Bug 1018738 - RBAC Additional scoped role and role mapping integrity checking of the management model.
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Domain Management
: ER7
: EAP 6.2.0
Assigned To: Darran Lofthouse
Ladislav Thon
Russell Dickenson
Reported: 2013-10-14 06:40 EDT by Harald Pehl
Modified: 2014-05-26 21:30 EDT
Doc Type: Known Issue
Last Closed: 2013-12-15 11:18:36 EST
Type: Bug

External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker WFLY-2270 Major Resolved Lack of model integrity checking regarding role mappings, standard role names and scoped role names. 2017-09-04 20:43 EDT

Description Harald Pehl 2013-10-14 06:40:36 EDT
When creating a role mapping through the CLI using a non-formal role name like "AUDITOR", that role name is used as-is in the persistent configuration: 

cd /core-service=management/access=authorization

The persistent configuration should map non-formal role names to formal role names, as other management clients (the console) rely on the formal names.
Comment 1 JBoss JIRA Server 2013-10-14 06:46:25 EDT
Darran Lofthouse <darran.lofthouse@jboss.com> updated the status of jira WFLY-2295 to Resolved
Comment 2 JBoss JIRA Server 2013-10-14 06:46:25 EDT
Darran Lofthouse <darran.lofthouse@jboss.com> made a comment on jira WFLY-2295

For WFLY-2270 the underlying issue there was that role mappings could exist that do not correspond to either a standard role or to a scoped role. The solution on that issue is:
 - Only accept role mappings where the name specified is equal using a case sensitive comparison to either a standard role or to a previously defined scoped role.
 - At the same time we will also prevent the removal of a scoped role if the role mapping still exists.

As a result it will no longer be possible to define roles in the CLI that do not use the formal role names.
Comment 3 JBoss JIRA Server 2013-10-14 13:54:45 EDT
Darran Lofthouse <darran.lofthouse@jboss.com> made a comment on jira WFLY-2270

Also adding the following checks:
 1 - Ensure a scoped role is not a duplicate, taking into account host scoped roles, server group scoped roles and the standard roles with a case insensitive check.
 2 - The base-role for a scoped role needs to be a standard role - if the user entered the role using an alternative case style it should be converted in the model to the formal style.
Comment 4 Darran Lofthouse 2013-10-15 08:54:28 EDT
Proposing that the additional verification is added to EAP 6.2. Without the verification it is possible to define configuration that breaks the server by locking out authenticated users.
Comment 5 Brian Stansberry 2013-10-15 10:17:58 EDT
Yes, Darran, it was my intent that your work on this would be backported as part of this BZ.
Comment 7 Ladislav Thon 2013-11-06 06:42:24 EST
Verified with EAP 6.2.0.ER7.
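
The checks described in Comments 2 and 3, as an added example that is not part of the original bug report and is not WildFly/EAP code: a small in-memory model in Python. The class and method names are hypothetical, the standard role list is the set of WildFly RBAC standard role names, and host and server-group scoped roles are kept in one table for brevity.

```python
# Added illustration: in-memory model of the integrity checks from Comments 2 and 3.
# AccessModel, IntegrityError and rejected() are hypothetical names, not WildFly/EAP code.
STANDARD_ROLES = ("Monitor", "Operator", "Maintainer", "Deployer",
                  "Administrator", "Auditor", "SuperUser")


class IntegrityError(ValueError):
    """Raised when an operation would leave the access-control model inconsistent."""


class AccessModel:
    def __init__(self):
        self.scoped_roles = {}      # scoped role name -> formal base-role name
        self.role_mappings = set()  # role names that currently have a role mapping

    def add_scoped_role(self, name, base_role):
        # Duplicate check is case-insensitive and spans standard and scoped roles.
        taken = {r.lower() for r in STANDARD_ROLES} | {r.lower() for r in self.scoped_roles}
        if name.lower() in taken:
            raise IntegrityError(f"role name {name!r} duplicates an existing role")
        # base-role must be a standard role; alternative casing is stored in formal style.
        formal = {r.lower(): r for r in STANDARD_ROLES}.get(base_role.lower())
        if formal is None:
            raise IntegrityError(f"base-role {base_role!r} is not a standard role")
        self.scoped_roles[name] = formal

    def add_role_mapping(self, name):
        # Case-sensitive comparison: "AUDITOR" is rejected, "Auditor" is accepted.
        if name not in STANDARD_ROLES and name not in self.scoped_roles:
            raise IntegrityError(f"no standard or scoped role named {name!r}")
        self.role_mappings.add(name)

    def remove_scoped_role(self, name):
        # A scoped role cannot be removed while a role mapping still refers to it.
        if name in self.role_mappings:
            raise IntegrityError(f"role mapping for {name!r} still exists")
        del self.scoped_roles[name]


def rejected(operation, *args):
    """Return True if the model refuses the operation, False if it is applied."""
    try:
        operation(*args)
    except IntegrityError:
        return True
    return False
```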
