Bug 1018738

Summary: RBAC Additional scoped role and role mapping integrity checking of the management model.
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Harald Pehl <hpehl>
Component: Domain Management
Assignee: Darran Lofthouse <darran.lofthouse>
Status: CLOSED CURRENTRELEASE
QA Contact: Ladislav Thon <lthon>
Severity: unspecified
Docs Contact: Russell Dickenson <rdickens>
Priority: unspecified
Version: 6.1.0
CC: brian.stansberry, darran.lofthouse, emuckenh, jcechace, lthon
Target Milestone: ER7
Target Release: EAP 6.2.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Known Issue
Last Closed: 2013-12-15 16:18:36 UTC
Type: Bug

Description Harald Pehl 2013-10-14 10:40:36 UTC
When creating a role mapping through the CLI using a non-formal role name like "AUDITOR", that role name is used as-is in the persistent configuration: 

{code}
cd /core-service=management/access=authorization
./role-mapping=AUDITOR:add
./role-mapping=AUDITOR/include=johndoe:add(name=johndoe,type=user)
{code}

The persistent configuration should map non-formal role names to formal role names, as other management clients (the console) rely on the formal names.

Comment 1 JBoss JIRA Server 2013-10-14 10:46:25 UTC
Darran Lofthouse <darran.lofthouse> updated the status of jira WFLY-2295 to Resolved

Comment 2 JBoss JIRA Server 2013-10-14 10:46:25 UTC
Darran Lofthouse <darran.lofthouse> made a comment on jira WFLY-2295

For WFLY-2270 the underlying issue there was that role mappings could exist that do not correspond to either a standard role or to a scoped role. The solution on that issue is:
 - Only accept role mappings where the name specified is equal, using a case sensitive comparison, to either a standard role or to a previously defined scoped role.
 - At the same time we will also prevent the removal of a scoped role if the role mapping still exists.

As a result it will no longer be possible to define roles in the CLI that do not use the formal role names.

Comment 3 JBoss JIRA Server 2013-10-14 17:54:45 UTC
Darran Lofthouse <darran.lofthouse> made a comment on jira WFLY-2270

Also adding the following checks:
 1 - Ensure a scoped role is not a duplicate, taking into account host scoped roles, server group scoped roles and the standard roles with a case insensitive check.
 2 - The base-role for a scoped role needs to be a standard role; if the user entered the role using an alternative case style it should be converted in the model to the formal style.
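The checks described in comments 2 and 3, modelled as an added example in Python against a constructed in-memory view of the access=authorization resource; this is not code from the bug report or from EAP/WildFly, and the class and method names are hypothetical. It assumes the seven standard roles of EAP 6.2 RBAC.

```python
# Added example (not EAP/WildFly code): the role-mapping and scoped-role
# integrity checks from WFLY-2270 / WFLY-2295, modelled on a constructed
# in-memory authorization model. Class and method names are hypothetical.

# Standard (formal) role names; these are the spellings the console relies on.
STANDARD_ROLES = ("Monitor", "Operator", "Maintainer", "Deployer",
                  "Auditor", "Administrator", "SuperUser")


class AuthorizationModel:
    def __init__(self):
        self.host_scoped = {}          # scoped role name -> formal base role
        self.server_group_scoped = {}  # scoped role name -> formal base role
        self.role_mappings = set()     # names under role-mapping=*

    def _all_role_names(self):
        return (list(STANDARD_ROLES) + list(self.host_scoped)
                + list(self.server_group_scoped))

    def add_scoped_role(self, kind, name, base_role):
        # Check 1: no duplicate across host scoped, server group scoped and
        # standard roles, compared case-insensitively.
        if name.lower() in {r.lower() for r in self._all_role_names()}:
            raise ValueError(f"scoped role '{name}' duplicates an existing role")
        # Check 2: base-role must be a standard role; an alternative case
        # style is converted to the formal spelling before it is stored.
        formal = {r.lower(): r for r in STANDARD_ROLES}.get(base_role.lower())
        if formal is None:
            raise ValueError(f"base-role '{base_role}' is not a standard role")
        target = self.host_scoped if kind == "host" else self.server_group_scoped
        target[name] = formal
        return formal

    def add_role_mapping(self, name):
        # WFLY-2270: accept only names equal, case-sensitively, to a standard
        # role or to a previously defined scoped role ("AUDITOR" is rejected).
        if name not in self._all_role_names():
            raise ValueError(f"role mapping '{name}' does not name a formal role")
        self.role_mappings.add(name)

    def remove_scoped_role(self, name):
        # Removal is refused while a role mapping for the scoped role exists.
        if name in self.role_mappings:
            raise ValueError(f"scoped role '{name}' still has a role mapping")
        self.host_scoped.pop(name, None)
        self.server_group_scoped.pop(name, None)


def rejected(fn, *args):
    """True if the model refuses the operation with a ValueError."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True
```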

Comment 4 Darran Lofthouse 2013-10-15 12:54:28 UTC
Proposing that the additional verification is added to EAP 6.2; without the verification it is possible to define configuration that breaks the server by locking out authenticated users.

Comment 5 Brian Stansberry 2013-10-15 14:17:58 UTC
Yes, Darran, it was my intent that your work on this would be backported as part of this BZ.

Comment 7 Ladislav Thon 2013-11-06 11:42:24 UTC
Verified with EAP 6.2.0.ER7.