Bug 1012588 - RBAC: Authorization error on access to JNDI View
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web Console
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ER4
Target Release: EAP 6.2.0
Assigned To: Heiko Braun
QA Contact: Jakub Cechacek
Docs Contact: Russell Dickenson
Blocks: 1014047
Reported: 2013-09-26 12:56 EDT by Jakub Cechacek
Modified: 2013-12-15 11:18 EST (History)

Doc Type: Bug Fix
Last Closed: 2013-12-15 11:18:29 EST
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker HAL-219 Major Resolved Authorization error on access to JNDI View 2013-11-21 17:47:41 EST
Description Jakub Cechacek 2013-09-26 12:56:18 EDT
Accessing Runtime - Subsystems - JNDI View will raise an Auth error for roles with lower permissions than administrator (or scoped version)
Comment 1 Brian Stansberry 2013-09-26 13:10:03 EDT
Note that this is deliberate on the server side. JNDI bindings reveal sensitive information, such as security domain names.

There is a sensitivity classification for this:

[standalone@localhost:9999 /] cd /core-service=management/access=authorization/constraint=sensitivity-classification/type=naming/classification=jndi-view
[standalone@localhost:9999 classification=jndi-view] :read-resource(recursive=true)
{
    "outcome" => "success",
    "result" => {
        "configured-requires-addressable" => undefined,
        "configured-requires-read" => undefined,
        "configured-requires-write" => undefined,
        "default-requires-addressable" => false,
        "default-requires-read" => true,
        "default-requires-write" => true,
        "applies-to" => {"/subsystem=naming" => {
            "address" => "/subsystem=naming",
            "attributes" => [],
            "entire-resource" => false,
            "operations" => ["jndi-view"]
        }}
    }
}
Comment 2 Jakub Cechacek 2013-09-26 13:44:53 EDT
@Brian: However, the user should not be informed about that in the form of a server error. Either make the page inaccessible for him or (as on other restricted pages) inform about it through the usual popup.
Comment 3 Brian Stansberry 2013-09-26 18:05:17 EDT
@Jakub: Agreed. My Comment #1 was intended as background info only.
Comment 4 Heiko Braun 2013-09-27 01:34:38 EDT
@Jakub That's something I'll look into.
Comment 5 JBoss JIRA Server 2013-09-27 07:57:56 EDT
Heiko Braun <ike.braun@googlemail.com> made a comment on jira HAL-219

{noformat}
[domain@localhost:9999 /] /host=master/server=server-one/subsystem=naming:jndi-view(){roles=operator}
{
    "outcome" => "failed",
    "result" => undefined,
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'jndi-view' for resource '[(\"subsystem\" => \"naming\")]' -- \"JBAS013475: Permission denied\"",
    "rolled-back" => true
}
{noformat}
Comment 6 JBoss JIRA Server 2013-09-27 07:58:17 EDT
Heiko Braun <ike.braun@googlemail.com> made a comment on jira HAL-219

Seems to be a real permission problem, not a UI issue:


{noformat}
[domain@localhost:9999 /] /host=master/server=server-one/subsystem=naming:jndi-view(){roles=operator}
{
    "outcome" => "failed",
    "result" => undefined,
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'jndi-view' for resource '[(\"subsystem\" => \"naming\")]' -- \"JBAS013475: Permission denied\"",
    "rolled-back" => true
}
{noformat}
Comment 7 JBoss JIRA Server 2013-09-27 07:59:06 EDT
Heiko Braun <ike.braun@googlemail.com> made a comment on jira HAL-219

Jakub:

However, the user should not be informed about that in the form of a server error.
Either make the page inaccessible for him or (as on other restricted pages)
inform about it through the usual popup.
Comment 8 JBoss JIRA Server 2013-09-27 09:48:52 EDT
Brian Stansberry <brian.stansberry@redhat.com> made a comment on jira HAL-219

Heiko:

Operator should not be expected to be able to use this op without a change to the settings on the naming subsystem's sensitivity classification "jndi-view". JNDI bindings reveal sensitive information, such as security domain names.

The sensitivity classification for this:

[standalone@localhost:9999 /] cd /core-service=management/access=authorization/constraint=sensitivity-classification/type=naming/classification=jndi-view
[standalone@localhost:9999 classification=jndi-view] :read-resource(recursive=true)
{
    "outcome" => "success",
    "result" => {
        "configured-requires-addressable" => undefined,
        "configured-requires-read" => undefined,
        "configured-requires-write" => undefined,
        "default-requires-addressable" => false,
        "default-requires-read" => true,
        "default-requires-write" => true,
        "applies-to" => {"/subsystem=naming" => {
            "address" => "/subsystem=naming",
            "attributes" => [],
            "entire-resource" => false,
            "operations" => ["jndi-view"]
        }}
    }
}
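The decision Brian describes in Comment 1 and Comment 8 (a sensitivity classification whose effective requires-read flag is the configured value when set, otherwise the default, and which only Administrator, Auditor and SuperUser satisfy) can be modelled as a small check, together with the console-side detection Jakub asks for of a JBAS013456 denial. This is an added, simplified model written for this page, not EAP's own authorization code; the role sets are the EAP 6.2 standard roles and the classification dict is constructed from the CLI output above.

```python
from typing import Optional

# Standard EAP 6.2 roles allowed to read data marked sensitive (requires-read).
SENSITIVE_READ_ROLES = {"Administrator", "Auditor", "SuperUser"}
# All standard roles; Monitor/Operator/Maintainer/Deployer may only read non-sensitive data.
STANDARD_ROLES = {"Monitor", "Operator", "Maintainer", "Deployer"} | SENSITIVE_READ_ROLES

# Classification as reported by the CLI above (constructed from that output; None == undefined).
JNDI_VIEW_CLASSIFICATION = {
    "configured-requires-read": None,
    "default-requires-read": True,
    "applies-to": {
        "/subsystem=naming": {"entire-resource": False, "operations": ["jndi-view"]},
    },
}


def effective_requires_read(classification: dict) -> bool:
    """'configured-requires-read' overrides 'default-requires-read' when it is defined."""
    configured: Optional[bool] = classification.get("configured-requires-read")
    return configured if configured is not None else classification["default-requires-read"]


def may_invoke_read_only_op(role: str, op: str, classification: dict) -> bool:
    """Whether `role` may run a read-only operation such as jndi-view under `classification`."""
    if role not in STANDARD_ROLES:
        return False
    # The constraint applies if the whole resource is covered or the op is listed explicitly.
    covered = any(
        entry.get("entire-resource") or op in entry.get("operations", [])
        for entry in classification["applies-to"].values()
    )
    if covered and effective_requires_read(classification):
        return role in SENSITIVE_READ_ROLES
    return True  # non-sensitive read-only operations are open to every standard role


def is_authorization_failure(response: dict) -> bool:
    """Console-side check: a JBAS013456 failure is an RBAC denial, not a generic server error."""
    if response.get("outcome") != "failed":
        return False
    return str(response.get("failure-description", "")).startswith("JBAS013456")


if __name__ == "__main__":
    print("Operator may run jndi-view:", may_invoke_read_only_op("Operator", "jndi-view", JNDI_VIEW_CLASSIFICATION))
```

With `configured-requires-read` set to `False` the same check lets Operator through, which is the configuration change Comment 8 refers to.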
Comment 9 JBoss JIRA Server 2013-09-30 08:44:46 EDT
Heiko Braun <ike.braun@googlemail.com> updated the status of jira HAL-219 to Resolved
Comment 10 Vladimir Dosoudil 2013-10-01 08:07:18 EDT
Moving back to ASSIGNED (https://docspace.corp.redhat.com/docs/DOC-154626).
There's no PR to the eap 6.x github repo https://github.com/jbossas/jboss-eap/
Comment 11 Vladimir Dosoudil 2013-10-01 08:48:59 EDT
The umbrella issue 1014047 is available now.
Comment 15 Jakub Cechacek 2013-10-09 04:00:49 EDT
Verified 6.2.0.ER5