Bug 1092203

Summary: Not authorized write operation does not get audit logged if log-read-only="false"
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Brian Stansberry <brian.stansberry>
Component: Domain Management
Assignee: Brian Stansberry <brian.stansberry>
Status: CLOSED CURRENTRELEASE
QA Contact: Ondrej Lukas <olukas>
Severity: unspecified
Docs Contact: Nidhi <nsriniva>
Priority: unspecified
Version: 6.2.0
CC: emuckenh, kkhan, myarboro, nsriniva, smumford, zroubali
Target Milestone: ER4
Target Release: EAP 6.3.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Previous versions of JBoss EAP 6 contained a bug that prevented the logging of a "write" operation invoked by an unauthorized user if the "log-read-only" attribute on the management audit-logging resource was set to `false`. This was because the model controller used acquisition of the controller lock as the condition for deciding whether an operation should be reported as a "write" operation in the log. When role based access control (RBAC) was enabled and an unauthorized operation was performed, the error occurred before the controller lock was taken. As a result, unauthorized write operations were not reported in the audit log if "log-read-only" was set to `false`. If "log-read-only" was set to `true`, the log record incorrectly stated the operation as a "read" operation. This issue has been resolved in this release of the product.
Last Closed: 2014-06-28 15:42:14 UTC
Type: Bug

Description Brian Stansberry 2014-04-29 01:07:43 UTC
Description of problem:

If the log-read-only attribute on the management audit-logging resource is set to 'false' and a user attempts to invoke a write operation but is not authorized, the attempted operation is not logged.

How reproducible:

Always

Steps to Reproduce:
1. Turn on management audit logging.
2. Set the log-read-only attribute on the core-service=management/access=audit resource to 'false'
3. Switch the access control provider to 'rbac'
4. Log in as a user that maps to the 'Monitor' role
5. Invoke the 'write-attribute' operation for some writable attribute. The operation will fail due to insufficient permissions.
6. Check the audit log.

Actual results:

The attempted write will not appear in the log.

Expected results:

The attempted write appears in the log.

Additional info:

This is because audit logging uses the controller lock to find out if the model was a write operation. If rbac is enabled and an operation is not authorized, the error happens before the controller lock is taken. So if audit log log-read-only="false" the failed operation does not get logged.
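One way to carry out step 6 against a file audit log, as an added example that is not part of this report or of EAP itself: it parses the EAP 6 file audit-log layout (a `<timestamp> - {` header line followed by a JSON record closed by a `}` at column 0), lists every failed write operation, and marks those recorded with `"r/o" : true` as the misclassification described for log-read-only=true. The sample log and the set of write operation names are constructed for the example; the record fields used (`r/o`, `user`, `success`, `ops`, `operation`) are the ones standard EAP audit records carry.

```python
import json
import re

# Operation names that modify the management model (constructed list).
WRITE_OPS = {"write-attribute", "undefine-attribute", "add", "remove"}
# One record = "<timestamp> - {" then JSON closed by "}" at column 0.
RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<body>\{.*?^\})",
    re.M | re.S)

def parse_audit_log(text):
    """Return (timestamp, record) pairs; record is the parsed JSON object."""
    return [(m.group("ts"), json.loads(m.group("body")))
            for m in RECORD_RE.finditer(text)]

def find_denied_writes(records):
    """List (timestamp, user, op, status) for every failed write operation.
    status is "misclassified-read" when the record carries "r/o": true,
    the symptom the report describes for log-read-only=true; else "ok"."""
    out = []
    for ts, rec in records:
        if rec.get("success", True):
            continue
        for op in rec.get("ops", []):
            name = op.get("operation")
            if name in WRITE_OPS:
                status = "misclassified-read" if rec.get("r/o") else "ok"
                out.append((ts, rec.get("user"), name, status))
    return out

def denied_write_logged(records, user, op):
    """Step 6 of the report: does the denied write by `user` appear at all?"""
    return any(u == user and o == op for _, u, o, _ in find_denied_writes(records))

# Constructed sample: a Monitor-role user is denied a write, then reads.
SAMPLE_LOG = """\
2014-04-29 01:07:43 - {
"type" : "core", "r/o" : true, "booting" : false, "version" : "x.y.z",
"user" : "monitor1", "domainUUID" : null, "access" : "NATIVE",
"remote-address" : "127.0.0.1/127.0.0.1", "success" : false,
"ops" : [{"address" : [{"subsystem" : "logging"}], "operation" : "write-attribute",
"name" : "add-logging-api-dependencies", "value" : false}]
}
2014-04-29 01:08:10 - {
"type" : "core", "r/o" : true, "booting" : false, "version" : "x.y.z",
"user" : "monitor1", "domainUUID" : null, "access" : "NATIVE",
"remote-address" : "127.0.0.1/127.0.0.1", "success" : true,
"ops" : [{"address" : [{"subsystem" : "logging"}], "operation" : "read-resource"}]
}
"""
```

On an affected server with log-read-only=false the denied write would simply be absent, so `denied_write_logged` returning False is the bug's signature; on a fixed server it returns True with status "ok".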

Comment 4 Scott Mumford 2014-05-14 02:17:23 UTC
Refactored release note text for this as a Known Issue (ER4 fixes will not be picked up in the 6.3.0 Beta release)

Original note included here for use at 6.3.0 GA:

Previous versions of JBoss EAP 6 did not log a "write" operation invoked by an unauthorized user if the "log-read-only attribute" on the management audit-logging resource was set as 'false'.

This was because the audit-logging resource used a controller lock to determine whether an operation should be reported as a "write" operation in the log. When role based access control (RBAC) was enabled and an unauthorized operation was performed, the error happened before the controller lock was taken.

As a result, unauthorized write operations were not reported in the audit log if "log-read-only" was set as false. If "log-read-only" was set as true, the log record incorrectly stated the operation as a "read" operation.

In this release, the controller lock is not used as the indication that the operation is a "write" operation.

This results in correct logging of all unauthorized "write" operations in management audit log.

Comment 6 Zbyněk Roubalík 2014-05-16 10:12:01 UTC
Verified on EAP 6.3.0.ER4