Bug 1092203 - Not authorized write operation does not get audit logged if log-read-only="false"
Summary: Not authorized write operation does not get audit logged if log-read-only="fa...
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Domain Management
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ER4
: EAP 6.3.0
Assignee: Brian Stansberry
QA Contact: Ondrej Lukas
Nidhi
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-04-29 01:07 UTC by Brian Stansberry
Modified: 2014-07-04 02:51 UTC (History)
6 users (show)

(edit)
Previous versions of JBoss EAP 6 contained a bug that prevented the logging of a "write" operation invoked by an unauthorized user if the "log-read-only attribute" on the management audit-logging resource was set as `false`.

This was because the model controller used "acquisition of controller lock" as a condition to determine whether an operation should be reported as a "write" operation in the log . When role based access control (RBAC) was enabled and an unauthorized operation was performed the error occurred before the controller lock is taken. 

As a result, unauthorized write operations were not reported in the audit log if "log-read-only" was set as `false`. If "log-read-only" was set as `true`, the log record incorrectly stated the operation as a "read" operation.

This issue has been resolved in this release of the product.
Clone Of:
(edit)
Last Closed: 2014-06-28 15:42:14 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker WFLY-2891 Major Resolved Not authorised write operation does not get audit logged if log-read-only="false" 2015-09-15 05:36:05 UTC

Description Brian Stansberry 2014-04-29 01:07:43 UTC
Description of problem:

If the log-read-only attribute on the management audit-logging resource is set to 'false' and user attempts to invoke a write operation but is not authorized, the attempted operation is not logged.

How reproducible:

Always

Steps to Reproduce:
1. Turn on management audit logging.
2. Set the log-read-only attribute on the core-service=management/access=audit resource to 'false'
3. Switch the access control provider to 'rbac'
4. Log in as a user that maps to the 'Monitor' role
5. Invoke the 'write-attribute' operation for some writable attribute. The operation will fail due to insufficient permissions.
6. Check the audit log.

Actual results:

The attempted write will not appear in the log.

Expected results:

The attempted write appears in the log.

Additional info:

This is because audit logging uses the controller lock to find out if the model was a write operation. If rbac is enabled and an operation is not authorized, the error happens before the controller lock is taken. So if audit log log-read-only="false" the failed operation does not get logged.

Comment 4 Scott Mumford 2014-05-14 02:17:23 UTC
Refactored release note text for this as a Known Issue (ER4 fixes will not be picked up in the 6.3.0 Beta release)

Original note included here for use at 6.3.0 GA:

Previous versions of JBoss EAP 6 did not log a "write" operation invoked by an unauthorized user if the "log-read-only attribute" on the management audit-logging resource was set as 'false'.

This was because the audit-logging resource used a controller lock to determine whether an operation should be reported as a "write" operation in the log. When role based access control (RBAC) was enabled and an unauthorized operation was performed the error happened before the controller lock was taken. 

As a result unauthorized write operations were not reported in the audit log if "log-read-only" was set as false. If "log-read-only" was set as true, the log record  incorrectly stated the operation as a "read" operation.

In this release, the controller lock is not used with the indication that the operation is a "write" operation.

This results in correct logging of all unauthorized "write" operations in management audit log.

Comment 6 Zbyněk Roubalík 2014-05-16 10:12:01 UTC
Verified on EAP 6.3.0.ER4


Note You need to log in before you can comment on or make changes to this bug.