Description of problem:
If the log-read-only attribute on the management audit-logging resource is set to 'false' and a user attempts to invoke a write operation but is not authorized, the attempted operation is not logged.
Steps to Reproduce:
1. Turn on management audit logging.
2. Set the log-read-only attribute on the core-service=management/access=audit resource to 'false'
3. Switch the access control provider to 'rbac'
4. Log in as a user that maps to the 'Monitor' role
5. Invoke the 'write-attribute' operation for some writable attribute. The operation will fail due to insufficient permissions.
6. Check the audit log.
Actual results:
The attempted write does not appear in the log.
Expected results:
The attempted write appears in the log.
This is because audit logging uses the controller lock to find out whether the operation was a write operation. If rbac is enabled and an operation is not authorized, the error happens before the controller lock is taken, so if the audit log has log-read-only="false" the failed operation does not get logged.
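The following script is an added example for step 6 ("Check the audit log"); it is not part of this bug report or of JBoss EAP. It parses a captured management audit log and reports both symptoms described on this page: a failed write that is missing from the log entirely (log-read-only=false) and a failed write that was recorded with "r/o" : true (log-read-only=true). It assumes the audit log's default text layout, where each record is a "yyyy-MM-dd HH:mm:ss - " prefix followed by one JSON object containing "r/o", "success", "user" and an "ops" list of operation objects; the WRITE_OPERATIONS set and the three sample records are constructed for the example, and "<eap-version>" is a placeholder.

```python
"""Check a JBoss EAP management audit log for unauthorized writes that are
missing or mis-flagged as read-only.

Added example, not part of the bug report or of JBoss EAP. Assumed layout:
"<yyyy-MM-dd HH:mm:ss> - " followed by one JSON object per record with
"r/o", "success", "user" and "ops" (a list of operation objects). The sample
records below are constructed.
"""
import json
import re

# Operation names treated as writes. Assumption for this example; extend it
# with the write operations of the subsystems you care about.
WRITE_OPERATIONS = {"write-attribute", "undefine-attribute", "add", "remove"}

# Start of a record: timestamp, then " - ", then the JSON body.
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} - ", re.MULTILINE)

# Constructed sample: a successful write by the local CLI user, a failed write
# by a Monitor-role user that the server flagged as read-only (the
# misclassification case), and a genuine read by the same user.
SAMPLE_AUDIT_LOG = """\
2014-05-06 10:12:01 - {
    "type" : "core",
    "r/o" : false,
    "version" : "<eap-version>",
    "user" : "$local",
    "access" : "NATIVE",
    "remote-address" : "127.0.0.1/127.0.0.1",
    "success" : true,
    "ops" : [{
        "operation" : "write-attribute",
        "address" : [{ "core-service" : "management" }, { "access" : "audit" }],
        "name" : "log-read-only",
        "value" : true
    }]
}
2014-05-06 10:12:30 - {
    "type" : "core",
    "r/o" : true,
    "version" : "<eap-version>",
    "user" : "monitor1",
    "access" : "HTTP",
    "remote-address" : "10.0.0.5/10.0.0.5",
    "success" : false,
    "ops" : [{
        "operation" : "write-attribute",
        "address" : [{ "subsystem" : "logging" }, { "root-logger" : "ROOT" }],
        "name" : "level",
        "value" : "DEBUG"
    }]
}
2014-05-06 10:13:00 - {
    "type" : "core",
    "r/o" : true,
    "version" : "<eap-version>",
    "user" : "monitor1",
    "access" : "HTTP",
    "remote-address" : "10.0.0.5/10.0.0.5",
    "success" : true,
    "ops" : [{
        "operation" : "read-attribute",
        "address" : [{ "subsystem" : "logging" }, { "root-logger" : "ROOT" }],
        "name" : "level"
    }]
}
"""


def parse_audit_log(text):
    """Split the log into records and decode each JSON body.
    Each returned dict gets an extra "timestamp" key from the record prefix."""
    starts = list(RECORD_START.finditer(text))
    records = []
    for i, match in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        record = json.loads(text[match.end():end].strip())
        record["timestamp"] = match.group(0)[:-3]  # drop the trailing " - "
        records.append(record)
    return records


def is_write(record):
    """True if any operation in the record is a write."""
    return any(op.get("operation") in WRITE_OPERATIONS for op in record.get("ops", []))


def unauthorized_writes(records):
    """Write attempts that failed; with the bug these were absent from the
    log when log-read-only was false."""
    return [r for r in records if is_write(r) and r.get("success") is False]


def misclassified_writes(records):
    """Write attempts flagged "r/o" : true; with the bug a failed write looked
    like this when log-read-only was true."""
    return [r for r in records if is_write(r) and r.get("r/o") is True]


def check(text, expected_failed_writes):
    """Return (ok, findings) for a log captured after the reproduction steps.
    ok is True only if every expected failed write is present and none is
    flagged read-only."""
    records = parse_audit_log(text)
    failed = unauthorized_writes(records)
    findings = []
    if len(failed) < expected_failed_writes:
        findings.append("missing failed write records: expected %d, found %d"
                        % (expected_failed_writes, len(failed)))
    for r in misclassified_writes(records):
        findings.append("%s user=%s write logged with r/o=true"
                        % (r["timestamp"], r.get("user")))
    return (not findings), findings


if __name__ == "__main__":
    ok, findings = check(SAMPLE_AUDIT_LOG, expected_failed_writes=1)
    print("OK" if ok else "\n".join(findings))
```

Run it against the log produced by the steps above with expected_failed_writes set to the number of rejected write-attribute calls you made; on an affected server it reports either the missing record or the r/o=true misclassification, and on a fixed server it prints OK.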
Refactored release note text for this as a Known Issue (ER4 fixes will not be picked up in the 6.3.0 Beta release)
Original note included here for use at 6.3.0 GA:
Previous versions of JBoss EAP 6 did not log a "write" operation invoked by an unauthorized user if the "log-read-only" attribute on the management audit-logging resource was set to 'false'.
This was because the audit-logging resource used a controller lock to determine whether an operation should be reported as a "write" operation in the log. When role-based access control (RBAC) was enabled and an unauthorized operation was performed, the error happened before the controller lock was taken.
As a result, unauthorized write operations were not reported in the audit log if "log-read-only" was set to false. If "log-read-only" was set to true, the log record incorrectly stated the operation as a "read" operation.
In this release, the controller lock is no longer used to determine whether the operation is a "write" operation.
This results in correct logging of all unauthorized "write" operations in the management audit log.
Verified on EAP 6.3.0.ER4