Red Hat Bugzilla – Bug 1018738
RBAC Additional scoped role and role mapping integrity checking of the management model.
Last modified: 2014-05-26 21:30:00 EDT
When creating a role mapping through the CLI using a non-formal role name like "AUDITOR", that role name is used as-is in the persistent configuration:
The persistent configuration should map non-formal role names to formal role names, as other management clients (the console) rely on the formal names.
Darran Lofthouse <firstname.lastname@example.org> updated the status of jira WFLY-2295 to Resolved
Darran Lofthouse <email@example.com> made a comment on jira WFLY-2295
For WFLY-2270 the underlying issue there was that role mappings could exist that do not correspond to either a standard role or a scoped role. The solution on that issue is:
- Only accept role mappings where the name specified is equal, using a case-sensitive comparison, to either a standard role or to a previously defined scoped role.
- At the same time we will also prevent the removal of a scoped role if the role mapping still exists.
As a result it will no longer be possible to define roles in the CLI that do not use the formal role names.
Darran Lofthouse <firstname.lastname@example.org> made a comment on jira WFLY-2270
Also adding the following checks:
1 - Ensure a scoped role is not a duplicate, taking into account host scoped roles, server group scoped roles and the standard roles with a case-insensitive check.
2 - The base-role for a scoped role needs to be a standard role; if the user entered the role using an alternative case style, it should be converted in the model to the formal style.
Proposing that the additional verification is added to EAP 6.2; without the verification it is possible to define configuration that breaks the server by locking out authenticated users.
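The checks described for WFLY-2270 and WFLY-2295 above, as an added Python model (not the WildFly/EAP code): the standard role names are WildFly's RBAC roles, while RbacModel, RoleMappingError and their methods are constructed here for illustration.

```python
"""Toy model of the RBAC integrity checks described in WFLY-2270/WFLY-2295.
Added illustration, not the WildFly/EAP implementation; STANDARD_ROLES are
the WildFly RBAC standard role names, everything else is constructed."""

STANDARD_ROLES = ("Monitor", "Operator", "Maintainer", "Deployer",
                  "Auditor", "Administrator", "SuperUser")


class RoleMappingError(ValueError):
    """Raised when an operation would leave the model inconsistent."""


class RbacModel:
    def __init__(self):
        # scoped role name -> formal base role; host and server-group scoped
        # roles share one namespace, so one dict covers both
        self.scoped_roles = {}
        self.role_mappings = set()

    def _all_role_names(self):
        return list(STANDARD_ROLES) + list(self.scoped_roles)

    def add_scoped_role(self, name, base_role):
        # Check 1: no duplicates, compared case-insensitively against the
        # standard roles and every existing scoped role.
        if name.lower() in (r.lower() for r in self._all_role_names()):
            raise RoleMappingError("duplicate scoped role: %s" % name)
        # Check 2: base-role must be a standard role; a variant such as
        # "auditor" is stored under its formal name "Auditor".
        formal = next((r for r in STANDARD_ROLES
                       if r.lower() == base_role.lower()), None)
        if formal is None:
            raise RoleMappingError("base-role is not standard: %s" % base_role)
        self.scoped_roles[name] = formal
        return formal

    def add_role_mapping(self, name):
        # WFLY-2270: the name must equal, case-sensitively, a standard role or
        # a defined scoped role, so "AUDITOR" is rejected, not persisted as-is.
        if name not in self._all_role_names():
            raise RoleMappingError("unknown role: %s" % name)
        self.role_mappings.add(name)

    def remove_scoped_role(self, name):
        # A scoped role cannot be removed while a mapping still refers to it.
        if name in self.role_mappings:
            raise RoleMappingError("mapping still exists for: %s" % name)
        self.scoped_roles.pop(name)
```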
Yes, Darran, it was my intent that your work on this would be backported as part of this BZ.
Verified with EAP 6.2.0.ER7.