
Insufficient logging while RBAC is used for HAL console secured by OIDC

    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • 3.6.8.Final

      Follow the steps in Keycloak’s getting started guide to add a new realm called wildfly-infra.

      Then, create a new OpenID Connect client called wildfly-console. Set the Valid Redirect URIs using the URI used to access the WildFly management console, e.g., http://localhost:9990/console/. Similarly, you’ll also need to set Web Origins using the management port for your WildFly instance, e.g., http://localhost:9990.

      Next, create a second OpenID Connect client called wildfly-management. This will be a bearer-only client so in the Capability configuration, be sure to uncheck the Standard flow and Direct access grants.

      Configure WildFly to enable Role Based Access Control (RBAC), and don't create the ADMINISTRATOR role.

      Elytron OIDC Client Subsystem Configuration
      We need to add a secure-deployment resource that references the wildfly-management client that was created in the previous section.

      A secure-server that references the wildfly-console client is also needed.

      Some example CLI commands that add these resources can be seen here:
      Configure the Keycloak provider

      /subsystem=elytron-oidc-client/provider=keycloak:add(provider-url=http://localhost:8180/realms/wildfly-infra)

      Create a secure-deployment in order to protect mgmt interface

      /subsystem=elytron-oidc-client/secure-deployment=wildfly-management:add(provider=keycloak,client-id=wildfly-management,principal-attribute=preferred_username,bearer-only=true,ssl-required=EXTERNAL)

      Enable RBAC where roles are obtained from the identity

      /core-service=management/access=authorization:write-attribute(name=provider,value=rbac)
      /core-service=management/access=authorization:write-attribute(name=use-identity-roles,value=true)

      Create a secure-server in order to publish the management console configuration via mgmt interface

      /subsystem=elytron-oidc-client/secure-server=wildfly-console:add(provider=keycloak,client-id=wildfly-console,public-client=true)

      Reload

      reload


      If a user with an insufficient role is authenticated, only a debug message is produced in the server log:

      17:58:56,684 DEBUG [org.jboss.as.controller.management-operation] (External Management Request Threads – 1) WFLYCTL0017: Operation ("read-resource") failed - address: ([]) - failure description: "WFLYCTL0313: Unauthorized to execute operation 'read-resource' for resource '[]' – \"WFLYCTL0332: Permission denied\""

      And the HAL console page is blank without any text, warning or error.

      When debug mode isn't enabled, there is not enough information about what is wrong.
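      Because WildFly reports the denial only at DEBUG, an operator who wants to see RBAC denials has to lower the level of org.jboss.as.controller.management-operation and then pick the denials out of the log. The following Node.js script is an added example (not part of this report, not HAL or WildFly code) that parses the default server.log line layout, flags the WFLYCTL0313 / WFLYCTL0332 denials quoted above, and summarises them per operation. The three sample log lines are constructed for the example; the second one mirrors the line in the report.

```javascript
// Added example, not HAL/WildFly project code: make RBAC permission denials
// visible by parsing WildFly server.log lines. Assumes the default log layout
//   HH:mm:ss,SSS LEVEL [category] (thread) message
// and the logger name / message codes quoted in the bug report above.
const LINE_RE = /^(\d{2}:\d{2}:\d{2},\d{3})\s+(\w+)\s+\[([^\]]+)\]\s+\(([^)]+)\)\s+(.*)$/;

// Pulls the operation name and resource address out of a WFLYCTL0313 message.
const DENIED_RE = /WFLYCTL0313: Unauthorized to execute operation '([^']+)' for resource '([^']*)'/;

const MGMT_OP_LOGGER = 'org.jboss.as.controller.management-operation';

function parseLogLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, time, level, category, thread, message] = m;
  return { time, level, category, thread, message };
}

// Returns a finding for a line that records an RBAC denial, otherwise null.
function detectRbacDenial(line) {
  const entry = parseLogLine(line);
  if (!entry || entry.category !== MGMT_OP_LOGGER) return null;
  const denied = DENIED_RE.exec(entry.message);
  if (!denied) return null;
  return {
    time: entry.time,
    level: entry.level, // DEBUG in current WildFly, which is why this is easy to miss
    operation: denied[1],
    address: denied[2],
    permissionDenied: entry.message.includes('WFLYCTL0332'),
  };
}

// Scans a whole log text and counts denials per management operation.
function summariseDenials(logText) {
  const findings = logText.split('\n').map(detectRbacDenial).filter(Boolean);
  const byOperation = {};
  for (const f of findings) byOperation[f.operation] = (byOperation[f.operation] || 0) + 1;
  return {
    findings,
    byOperation,
    // true when every denial was only logged at DEBUG, i.e. invisible at INFO
    onlyAtDebug: findings.length > 0 && findings.every(f => f.level === 'DEBUG'),
  };
}

// Constructed sample log: one unrelated INFO line plus two denials.
const SAMPLE_LOG = [
  String.raw`17:58:56,100 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: WildFly Full started`,
  String.raw`17:58:56,684 DEBUG [org.jboss.as.controller.management-operation] (External Management Request Threads -- 1) WFLYCTL0017: Operation ("read-resource") failed - address: ([]) - failure description: "WFLYCTL0313: Unauthorized to execute operation 'read-resource' for resource '[]' -- \"WFLYCTL0332: Permission denied\""`,
  String.raw`17:58:57,001 DEBUG [org.jboss.as.controller.management-operation] (External Management Request Threads -- 1) WFLYCTL0017: Operation ("read-children-names") failed - address: ([]) - failure description: "WFLYCTL0313: Unauthorized to execute operation 'read-children-names' for resource '[]' -- \"WFLYCTL0332: Permission denied\""`,
].join('\n');

console.log(JSON.stringify(summariseDenials(SAMPLE_LOG), null, 2));
```

      Run it with `node` after pasting a real log into SAMPLE_LOG; the onlyAtDebug flag in the summary is the signal that the denials would never have reached a log kept at INFO.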


            Krystof Stekovic added a comment -

            Thank you hpehl@redhat.com, I confirm the web-console shows the Status 403 - Forbidden when a user doesn't have the required role.


            Harald Pehl added a comment -

            The RBAC failed page is now also shown in case SSO is enabled, RBAC provider is active, but no roles have been defined in Keycloak.


            Farah Juma added a comment -

            Great, thanks for the update, hpehl@redhat.com!


            Harald Pehl added a comment - - edited

            Thanks, fjuma1@redhat.com, for your fix. That is very close to the final solution. I've done a bit of refactoring, but basically, your solution is what it takes to fix the issue. I'll need to do more regression tests tomorrow, and then I think we can resolve this. 


            Farah Juma added a comment - - edited

            When the management console is not being secured with OIDC and when RBAC has been enabled, attempting to log into the management console using a user that does not have sufficient permissions results in the RbacProviderFailed page being displayed which shows an appropriate error message in this case. The 403 error in this case gets handled here.

            When the management console is being secured with OIDC and when RBAC has been enabled, attempting to log into the management console using a user that does not have sufficient permissions results in a blank page. Inspecting the error messages from the Console page using the browser's Developer Tools shows that after the OIDC authentication succeeds, we then get a 403 when attempting to access /management, as expected. This error gets set by the Dispatcher here but nothing detects this.

            We need to update the HAL code to detect the 403 in the OIDC case in order to display the RbacProviderFailed page in this case too.

            As a quick check, I tried adding detection code in HalBootstrapper as shown here and that did seem to work but I'd like to check with hpehl@redhat.com when he's back from PTO to determine the best place this type of logic should be added.

            rhn-support-kstekovi ^ FYI.

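            The detection step Farah describes, as an added example that is not HAL's code and not the fix that was merged: after the OIDC login succeeds the console sends its first management operation, and a 403 on that request means "authenticated, but no RBAC role that allows management access". The function names, the injectable `dispatch` function (a stand-in for HAL's Dispatcher) and the two constructed dispatchers are assumptions for this example; the 403 error document shape follows the JSON that the WildFly HTTP management API returns for a failed operation.

```javascript
// Added example, not HAL code. Models the console bootstrap step: classify the
// first management response after OIDC login and pick a page to render, so a
// 403 from /management shows the RbacProviderFailed page instead of a blank one.
// `dispatch` is an assumed injectable function: (request) => Promise<{status, body}>.

const READ_ROOT = { operation: 'read-resource', address: [] };

// Classifies one management response into a bootstrap state.
function classifyManagementResponse(res) {
  if (res.status === 401) {
    return { state: 'unauthenticated', detail: 'token missing or rejected' };
  }
  if (res.status === 403) {
    const desc = String((res.body && res.body['failure-description']) || '');
    // WFLYCTL0313 / WFLYCTL0332 are the codes WildFly uses for an RBAC denial.
    const rbac = /WFLYCTL0313|WFLYCTL0332/.test(desc);
    return { state: rbac ? 'rbac-forbidden' : 'forbidden', detail: desc || 'HTTP 403' };
  }
  if (res.status >= 200 && res.status < 300 && res.body && res.body.outcome === 'success') {
    return { state: 'ok', detail: '' };
  }
  return { state: 'error', detail: `HTTP ${res.status}` };
}

// Maps a classification to the page the console should render. The
// 'rbac-provider-failed' page is the one HAL already shows for a non-OIDC
// login that RBAC rejects; here it is reused for the OIDC case.
function pageFor(classification, principal) {
  switch (classification.state) {
    case 'ok':
      return { page: 'console' };
    case 'rbac-forbidden':
    case 'forbidden':
      return {
        page: 'rbac-provider-failed',
        message: `User '${principal}' authenticated but has no role allowing management access: ${classification.detail}`,
      };
    case 'unauthenticated':
      return { page: 'login' };
    default:
      return { page: 'error', message: classification.detail };
  }
}

// Bootstrap: issue the first management operation and decide what to show.
async function bootstrap(dispatch, principal) {
  const res = await dispatch(READ_ROOT);
  return pageFor(classifyManagementResponse(res), principal);
}

// Constructed dispatcher for a user with a valid OIDC token but no RBAC role.
function forbiddenDispatcher() {
  return async () => ({
    status: 403,
    body: {
      outcome: 'failed',
      'failure-description':
        "WFLYCTL0313: Unauthorized to execute operation 'read-resource' for resource '[]' -- \"WFLYCTL0332: Permission denied\"",
      'rolled-back': true,
    },
  });
}

// Constructed dispatcher for a user whose role allows management access.
function okDispatcher() {
  return async () => ({
    status: 200,
    body: { outcome: 'success', result: { 'launch-type': 'STANDALONE' } },
  });
}

bootstrap(forbiddenDispatcher(), 'alice').then(p => console.log(p));
bootstrap(okDispatcher(), 'bob').then(p => console.log(p));
```

            The point of keeping the classification separate from the rendering is that the same check serves both the OIDC and the non-OIDC login path, which is also why the message carries the server's failure description rather than a generic "forbidden".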
