Bug 1012588

Summary: RBAC: Authorization error on access to JNDI View
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Jakub Cechacek <jcechace>
Component: Web ConsoleAssignee: Heiko Braun <hbraun>
Status: CLOSED CURRENTRELEASE QA Contact: Jakub Cechacek <jcechace>
Severity: urgent Docs Contact: Russell Dickenson <rdickens>
Priority: unspecified    
Version: 6.2.0CC: brian.stansberry, dosoudil, hpehl, jkudrnac
Target Milestone: ER4   
Target Release: EAP 6.2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-15 16:18:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1014047    

Description Jakub Cechacek 2013-09-26 16:56:18 UTC 
Accessing Runtime - Subsystems - JNDI View will raise an Auth error for roles with lower permissions than administrator (or scoped version)
Comment 1 Brian Stansberry 2013-09-26 17:10:03 UTC 
Note that this is deliberate on the server side. JNDI bindings reveal sensitive information, such as security domain names.

There is a sensitivity classification for this:

[standalone@localhost:9999 /] cd /core-service=management/access=authorization/constraint=sensitivity-classification/type=naming/classification=jndi-view
[standalone@localhost:9999 classification=jndi-view] :read-resource(recursive=true)
{
    "outcome" => "success",
    "result" => {
        "configured-requires-addressable" => undefined,
        "configured-requires-read" => undefined,
        "configured-requires-write" => undefined,
        "default-requires-addressable" => false,
        "default-requires-read" => true,
        "default-requires-write" => true,
        "applies-to" => {"/subsystem=naming" => {
            "address" => "/subsystem=naming",
            "attributes" => [],
            "entire-resource" => false,
            "operations" => ["jndi-view"]
        }}
    }
}
Comment 2 Jakub Cechacek 2013-09-26 17:44:53 UTC 
@Brian: However user should not be informed about that in form of server error. Either make the page inaccessible for him or (as on other restricted pages) inform about it through the usual popup
Comment 3 Brian Stansberry 2013-09-26 22:05:17 UTC 
@Jakub: Agreed. My Comment #1 was intended as background info only.
Comment 4 Heiko Braun 2013-09-27 05:34:38 UTC 
@Jakub That's someting I'll look into
Comment 5 JBoss JIRA Server 2013-09-27 11:57:56 UTC 
Heiko Braun <ike.braun> made a comment on jira HAL-219

{noformat}
[domain@localhost:9999 /] /host=master/server=server-one/subsystem=naming:jndi-view(){roles=operator}
{
    "outcome" => "failed",
    "result" => undefined,
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'jndi-view' for resource '[(\"subsystem\" => \"naming\")]' -- \"JBAS013475: Permission denied\"",
    "rolled-back" => true
}
{noformat}
Comment 6 JBoss JIRA Server 2013-09-27 11:58:17 UTC 
Heiko Braun <ike.braun> made a comment on jira HAL-219

Seems to be a real permission problem, not a UI issue:


{noformat}
[domain@localhost:9999 /] /host=master/server=server-one/subsystem=naming:jndi-view(){roles=operator}
{
    "outcome" => "failed",
    "result" => undefined,
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'jndi-view' for resource '[(\"subsystem\" => \"naming\")]' -- \"JBAS013475: Permission denied\"",
    "rolled-back" => true
}
{noformat}
Comment 7 JBoss JIRA Server 2013-09-27 11:59:06 UTC 
Heiko Braun <ike.braun> made a comment on jira HAL-219

Jakub: 

However user should not be informed about that in form of server error.
Either make the page inaccessible for him or (as on other restricted pages)
inform about it through the usual popup
Comment 8 JBoss JIRA Server 2013-09-27 13:48:52 UTC 
Brian Stansberry <brian.stansberry> made a comment on jira HAL-219

Heiko:

Operator should not be expected to be able to use this op without a change to the settings on the naming subsystem's sensitivity classification "jndi-view". JNDI bindings reveal sensitive information, such as security domain names.

The sensitivity classification for this:

[standalone@localhost:9999 /] cd /core-service=management/access=authorization/constraint=sensitivity-classification/type=naming/classification=jndi-view
[standalone@localhost:9999 classification=jndi-view] :read-resource(recursive=true)
{
    "outcome" => "success",
    "result" => {
        "configured-requires-addressable" => undefined,
        "configured-requires-read" => undefined,
        "configured-requires-write" => undefined,
        "default-requires-addressable" => false,
        "default-requires-read" => true,
        "default-requires-write" => true,
        "applies-to" => {"/subsystem=naming" => {
            "address" => "/subsystem=naming",
            "attributes" => [],
            "entire-resource" => false,
            "operations" => ["jndi-view"]
        }}
    }
}
Comment 9 JBoss JIRA Server 2013-09-30 12:44:46 UTC 
Heiko Braun <ike.braun> updated the status of jira HAL-219 to Resolved
Comment 10 Vladimir Dosoudil 2013-10-01 12:07:18 UTC 
Moving back to ASSIGNED (https://docspace.corp.redhat.com/docs/DOC-154626).
There's no PR to eap 6.x github repo https://github.com/jbossas/jboss-eap/
Comment 11 Vladimir Dosoudil 2013-10-01 12:48:59 UTC 
The umbrella issue 1014047 is available now.
Comment 15 Jakub Cechacek 2013-10-09 08:00:49 UTC 
Verified 6.2.0.ER5