Bug 1092203 - Not authorized write operation does not get audit logged if log-read-only="false"
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Domain Management
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ER4
Target Release: EAP 6.3.0
Assigned To: Brian Stansberry
QA Contact: Ondrej Lukas
Docs Contact: Nidhi
Depends On:
Blocks:
Reported: 2014-04-28 21:07 EDT by Brian Stansberry
Modified: 2014-07-03 22:51 EDT (History)
CC: 6 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previous versions of JBoss EAP 6 contained a bug that prevented the logging of a "write" operation invoked by an unauthorized user if the "log-read-only" attribute on the management audit-logging resource was set to `false`. This was because the model controller used acquisition of the controller lock as the condition for deciding whether an operation should be reported as a "write" operation in the log. When role based access control (RBAC) was enabled and an unauthorized operation was performed, the authorization error occurred before the controller lock was taken. As a result, unauthorized write operations were not reported in the audit log if "log-read-only" was set to `false`. If "log-read-only" was set to `true`, the log record incorrectly stated the operation as a "read" operation. This issue has been resolved in this release of the product.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-28 11:42:14 EDT
Type: Bug
Regression: ---
External Trackers
Tracker ID: JBoss Issue Tracker WFLY-2891
Priority: Major
Status: Resolved
Summary: Not authorised write operation does not get audit logged if log-read-only="false"
Last Updated: 2015-09-15 01:36:05 EDT
Description Brian Stansberry 2014-04-28 21:07:43 EDT
Description of problem:

If the log-read-only attribute on the management audit-logging resource is set to 'false' and a user attempts to invoke a write operation but is not authorized, the attempted operation is not logged.

How reproducible:

Always

Steps to Reproduce:
1. Turn on management audit logging.
2. Set the log-read-only attribute on the core-service=management/access=audit resource to 'false'.
3. Switch the access control provider to 'rbac'.
4. Log in as a user that maps to the 'Monitor' role.
5. Invoke the 'write-attribute' operation for some writable attribute. The operation will fail due to insufficient permissions.
6. Check the audit log.

Actual results:

The attempted write will not appear in the log.

Expected results:

The attempted write appears in the log.

Additional info:

This is because audit logging uses the controller lock to find out if the model was a write operation. If rbac is enabled and an operation is not authorized, the error happens before the controller lock is taken. So if the audit log has log-read-only="false", the failed operation does not get logged.
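An added check, not part of this bug report or of EAP itself, for anyone verifying the fix or reviewing an audit log from an affected release: it scans the log for rejected management operations that are writes and flags the "read-only" mislabelling described above (a denied write that is absent altogether is the other symptom and shows up as a missing record). It assumes the record layout used by the EAP/WildFly audit log JSON formatter (a `YYYY-MM-DD HH:MM:SS - ` prefix followed by a JSON object with `r/o`, `success`, `user` and `ops` fields); the sample records are constructed and the set of write operations is an assumption.

```python
import json
import re

# Model-changing operations: an unauthorised attempt at one is still a "write" for
# audit purposes although RBAC rejects it before the lock. (Assumed set.)
WRITE_OPERATIONS = {"write-attribute", "undefine-attribute", "add", "remove",
                    "deploy", "undeploy", "reload", "shutdown"}

# Assumed record layout: "YYYY-MM-DD HH:MM:SS - " followed by a JSON object that
# may span several lines (the non-compact formatter) until the next timestamp.
RECORD_START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - ", re.M)

def parse_records(text):
    """Yield (timestamp, record) pairs for every record in an audit log."""
    starts = list(RECORD_START.finditer(text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        yield m.group(1), json.loads(text[m.end():end])

def is_write(record):
    return any(op.get("operation") in WRITE_OPERATIONS for op in record.get("ops", []))

def audit_write_coverage(text):
    """Collect failed write attempts, and those the log mislabels as read-only."""
    failed_writes, mislabeled = [], []
    for ts, rec in parse_records(text):
        if rec.get("success") or not is_write(rec):
            continue
        entry = (ts, rec.get("user"), [op["operation"] for op in rec["ops"]])
        failed_writes.append(entry)
        if rec.get("r/o") is True:  # the log-read-only="true" symptom from the bug
            mislabeled.append(entry)
    return {"failed_writes": failed_writes, "mislabeled": mislabeled}

# Constructed sample: a normal read, a rejected write logged correctly (r/o false),
# and a rejected write mislabelled as read-only (r/o true).
SAMPLE_LOG = """\
2014-04-28 21:05:01 - { "type" : "core", "r/o" : true, "user" : "admin",
    "success" : true, "ops" : [ { "address" : [ ], "operation" : "read-resource" } ] }
2014-04-28 21:07:43 - {
    "type" : "core", "r/o" : false, "user" : "monitor1", "success" : false,
    "ops" : [ { "address" : [ { "system-property" : "example" } ],
                "operation" : "write-attribute", "name" : "value", "value" : "x" } ]
}
2014-04-28 21:09:10 - {
    "type" : "core", "r/o" : true, "user" : "monitor1", "success" : false,
    "ops" : [ { "address" : [ { "system-property" : "example" } ],
                "operation" : "write-attribute", "name" : "value", "value" : "x" } ]
}
"""
```

Run `audit_write_coverage(open("audit-log.log").read())` against a real log; an empty `failed_writes` list after a denied write-attribute attempt reproduces the log-read-only="false" symptom.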
Comment 4 Scott Mumford 2014-05-13 22:17:23 EDT
Refactored release note text for this as a Known Issue (ER4 fixes will not be picked up in the 6.3.0 Beta release)

Original note included here for use at 6.3.0 GA:

Previous versions of JBoss EAP 6 did not log a "write" operation invoked by an unauthorized user if the "log-read-only attribute" on the management audit-logging resource was set as 'false'.

This was because the audit-logging resource used a controller lock to determine whether an operation should be reported as a "write" operation in the log. When role based access control (RBAC) was enabled and an unauthorized operation was performed the error happened before the controller lock was taken.

As a result unauthorized write operations were not reported in the audit log if "log-read-only" was set as false. If "log-read-only" was set as true, the log record incorrectly stated the operation as a "read" operation.

In this release, the controller lock is not used with the indication that the operation is a "write" operation.

This results in correct logging of all unauthorized "write" operations in management audit log.
Comment 6 Zbyněk Roubalík 2014-05-16 06:12:01 EDT
Verified on EAP 6.3.0.ER4
