Details
- Bug
- Resolution: Won't Do
- Critical
- None
- 7.1.0.DR19
Description
Using an identity from another security domain should be possible without the need for it to exist in the target domain in Elytron.
Currently, an identity from the source security domain(s) must exist in the target domain even if identity outflow and domain trust are configured in Elytron.
For instance, when /core-service=management/access=identity defines the target domain and other domains (the source ones) are used in the /core-service=management/management-interface=* configuration, then IMO it's not valid to force the target to contain all the identities from the sources.
Such a configuration, with "ManagementDomain" as the target domain and "KerberosDomain" as the source (e.g. mapped in a sasl-authentication-factory to the native management interface):
<management>
    <identity security-domain="ManagementDomain"/>
    ...
    <security-domain name="ManagementDomain" default-realm="ManagementRealm"
                     permission-mapper="default-permission-mapper"
                     trusted-security-domains="KerberosDomain"
                     security-event-listener="local-audit">
        <realm name="ManagementRealm" role-decoder="groups-to-roles"/>
        <realm name="local" role-mapper="super-user-mapper"/>
    </security-domain>
    <security-domain name="KerberosDomain" default-realm="LdapRealm"
                     permission-mapper="default-permission-mapper"
                     outflow-security-domains="ManagementDomain">
        <realm name="LdapRealm"/>
    </security-domain>
Forcing identities to exist in the target realm just complicates Elytron configuration.