Red Hat Bugzilla – Bug 1017851
Some topics are missing completely in the RBAC documentation
Last modified: 2015-07-07 01:16:21 EDT
Title: About Role-Based Access Control (RBAC)
Filing this under chapter 10.8.1, but it's actually about the entire chapter 10.8.
Describe the issue:
There are some topics that are completely missing from the RBAC documentation. Here's the list (and I know that you are aware of some):
- configuring scoped roles
- configuring constraints
- configuring authorization (assigning groups to users) using properties files and LDAP in management interface (both are new in EAP 6.2, I believe)
We should prioritize documentation for these subjects in the console, not in the CLI.
JMX is not planned as tech preview; it is planned as fully supported.
Regarding the chapter 10.8.9. Managing Roles:
This chapter used to have subchapters that describe how to perform various tasks using CLI. They are now missing and only the subchapters dealing with the console remain.
CLI is a vital tool that is for some users (esp. power users) much easier to use than the web console. Also, it provides for task automation, which is something you just can't achieve with the console, yet is very much needed in the daily life of an administrator.
Therefore, I believe the CLI information should be added back.
Darrin agreed to provide the CLI docs for GA, just not for beta, which I'm fine with.
It is mentioned in the bug description, but I'll reiterate, based on the feedback on wildfly-rbac@, that we need some documentation for configuring authorization against LDAP. Here are some details:
1. We should already have documentation for _authentication_ against LDAP (didn't check). It should describe that it's possible to add something like this to the XML (I'm speaking about XML because I believe that it's much more likely to be configured offline rather than online):
<ldap connection="ldap" base-dn="ou=Users,dc=wildfly,dc=org" user-dn="dn">
    <!-- child elements (user filter) omitted here -->
</ldap>
2. What's new is _authorization_ against LDAP. That should describe these things:
2.1 how to configure username to DN conversion (if the user was authenticated against LDAP too, then the conversion is not necessary as the DN is already known, but it's needed in other cases)
2.2 how to configure searching groups for given user (it's possible to configure two kinds of this lookup: either the group object contains a "member" attribute listing all members of the group, or the user object contains a "group" attribute listing all groups the user is member of)
In XML, it looks like this:
<username-to-dn force="false"> <!-- 2.1 -->
    <username-filter base-dn="ou=Users,dc=wildfly,dc=org" user-dn-attribute="dn" attribute="uid"/>
</username-to-dn>
<group-search group-name="SIMPLE" group-dn-attribute="dn" group-name-attribute="cn"> <!-- 2.2 -->
    <!-- EITHER THIS ONE -->
    <group-to-principal base-dn="ou=Groups,dc=wildfly,dc=org" search-by="DISTINGUISHED_NAME"> <!-- 2.2, first possibility -->
        <!-- child elements (membership filter) omitted here -->
    </group-to-principal>
    <!-- OR THIS ONE -->
    <principal-to-group group-attribute="group"/> <!-- 2.2, second possibility -->
</group-search>
These are examples I used for testing. Community documentation is at https://community.jboss.org/wiki/LDAPSecurityRealmExamples (the Authorization section is missing at the moment, but Darran said he's working on it now, so it should be available soon).
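To make the two group-search modes from point 2.2 (and the force="false" behaviour from point 2.1) concrete, here is an added Python model that runs both lookups over a small constructed in-memory directory. It is not WildFly/EAP code and is not part of this bug; the entry DNs, the attribute names ("uid", "member", "group", "cn") and the function names are assumptions chosen to mirror the XML above. The directory deliberately contains one user (carol) whose own "group" attribute and the groups' "member" attributes disagree, so the two modes return different answers for her.

```python
"""Toy model of WildFly-style LDAP authorization lookups (added example, not WildFly code).

Models: <username-to-dn force=...> with <username-filter>, <group-to-principal
search-by="DISTINGUISHED_NAME"> (group entry lists its members) and
<principal-to-group group-attribute="group"> (user entry lists its groups).
The directory below is constructed for the illustration.
"""

USERS_BASE = "ou=Users,dc=wildfly,dc=org"
GROUPS_BASE = "ou=Groups,dc=wildfly,dc=org"

# Constructed sample directory: dn -> {attribute: [values]}
DIRECTORY = {
    "uid=alice,ou=Users,dc=wildfly,dc=org": {
        "uid": ["alice"],
        "group": ["cn=admins,ou=Groups,dc=wildfly,dc=org",
                  "cn=ops,ou=Groups,dc=wildfly,dc=org"],
    },
    "uid=bob,ou=Users,dc=wildfly,dc=org": {
        "uid": ["bob"],
        "group": ["cn=ops,ou=Groups,dc=wildfly,dc=org"],
    },
    # carol claims membership of ops on her own entry, but the ops group
    # does not list her: the two lookup modes will disagree for her.
    "uid=carol,ou=Users,dc=wildfly,dc=org": {
        "uid": ["carol"],
        "group": ["cn=ops,ou=Groups,dc=wildfly,dc=org"],
    },
    "cn=admins,ou=Groups,dc=wildfly,dc=org": {
        "cn": ["admins"],
        "member": ["uid=alice,ou=Users,dc=wildfly,dc=org"],
    },
    "cn=ops,ou=Groups,dc=wildfly,dc=org": {
        "cn": ["ops"],
        "member": ["uid=alice,ou=Users,dc=wildfly,dc=org",
                   "uid=bob,ou=Users,dc=wildfly,dc=org"],
    },
}


def _in_subtree(dn, base_dn):
    """True if dn lies below base_dn (case-insensitive DN comparison)."""
    return dn.lower().endswith("," + base_dn.lower())


def username_to_dn(username, base_dn=USERS_BASE, attribute="uid",
                   known_dn=None, force=False):
    """<username-to-dn force=...> + <username-filter attribute=...>.

    If authentication already yielded the DN and force is False, reuse it;
    otherwise search base_dn for the single entry whose attribute == username.
    """
    if known_dn is not None and not force:
        return known_dn
    matches = [dn for dn, attrs in DIRECTORY.items()
               if _in_subtree(dn, base_dn) and username in attrs.get(attribute, [])]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one entry for {username!r}, got {len(matches)}")
    return matches[0]


def group_to_principal(user_dn, base_dn=GROUPS_BASE, member_attribute="member",
                       group_name_attribute="cn"):
    """<group-to-principal search-by="DISTINGUISHED_NAME">: the group entries are
    authoritative; return names of groups whose member attribute holds user_dn."""
    return sorted(
        attrs[group_name_attribute][0]
        for dn, attrs in DIRECTORY.items()
        if _in_subtree(dn, base_dn)
        and any(m.lower() == user_dn.lower() for m in attrs.get(member_attribute, []))
    )


def principal_to_group(user_dn, group_attribute="group", group_name_attribute="cn"):
    """<principal-to-group group-attribute="group">: the user entry is authoritative;
    its group attribute holds group DNs, each resolved to its name attribute."""
    names = []
    for group_dn in DIRECTORY[user_dn].get(group_attribute, []):
        entry = DIRECTORY.get(group_dn)
        if entry is None:
            continue  # dangling reference: user points at a group that does not exist
        names.append(entry[group_name_attribute][0])
    return sorted(names)


def groups_for(username, mode, authenticated_dn=None):
    """Full authorization path: resolve the DN, then apply the chosen search mode."""
    dn = username_to_dn(username, known_dn=authenticated_dn)
    if mode == "group-to-principal":
        return group_to_principal(dn)
    if mode == "principal-to-group":
        return principal_to_group(dn)
    raise ValueError(f"unknown group-search mode {mode!r}")


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        for mode in ("group-to-principal", "principal-to-group"):
            print(f"{user:6} {mode:19} -> {groups_for(user, mode)}")
```

The point of the carol entry is that the mode is a trust decision, not just a schema choice: with principal-to-group, whoever can write a user's own "group" attribute can grant that user roles, whereas with group-to-principal only whoever controls the group entries can. The example also shows the force="false" case, where a DN already established during LDAP authentication is reused instead of being searched for again.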