Bug 1018738

| Field | Value |
|---|---|
| Summary | RBAC Additional scoped role and role mapping integrity checking of the management model. |
| Product | [JBoss] JBoss Enterprise Application Platform 6 |
| Component | Domain Management |
| Version | 6.1.0 |
| Status | CLOSED CURRENTRELEASE |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Harald Pehl <hpehl> |
| Assignee | Darran Lofthouse <darran.lofthouse> |
| QA Contact | Ladislav Thon <lthon> |
| Docs Contact | Russell Dickenson <rdickens> |
| CC | brian.stansberry, darran.lofthouse, emuckenh, jcechace, lthon |
| Target Milestone | ER7 |
| Target Release | EAP 6.2.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | Known Issue |
| Type | Bug |
| Last Closed | 2013-12-15 16:18:36 UTC |

Description
Harald Pehl
2013-10-14 10:40:36 UTC
Darran Lofthouse <darran.lofthouse> updated the status of jira WFLY-2295 to Resolved

Darran Lofthouse <darran.lofthouse> made a comment on jira WFLY-2295

For WFLY-2270 the underlying issue there was that role mappings could exist that do not correspond to either a standard role or to a scoped role, the solution on that issue is: -

- Only accept role mappings where the name specified is equal using a case sensitive comparison to either a standard role or to a previously defined scoped role.
- At the same time we will also prevent the removal of a scoped role if the role mapping still exists.

As a result it will no longer be possible to define roles in the CLI that do not use the formal role names.

Darran Lofthouse <darran.lofthouse> made a comment on jira WFLY-2270

Also adding the following checks: -

1 - Ensure a scoped role is not a duplicate, taking into account host scoped roles, server group scoped roles and the standard roles with a case insensitive check.

2 - The base-role for a scoped role needs to be a standard role - if the user entered the role using an alternative case style it should be converted in the model to the formal style.

Proposing that the additional verification is added to EAP 6.2, without the verification it is possible to define configuration that breaks the server by locking out authenticated users.

Yes, Darran, it was my intent that your work on this would be backported as part of this BZ.

Verified with EAP 6.2.0.ER7.
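
The integrity checks described in the comments above, modelled as an added Python example; this is not WildFly or EAP code. The class and method names are hypothetical, and the seven standard role names are the ones WildFly RBAC defines, not values taken from this page.

```python
# Added illustration: a toy in-memory model, not the WildFly management model.
# RoleModel, RoleModelError and the method names are hypothetical.
STANDARD_ROLES = ("Monitor", "Operator", "Maintainer", "Deployer",
                  "Administrator", "Auditor", "SuperUser")
_FORMAL = {r.lower(): r for r in STANDARD_ROLES}


class RoleModelError(ValueError):
    """Raised when an operation would leave the role model inconsistent."""


class RoleModel:
    def __init__(self):
        self.scoped = {}       # scoped role name -> (formal base role, scope kind)
        self.mappings = set()  # role names that have a role-mapping entry

    def add_scoped_role(self, name, base_role, kind):
        if kind not in ("host", "server-group"):
            raise RoleModelError(f"unknown scope kind {kind!r}")
        # Check 1: case-insensitive duplicate check across the standard roles
        # and both kinds of scoped role (they share one dictionary here).
        taken = set(_FORMAL) | {n.lower() for n in self.scoped}
        if name.lower() in taken:
            raise RoleModelError(f"duplicate role name {name!r}")
        # Check 2: base-role must be a standard role; store the formal spelling.
        formal = _FORMAL.get(base_role.lower())
        if formal is None:
            raise RoleModelError(f"base-role {base_role!r} is not a standard role")
        self.scoped[name] = (formal, kind)
        return formal

    def add_role_mapping(self, name):
        # Case-sensitive match against a standard role or an existing scoped role.
        if name not in STANDARD_ROLES and name not in self.scoped:
            raise RoleModelError(f"no role named {name!r}")
        self.mappings.add(name)

    def remove_role_mapping(self, name):
        self.mappings.discard(name)

    def remove_scoped_role(self, name):
        if name not in self.scoped:
            raise RoleModelError(f"no scoped role named {name!r}")
        # Removal is refused while a role mapping still references the role.
        if name in self.mappings:
            raise RoleModelError(f"role mapping for {name!r} still exists")
        del self.scoped[name]
```

The ordering matters for the lockout case the comments mention: a mapping can only be created for a role that already exists, and the scoped role can only be removed once its mapping is gone, so no mapping is left pointing at an undefined role.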