Accessing Runtime - Subsystems - JNDI View will raise an Auth error for roles with lower permissions than administrator (or scoped version)
Note that this is deliberate on the server side. JNDI bindings reveal sensitive information, such as security domain names. There is a sensitivity classification for this:

[standalone@localhost:9999 /] cd /core-service=management/access=authorization/constraint=sensitivity-classification/type=naming/classification=jndi-view
[standalone@localhost:9999 classification=jndi-view] :read-resource(recursive=true)
{
    "outcome" => "success",
    "result" => {
        "configured-requires-addressable" => undefined,
        "configured-requires-read" => undefined,
        "configured-requires-write" => undefined,
        "default-requires-addressable" => false,
        "default-requires-read" => true,
        "default-requires-write" => true,
        "applies-to" => {"/subsystem=naming" => {
            "address" => "/subsystem=naming",
            "attributes" => [],
            "entire-resource" => false,
            "operations" => ["jndi-view"]
        }}
    }
}
@Brian: However, the user should not be informed about that in the form of a server error. Either make the page inaccessible for him or (as on other restricted pages) inform about it through the usual popup.
@Jakub: Agreed. My Comment #1 was intended as background info only.
@Jakub That's something I'll look into.
Heiko Braun <ike.braun> made a comment on jira HAL-219

{noformat}
[domain@localhost:9999 /] /host=master/server=server-one/subsystem=naming:jndi-view(){roles=operator}
{
    "outcome" => "failed",
    "result" => undefined,
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'jndi-view' for resource '[(\"subsystem\" => \"naming\")]' -- \"JBAS013475: Permission denied\"",
    "rolled-back" => true
}
{noformat}
Heiko Braun <ike.braun> made a comment on jira HAL-219

Seems to be a real permission problem, not a UI issue:

{noformat}
[domain@localhost:9999 /] /host=master/server=server-one/subsystem=naming:jndi-view(){roles=operator}
{
    "outcome" => "failed",
    "result" => undefined,
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'jndi-view' for resource '[(\"subsystem\" => \"naming\")]' -- \"JBAS013475: Permission denied\"",
    "rolled-back" => true
}
{noformat}
Heiko Braun <ike.braun> made a comment on jira HAL-219

Jakub: However, the user should not be informed about that in the form of a server error. Either make the page inaccessible for him or (as on other restricted pages) inform about it through the usual popup.
Brian Stansberry <brian.stansberry> made a comment on jira HAL-219

Heiko: Operator should not be expected to be able to use this op without a change to the settings on the naming subsystem's sensitivity classification "jndi-view". JNDI bindings reveal sensitive information, such as security domain names. The sensitivity classification for this:

[standalone@localhost:9999 /] cd /core-service=management/access=authorization/constraint=sensitivity-classification/type=naming/classification=jndi-view
[standalone@localhost:9999 classification=jndi-view] :read-resource(recursive=true)
{
    "outcome" => "success",
    "result" => {
        "configured-requires-addressable" => undefined,
        "configured-requires-read" => undefined,
        "configured-requires-write" => undefined,
        "default-requires-addressable" => false,
        "default-requires-read" => true,
        "default-requires-write" => true,
        "applies-to" => {"/subsystem=naming" => {
            "address" => "/subsystem=naming",
            "attributes" => [],
            "entire-resource" => false,
            "operations" => ["jndi-view"]
        }}
    }
}
Heiko Braun <ike.braun> updated the status of jira HAL-219 to Resolved
Moving back to ASSIGNED (https://docspace.corp.redhat.com/docs/DOC-154626). There's no PR to eap 6.x github repo https://github.com/jbossas/jboss-eap/
The umbrella issue 1014047 is available now.
Verified 6.2.0.ER5