a bit half-digested.... While I see what you are saying about folding Calendar.war and Calendar2.war together into deployment=x, I am not sure that is feasible when there are actual children. The main worry is: if we have, say, 4 deployments and three of them have the same exception while the fourth does not, do we roll the three together as deployment=x and the last one as deployment=unique? This could also affect other things elsewhere. At the same time, things under server-group seem slightly special because of the server-group scoped roles.

> Access control exceptions missing for non-existent resources
> ------------------------------------------------------------
>
>                 Key: WFCORE-832
>                 URL: https://issues.jboss.org/browse/WFCORE-832
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Domain Management
>            Reporter: Harald Pehl
>            Assignee: Kabir Khan
>
> When asking for the access control metadata using (r-r-d) on *existing* resources I get an exceptions block: 
> {code}
> /server-group=*:read-resource-description(access-control=trim-descriptions,operations=true){roles=[main-maintainer,other-monitor]}
> {
>     "outcome" => "success",
>     "result" => [{
>         "address" => [("server-group" => "*")],
>         "outcome" => "success",
>         "result" => {
>             "description" => undefined,
>             "attributes" => undefined,
>             "operations" => undefined,
>             "notifications" => undefined,
>             "children" => {
>                 "deployment" => {"model-description" => undefined},
>                 "jvm" => {"model-description" => undefined},
>                 "deployment-overlay" => {"model-description" => undefined},
>                 "system-property" => {"model-description" => undefined}
>             },
>             "access-control" => {
>                 "default" => {
>                     "read" => true,
>                     "write" => false,
>                     "attributes" => {
>                         "management-subsystem-endpoint" => {
>                             "read" => true,
>                             "write" => false
>                         },
>                         "profile" => {
>                             "read" => true,
>                             "write" => false
>                         },
>                         "socket-binding-default-interface" => {
>                             "read" => true,
>                             "write" => false
>                         },
>                         "socket-binding-group" => {
>                             "read" => true,
>                             "write" => false
>                         },
>                         "socket-binding-port-offset" => {
>                             "read" => true,
>                             "write" => false
>                         }
>                     },
>                     "operations" => {
>                         "read-children-types" => {"execute" => true},
>                         "whoami" => {"execute" => true},
>                         "map-clear" => {"execute" => false},
>                         "list-get" => {"execute" => true},
>                         "write-attribute" => {"execute" => false},
>                         "replace-deployment" => {"execute" => false},
>                         "stop-servers" => {"execute" => false},
>                         "remove" => {"execute" => false},
>                         "list-add" => {"execute" => false},
>                         "map-put" => {"execute" => false},
>                         "read-attribute-group-names" => {"execute" => true},
>                         "restart-servers" => {"execute" => false},
>                         "resume-servers" => {"execute" => false},
>                         "read-resource-description" => {"execute" => true},
>                         "read-resource" => {"execute" => true},
>                         "add" => {"execute" => false},
>                         "suspend-servers" => {"execute" => false},
>                         "reload-servers" => {"execute" => false},
>                         "query" => {"execute" => true},
>                         "read-operation-description" => {"execute" => true},
>                         "map-get" => {"execute" => true},
>                         "list-clear" => {"execute" => false},
>                         "read-attribute" => {"execute" => true},
>                         "map-remove" => {"execute" => false},
>                         "read-attribute-group" => {"execute" => true},
>                         "undefine-attribute" => {"execute" => false},
>                         "read-children-names" => {"execute" => true},
>                         "start-servers" => {"execute" => false},
>                         "read-operation-names" => {"execute" => true},
>                         "list-remove" => {"execute" => false},
>                         "read-children-resources" => {"execute" => true}
>                     }
>                 },
>                 "exceptions" => {"[(\"server-group\" => \"main-server-group\")]" => {
>                     "read" => true,
>                     "write" => true,
>                     "attributes" => {
>                         "management-subsystem-endpoint" => {
>                             "read" => true,
>                             "write" => false
>                         },
>                         "profile" => {
>                             "read" => true,
>                             "write" => true
>                         },
>                         "socket-binding-default-interface" => {
>                             "read" => true,
>                             "write" => false
>                         },
>                         "socket-binding-group" => {
>                             "read" => true,
>                             "write" => true
>                         },
>                         "socket-binding-port-offset" => {
>                             "read" => true,
>                             "write" => false
>                         }
>                     },
>                     "operations" => {
