[wildfly-dev] WFCORE-276 - :whoami(verbose=true) Fails for user with no roles.

Darran Lofthouse darran.lofthouse at jboss.com
Mon Nov 24 14:31:13 EST 2014


After a further check, we have the contributed high level command handler 
for 'connection-info', which amongst other things outputs the output from 
:whoami(verbose=true), so in that case I don't think I need to duplicate 
this with another high level whoami operation.

I will resolve the Jira, I think; if anyone searches for the error they 
will find it now, and I will comment that they should use connection-info 
instead.

Regards,
Darran Lofthouse.


On 24/11/14 19:08, Darran Lofthouse wrote:
>
>
> On 24/11/14 19:04, Brian Stansberry wrote:
>> On 11/24/14, 12:37 PM, Darran Lofthouse wrote:
>>> Hello Alexey / Brian,
>>>
>>> Just trying to get to the bottom of a failure where
>>> :whoami(verbose=true) is being performed by a user in the CLI with no
>>> roles and the following error is received and looking for some ideas.
>>>
>>> "WFLYCTL0313: Unauthorized to execute operation
>>> 'read-operation-description' for resource '[]' -- "WFLYCTL0332:
>>> Permission denied""
>>>
>>> The call to the :whoami operation would be fine except as there is a
>>> parameter the CLI is attempting to validate the parameters by making a
>>> call to read-operation-description and it is that call that is failing.
>>>
>>> Personally I think this operation working is important as it enables
>>> some debugging of role assignment, i.e. if a user has not been granted
>>> the expected roles this call helps provide some information about that.
>>>
>>> So unless we are going to say the user should not be calling whoami we
>>> broadly have two options: -
>>>
>>> 1 - Make a special case in the CLI and skip the
>>> read-operation-description call.
>>>
>>
>> There should be a high level command in the CLI for this anyway. I don't
>> really like the low level op being handled as a special case, but a high
>> level command is fine with me.
>
> Thanks - That could work, will look at that option.
>
>>> 2 - Access control changes to make it possible to call
>>> read-operation-description for the whoami operation.
>>>
>>
>> -1. I'd much rather not even allow the use of this op than go this route.
>>
>> Related to this, today isn't good but let's chat some time soon re: how
>> to make the interactive-mode CLI behavior more user-friendly when the
>> user has no permissions, e.g. can't read the root resource. For example,
>> output a message informing the user of this and, if reasonably do-able,
>> limiting the tab completion list to just a few things. Just the message
>> would help a lot; something analogous to this message we print when the
>> user isn't connected:
>
> At the moment the CLI could also use the :whoami operation to check a
> user does have at least one role but that will not help much if a
> non-role based access control provider is ever installed.
>
>> You are disconnected at the moment. Type 'connect' to connect to the
>> server or 'help' for the list of supported commands.
>>
>>> Regards,
>>> Darran Lofthouse.
>>
>>

