[keycloak-user] Permission related issues in 3.2.0

Dmitry Telegin mitya at cargosoft.ru
Wed Jul 5 16:54:19 EDT 2017


Hi,
After upgrade to 3.2.0, I've noticed the following issues that may all
be permissions-related:
* in 3.2.0, if you create a (non-master) realm, add a user, assign
realm-management.realm-admin client role, click impersonate (or simply
relogin) to access the account page - in the Applications tab you'll
see only Account itself, and neither Security Admin Console nor Admin
CLI like in 3.1.0. This is a bit confusing since the user actually is
able to access admin console and CLI;
* in 3.2.0, if you log in as a master realm admin, create a role in a
non-master realm, turn it into composite and try to add roles to it,
you'll get an exception:
23:12:52,654 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-12) RESTEASY002005: Failed executing POST /admin/realms/foobar/roles-by-id/3e38af68-5aef-482c-868e-461f12e11592/composites: org.keycloak.services.ForbiddenException
	at org.keycloak.services.resources.admin.permissions.RolePermissions.requireMapComposite(RolePermissions.java:383)
	at org.keycloak.services.resources.admin.RoleResource.addComposites(RoleResource.java:70)
	at org.keycloak.services.resources.admin.RoleByIdResource.addComposites(RoleByIdResource.java:161)
I didn't manage to find a working combination of permissions to solve
this. Anyway, one might expect this to work out of the box, like it
used to in 3.1.0.
Dmitry

