Bug 1017851 - Some topics are missing completely in the RBAC documentation
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Documentation
Severity: high
: post-GA
: EAP 6.4.2
Assigned To: David Michael
Ladislav Thon
: Documentation, Triaged
Blocks: 1013506
Reported: 2013-10-10 11:43 EDT by Ladislav Thon
Modified: 2015-07-07 01:16 EDT
Doc Type: Bug Fix
Build Name: 14874, Administration and Configuration Guide-6.2-1 Build Date: 10-10-2013 14:56:59 Topic ID: 23145-541286 [Latest]
Last Closed: 2015-07-07 01:16:21 EDT
Type: Bug
Description Ladislav Thon 2013-10-10 11:43:40 EDT
Title: About Role-Based Access Control (RBAC)

Filing this under chapter 10.8.1, but it's actually about the entire chapter 10.8.

Describe the issue:

There are some topics that are completely missing from the RBAC documentation. Here's the list (and I know that you are aware of some):

- configuring scoped roles
- configuring constraints
- configuring authorization (assigning groups to users) using properties files and LDAP in management interface (both are new in EAP 6.2, I believe)
- JMX?
Comment 2 John Doyle 2013-10-14 10:50:41 EDT
We should prioritize documentation for these subjects in the console, not in the CLI.

JMX is not planned as tech preview, it is planned as fully supported.
Comment 5 Ladislav Thon 2013-10-16 03:23:22 EDT
Regarding the chapter 10.8.9. Managing Roles:

This chapter used to have subchapters that describe how to perform various tasks using CLI. They are now missing and only the subchapters dealing with the console remain.

CLI is a vital tool that is for some users (esp. power users) much easier to use than the web console. Also, it provides for task automation, which is something you just can't achieve with the console, yet is very much needed in the daily life of an administrator.

Therefore, I believe that the CLI information should be added back.

Darrin agreed to provide the CLI docs for GA, just not for beta, which I'm fine with.
Comment 6 Ladislav Thon 2013-11-04 08:01:41 EST
It is mentioned in the bug description, but I'll reiterate, based on the feedback on wildfly-rbac@, that we need some documentation for configuring authorization against LDAP. Here are some details:

1. We should already have documentation for _authentication_ against LDAP (didn't check). It should describe that it's possible to add something like this to the XML (I'm speaking about XML because I believe that it's much more likely to be configured offline rather than online):

        <local .../>
        <ldap connection="ldap" base-dn="ou=Users,dc=wildfly,dc=org" user-dn="dn">
            <username-filter attribute="uid"/>
        </ldap>

2. What's new is _authorization_ against LDAP. That should describe these things:

2.1 how to configure username to DN conversion (if the user was authenticated against LDAP too, then the conversion is not necessary as the DN is already known, but it's needed in other cases)

2.2 how to configure searching groups for given user (it's possible to configure two kinds of this lookup: either the group object contains a "member" attribute listing all members of the group, or the user object contains a "group" attribute listing all groups the user is a member of)

In XML, it looks like this:

        <ldap connection="ldap">
            <username-to-dn force="false"> <!-- 2.1 -->
                <username-filter base-dn="ou=Users,dc=wildfly,dc=org" user-dn-attribute="dn" attribute="uid" />
            </username-to-dn>
            <group-search group-name="SIMPLE" group-dn-attribute="dn" group-name-attribute="cn"> <!-- 2.2 -->
                <!-- EITHER THIS ONE -->
                <group-to-principal base-dn="ou=Groups,dc=wildfly,dc=org" search-by="DISTINGUISHED_NAME"> <!-- 2.2, first possibility -->
                    <membership-filter principal-attribute="member"/>
                </group-to-principal>
                <!-- OR THIS ONE -->
                <principal-to-group group-attribute="group"/> <!-- 2.2, second possibility -->
            </group-search>
        </ldap>

These are examples I used for testing. Community documentation is at (the Authorization section is missing at the moment, but Darran said he's working on it now, so it should be available soon).
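
The lookups described in points 2.1 and 2.2 of comment 6, modelled in Python over a constructed in-memory directory; this is an added example, not code from the bug report or from WildFly/EAP. Function names are hypothetical, keyword arguments mirror the XML attributes above, and the sample entries are built so that the two group-search options return different groups for the same user.

```python
# Constructed sample directory (DN -> attributes); not data from the bug report.
USERS, GROUPS = "ou=Users,dc=wildfly,dc=org", "ou=Groups,dc=wildfly,dc=org"
ALICE, BOB = f"uid=alice,{USERS}", f"uid=bob,{USERS}"
DIRECTORY = {
    ALICE: {"uid": ["alice"], "group": [f"cn=Admins,{GROUPS}"]},
    BOB: {"uid": ["bob"], "group": []},
    f"cn=Admins,{GROUPS}": {"cn": ["Admins"], "member": [ALICE]},
    # Ops lists both users as members, but neither user entry points back at it.
    f"cn=Ops,{GROUPS}": {"cn": ["Ops"], "member": [ALICE, BOB]},
}


def _under(dn, base_dn):
    """True if dn sits below base_dn (simplified, case-insensitive suffix match)."""
    return dn.lower().endswith("," + base_dn.lower())


def username_to_dn(username, base_dn=USERS, attribute="uid"):
    """Step 2.1: resolve a login name to exactly one DN, or refuse."""
    hits = [dn for dn, attrs in DIRECTORY.items()
            if _under(dn, base_dn) and username in attrs.get(attribute, [])]
    if len(hits) != 1:  # unknown or ambiguous name: fail closed, assign no groups
        raise LookupError(f"{username!r} matched {len(hits)} entries")
    return hits[0]


def group_to_principal(user_dn, base_dn=GROUPS, principal_attribute="member",
                       group_name_attribute="cn"):
    """Step 2.2, first option: search group entries that list the user's DN."""
    return sorted(attrs[group_name_attribute][0] for dn, attrs in DIRECTORY.items()
                  if _under(dn, base_dn) and user_dn in attrs.get(principal_attribute, []))


def principal_to_group(user_dn, group_attribute="group", group_name_attribute="cn"):
    """Step 2.2, second option: follow the group DNs stored on the user entry."""
    group_dns = DIRECTORY[user_dn].get(group_attribute, [])
    return sorted(DIRECTORY[dn][group_name_attribute][0]
                  for dn in group_dns if dn in DIRECTORY)


if __name__ == "__main__":
    for name in ("alice", "bob"):
        dn = username_to_dn(name)
        print(name, group_to_principal(dn), principal_to_group(dn))
```

When group names feed role mappings, the side of the directory that is kept authoritative (the group's member list or the user's group list) decides which roles a user ends up with.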