>                         "read-children-types" => {"execute" => true},
>                         "whoami" => {"execute" => true},
>                         "map-clear" => {"execute" => true},
>                         "list-get" => {"execute" => true},
>                         "write-attribute" => {"execute" => true},
>                         "replace-deployment" => {"execute" => true},
>                         "stop-servers" => {"execute" => true},
>                         "remove" => {"execute" => false},
>                         "list-add" => {"execute" => true},
>                         "map-put" => {"execute" => true},
>                         "read-attribute-group-names" => {"execute" => true},
>                         "restart-servers" => {"execute" => true},
>                         "resume-servers" => {"execute" => true},
>                         "read-resource-description" => {"execute" => true},
>                         "read-resource" => {"execute" => true},
>                         "add" => {"execute" => false},
>                         "suspend-servers" => {"execute" => true},
>                         "reload-servers" => {"execute" => true},
>                         "query" => {"execute" => true},
>                         "read-operation-description" => {"execute" => true},
>                         "map-get" => {"execute" => true},
>                         "list-clear" => {"execute" => true},
>                         "read-attribute" => {"execute" => true},
>                         "map-remove" => {"execute" => true},
>                         "read-attribute-group" => {"execute" => true},
>                         "undefine-attribute" => {"execute" => true},
>                         "read-children-names" => {"execute" => true},
>                         "start-servers" => {"execute" => true},
>                         "read-operation-names" => {"execute" => true},
>                         "list-remove" => {"execute" => true},
>                         "read-children-resources" => {"execute" => true}
>                     },
>                     "address" => [("server-group" => "main-server-group")]
>                 }}
>             }
>         }
>     }]
> }
> {code}
> However, when using the same operation on *non-existing* resources I don't see an exceptions block:
> {code}
> /server-group=*/deployment=*:read-resource-description(access-control=trim-descriptions,operations=true){roles=[main-maintainer,other-monitor]}
> {
>     "outcome" => "success",
>     "result" => [{
>         "address" => [
>             ("server-group" => "*"),
>             ("deployment" => "*")
>         ],
>         "outcome" => "success",
>         "result" => {
>             "description" => undefined,
>             "access-constraints" => {"application" => {"deployment" => {"type" => "core"}}},
>             "attributes" => undefined,
>             "operations" => undefined,
>             "notifications" => undefined,
>             "children" => {},
>             "access-control" => {
>                 "default" => {
>                     "read" => true,
>                     "write" => false,
>                     "attributes" => {
>                         "enabled" => {
>                             "read" => true,
>                             "write" => false
>                         },
>                         "name" => {
>                             "read" => true,
>                             "write" => false
>                         },
>                         "runtime-name" => {
>                             "read" => true,
>                             "write" => false
>                         }
>                     },
>                     "operations" => {
>                         "read-children-types" => {"execute" => true},
>                         "whoami" => {"execute" => true},
>                         "map-clear" => {"execute" => false},
>                         "list-get" => {"execute" => true},
>                         "write-attribute" => {"execute" => false},
>                         "remove" => {"execute" => false},
>                         "deploy" => {"execute" => false},
>                         "list-add" => {"execute" => false},
>                         "map-put" => {"execute" => false},
>                         "read-attribute-group-names" => {"execute" => true},
>                         "redeploy" => {"execute" => false},
>                         "read-resource-description" => {"execute" => true},
>                         "read-resource" => {"execute" => true},
>                         "add" => {"execute" => false},
>                         "query" => {"execute" => true},
>                         "read-operation-description" => {"execute" => true},
>                         "map-get" => {"execute" => true},
>                         "list-clear" => {"execute" => false},
>                         "read-attribute" => {"execute" => true},
>                         "map-remove" => {"execute" => false},
>                         "read-attribute-group" => {"execute" => true},
>                         "undefine-attribute" => {"execute" => false},
>                         "read-children-names" => {"execute" => true},
>                         "read-operation-names" => {"execute" => true},
>                         "list-remove" => {"execute" => false},
>                         "read-children-resources" => {"execute" => true},
>                         "undeploy" => {"execute" => false}
>                     }
>                 },
>                 "exceptions" => {}
>             }
>         }
>     }]
> }
> {code}
> Some notes on the domain: 
> - Built from WildFly 10 master 
> - No deployments present
> - Role {{main-maintainer}} is a server group scoped role based on Maintainer and scoped to main-server-group
> - Role {{other-monitor}} is a server group scoped role based on Monitor and scoped to other-server-group
> What we would need is a way to *always* get the exceptions no matter whether the resource exists. In the console we create a so-called security context which uses wildcard r-r-d operations like the ones above. This security context is used later on to show / hide UI controls.


