Bug 1092203
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Not authorized write operation does not get audit logged if log-read-only="false" | | |
| Product | [JBoss] JBoss Enterprise Application Platform 6 | Reporter | Brian Stansberry <brian.stansberry> |
| Component | Domain Management | Assignee | Brian Stansberry <brian.stansberry> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Ondrej Lukas <olukas> |
| Severity | unspecified | Docs Contact | Nidhi <nsriniva> |
| Priority | unspecified | | |
| Version | 6.2.0 | CC | emuckenh, kkhan, myarboro, nsriniva, smumford, zroubali |
| Target Milestone | ER4 | | |
| Target Release | EAP 6.3.0 | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
Doc Text:

Previous versions of JBoss EAP 6 contained a bug that prevented the logging of a "write" operation invoked by an unauthorized user if the "log-read-only" attribute on the management audit-logging resource was set to `false`.

This was because the model controller used "acquisition of the controller lock" as the condition for deciding whether an operation should be reported as a "write" operation in the log. When role-based access control (RBAC) was enabled and an unauthorized operation was attempted, the authorization error occurred before the controller lock was taken.

As a result, unauthorized write operations were not reported in the audit log if "log-read-only" was set to `false`. If "log-read-only" was set to `true`, the log record incorrectly described the operation as a "read" operation.

This issue has been resolved in this release of the product.
| Field | Value | Field | Value |
|---|---|---|---|
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2014-06-28 15:42:14 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description (Brian Stansberry, 2014-04-29 01:07:43 UTC)

Refactored release note text for this as a Known Issue (ER4 fixes will not be picked up in the 6.3.0 Beta release). Original note included here for use at 6.3.0 GA:

Previous versions of JBoss EAP 6 did not log a "write" operation invoked by an unauthorized user if the "log-read-only attribute" on the management audit-logging resource was set as 'false'. This was because the audit-logging resource used a controller lock to determine whether an operation should be reported as a "write" operation in the log. When role based access control (RBAC) was enabled and an unauthorized operation was performed, the error happened before the controller lock was taken. As a result, unauthorized write operations were not reported in the audit log if "log-read-only" was set as false. If "log-read-only" was set as true, the log record incorrectly stated the operation as a "read" operation. In this release, the controller lock is not used with the indication that the operation is a "write" operation. This results in correct logging of all unauthorized "write" operations in management audit log.

Verified on EAP 6.3.0.ER4
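The logging decision described in the Doc Text and the note above, modelled in Python as an added illustration (this is not JBoss EAP code; `Operation`, `AuditLogger`, `execute_buggy` and `execute_fixed` are hypothetical names). The pre-fix path infers "write" from whether the controller lock was acquired, so an RBAC denial raised before the lock is taken either drops the record or mis-types it as a read; the fixed path takes the write flag from the operation itself.

```python
# Simplified model of a management audit logger. Constructed for illustration;
# none of these names come from JBoss EAP.
from dataclasses import dataclass, field


@dataclass
class Operation:
    name: str
    is_write: bool      # from the operation descriptor (used by the fixed path)
    authorized: bool    # outcome of the RBAC check


@dataclass
class AuditLogger:
    log_read_only: bool
    records: list = field(default_factory=list)

    def record(self, op, outcome, is_write):
        """Append an audit record unless it is a read and reads are not logged."""
        if not is_write and not self.log_read_only:
            return None
        entry = {"operation": op.name, "outcome": outcome,
                 "type": "write" if is_write else "read"}
        self.records.append(entry)
        return entry


def execute_buggy(logger, op):
    """Pre-fix: 'write' is inferred from whether the controller lock was acquired."""
    lock_acquired = False
    try:
        if not op.authorized:
            # RBAC denial fires before the lock is taken, so lock_acquired stays False
            raise PermissionError(f"{op.name}: not authorized")
        if op.is_write:
            lock_acquired = True    # lock is only taken on the write path
        outcome = "success"
    except PermissionError:
        outcome = "failed"
    return logger.record(op, outcome, is_write=lock_acquired)


def execute_fixed(logger, op):
    """Post-fix: 'write' comes from the operation descriptor, independent of the lock."""
    try:
        if not op.authorized:
            raise PermissionError(f"{op.name}: not authorized")
        outcome = "success"
    except PermissionError:
        outcome = "failed"
    return logger.record(op, outcome, is_write=op.is_write)
```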