Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1017851

Summary: Some topics are missing completely in the RBAC documentation
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Ladislav Thon <lthon>
Component: DocumentationAssignee: David Michael <dmichael>
Status: CLOSED WONTFIX QA Contact: Ladislav Thon <lthon>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.2.0CC: dmichael, hbraun, jdoyle
Target Milestone: post-GAKeywords: Documentation, Triaged
Target Release: EAP 6.4.2   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Build Name: 14874, Administration and Configuration Guide-6.2-1 Build Date: 10-10-2013 14:56:59 Topic ID: 23145-541286 [Latest]
Last Closed: 2015-07-07 05:16:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1013506    

Description Ladislav Thon 2013-10-10 15:43:40 UTC 
Title: About Role-Based Access Control (RBAC)

Filing this under chapter 10.8.1, but it's actually about the entire chapter 10.8.

Describe the issue:

There are some topics that are completely missing from the RBAC documentation. Here's the list (and I know that you are aware of some):

- configuring scoped roles
- configuring constraints
- configuring authorization (assigning groups to users) using properties files and LDAP in management interface (both are new in EAP 6.2, I believe)
- JMX?
Comment 2 John Doyle 2013-10-14 14:50:41 UTC 
We should prioritize documentation for these subjects in the console, not in the CLI.

JMX is not planned as tech preview, it is planned as fully supported.
Comment 5 Ladislav Thon 2013-10-16 07:23:22 UTC 
Regarding the chapter 10.8.9. Managing Roles:

This chapter used to have subchapters that describe how to perform various tasks using CLI. They are now missing and only the subchapters dealing with the console remain.

CLI is a vital tool that is for some users (esp. power users) much easier to use than the web console. Also, it provides for task automation, which is something you just can't achieve with the console, yet is very much needed in the daily life of an administrator.

Therefore, I believe that the CLI informations should be added back.

Darrin agreed to provide the CLI docs for GA, just not for beta, which I'm fine with.
Comment 6 Ladislav Thon 2013-11-04 13:01:41 UTC 
It is mentioned in the bug description, but I'll reiterate, based on the feedback on wildfly-rbac@, that we need some documentation for configuring authorization against LDAP. Here are some details:

1. We should already have documentation for _authentication_ against LDAP (didn't check). It should describe that it's possible to add something like this to the XML (I'm speaking about XML because I believe that it's much more likely to be configured offline rather than online):

    <authentication>
        <local .../>
        <ldap connection="ldap" base-dn="ou=Users,dc=wildfly,dc=org" user-dn="dn">
            <username-filter attribute="uid"/>
        </ldap>
    </authentication>

2. What's new is _authorization_ against LDAP. That should describe these things:

2.1 how to configure username to DN conversion (if the user was authenticated against LDAP too, then the conversion is not necessary as the DN is already known, but it's needed in other cases)

2.2 how to configure searching groups for given user (it's possible to configure two kinds of this lookup: either the group object contains a "member" attribute listing all members of the group, or the user object contains a "group" attribute listing all groups the user is member of)

In XML, it looks like this:

    <authorization>
        <ldap connection="ldap">
            <username-to-dn force="false"> <!-- 2.1 -->
                <username-filter base-dn="ou=Users,dc=wildfly,dc=org" user-dn-attribute="dn" attribute="uid" />
            </username-to-dn>
            <group-search group-name="SIMPLE" group-dn-attribute="dn" group-name-attribute="cn"> <!-- 2.2 -->
                <!-- EITHER THIS ONE -->
                <group-to-principal base-dn="ou=Groups,dc=wildfly,dc=org" search-by="DISTINGUISHED_NAME"> <!-- 2.2, first possibility -->
                    <membership-filter principal-attribute="member"/>
                </group-to-principal>
                <!-- OR THIS ONE -->
                <principal-to-group group-attribute="group"/> <!-- 2.2, second possibility -->
            </group-search>
        </ldap>
    </authorization>

These are examples I used for testing. Community documentation is at https://community.jboss.org/wiki/LDAPSecurityRealmExamples (the Authorization section is missing at the moment, but Darran said he's working on it now, so it should be available soon).