Description of problem:
If the log-read-only attribute on the management audit-logging resource is set to 'false' and a user attempts to invoke a write operation but is not authorized, the attempted operation is not logged.

How reproducible:
Always

Steps to Reproduce:
1. Turn on management audit logging.
2. Set the log-read-only attribute on the core-service=management/access=audit resource to 'false'.
3. Switch the access control provider to 'rbac'.
4. Log in as a user that maps to the 'Monitor' role.
5. Invoke the 'write-attribute' operation for some writable attribute. The operation will fail due to insufficient permissions.
6. Check the audit log.

Actual results:
The attempted write does not appear in the log.

Expected results:
The attempted write appears in the log.

Additional info:
This is because audit logging uses the controller lock to find out if the operation was a write to the model. If RBAC is enabled and an operation is not authorized, the error happens before the controller lock is taken. So if the audit log has log-read-only="false", the failed operation does not get logged.
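A small checker for step 6, added here as an example and not part of the report or of EAP itself. It assumes the EAP 6 audit-log layout of one "YYYY-MM-DD HH:MM:SS - {" line followed by a pretty-printed JSON record with "r/o", "user", "success" and "ops" fields; the three records in SAMPLE_LOG are constructed to show a permitted read, a rejected write-attribute logged correctly, and a rejected write-attribute mislabelled as a read. A real audit log is passed as the first argument; the default file location is not assumed.

```python
"""Scan an EAP 6 management audit log for rejected write operations.

Added example, not part of the bug report. Assumption: each audit-log record
is one line "YYYY-MM-DD HH:MM:SS - {" followed by the rest of a pretty-printed
JSON object with "r/o", "user", "success" and "ops" fields. SAMPLE_LOG below
is constructed to mirror steps 5 and 6 of the report.
"""
import json
import re
import sys
from typing import Dict, List

# Management operations that only read the model. Anything else is treated as
# a write when deciding how a record should have been logged.
READ_ONLY_OPS = {
    "read-attribute", "read-resource", "read-children-names",
    "read-children-resources", "read-children-types", "read-operation-names",
    "read-operation-description", "read-resource-description", "whoami",
}

# First line of a record: timestamp, " - ", and the opening brace of the JSON.
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} - \{$")

# Constructed sample (field values are illustrative): a permitted read, a
# rejected write-attribute logged as a write ("r/o": false), and a rejected
# write-attribute flagged as a read ("r/o": true), the log-read-only=true
# symptom described in the release note.
SAMPLE_LOG = """\
2014-03-10 10:15:01 - {
    "type" : "core", "r/o" : true, "booting" : false, "user" : "monitor1",
    "domainUUID" : null, "access" : "NATIVE", "remote-address" : "127.0.0.1/127.0.0.1",
    "success" : true,
    "ops" : [{"address" : [{"subsystem" : "datasources"}, {"data-source" : "ExampleDS"}],
              "operation" : "read-attribute", "name" : "enabled"}]
}
2014-03-10 10:15:07 - {
    "type" : "core", "r/o" : false, "booting" : false, "user" : "monitor1",
    "domainUUID" : null, "access" : "NATIVE", "remote-address" : "127.0.0.1/127.0.0.1",
    "success" : false,
    "ops" : [{"address" : [{"subsystem" : "datasources"}, {"data-source" : "ExampleDS"}],
              "operation" : "write-attribute", "name" : "enabled", "value" : false}]
}
2014-03-10 10:15:12 - {
    "type" : "core", "r/o" : true, "booting" : false, "user" : "monitor1",
    "domainUUID" : null, "access" : "NATIVE", "remote-address" : "127.0.0.1/127.0.0.1",
    "success" : false,
    "ops" : [{"address" : [{"subsystem" : "datasources"}, {"data-source" : "ExampleDS"}],
              "operation" : "write-attribute", "name" : "enabled", "value" : false}]
}
"""


def parse_audit_log(text: str) -> List[Dict]:
    """Split the log into records at each timestamp line and parse the JSON bodies."""
    records: List[Dict] = []
    body: List[str] = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            if body:
                records.append(json.loads("\n".join(body)))
            body = ["{"]
        elif body:
            body.append(line)
    if body:
        records.append(json.loads("\n".join(body)))
    return records


def has_write(record: Dict) -> bool:
    """True if any operation in the record is something other than a read."""
    return any(op.get("operation") not in READ_ONLY_OPS for op in record.get("ops", []))


def rejected_writes(records: List[Dict]) -> List[Dict]:
    """Records of write operations that failed, e.g. denied by RBAC.
    Step 6 expects the Monitor's write-attribute to appear here."""
    return [r for r in records if not r["success"] and has_write(r)]


def misclassified_writes(records: List[Dict]) -> List[Dict]:
    """Write operations whose record is flagged read-only ("r/o": true)."""
    return [r for r in records if r["r/o"] and has_write(r)]


def main(argv: List[str]) -> int:
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    records = parse_audit_log(text)
    denied = rejected_writes(records)
    wrong = misclassified_writes(records)
    print(f"{len(records)} records, {len(denied)} rejected writes, "
          f"{len(wrong)} writes flagged r/o")
    for r in denied:
        ops = ", ".join(op["operation"] for op in r["ops"])
        print(f"  rejected write by {r['user']} from {r['remote-address']}: {ops}")
    # Exit 1 when no rejected write was logged at all: the behaviour this report describes.
    return 0 if denied else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the audit log written after step 5 (`python check_audit.py standalone/data/audit-log.log`, path assumed). A non-zero exit means the Monitor's denied write-attribute never reached the log, which reproduces the problem; a non-empty misclassified list is the log-read-only=true variant from the release note, where the denied write is present but recorded as a read.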
Refactored release note text for this as a Known Issue (ER4 fixes will not be picked up in the 6.3.0 Beta release). Original note included here for use at 6.3.0 GA:

Previous versions of JBoss EAP 6 did not log a "write" operation invoked by an unauthorized user if the "log-read-only" attribute on the management audit-logging resource was set to 'false'. This was because the audit-logging resource used a controller lock to determine whether an operation should be reported as a "write" operation in the log. When role-based access control (RBAC) was enabled and an unauthorized operation was performed, the error happened before the controller lock was taken. As a result, unauthorized write operations were not reported in the audit log if "log-read-only" was set to false. If "log-read-only" was set to true, the log record incorrectly stated the operation as a "read" operation. In this release, the controller lock is no longer used as the indication that the operation is a "write" operation. This results in correct logging of all unauthorized "write" operations in the management audit log.
Verified on EAP 6.3.0.ER4