JBoss Enterprise Application Platform / JBEAP-4125

Release Notes: RBAC: The two kinds of non-addressability

Details

Description

In the EAP 6 release notes, we had the following entry in the Known Issues section:

RBAC: The two kinds of non-addressability

Some resources are non-addressable to server-group and host scoped roles in order to provide a simplified view of the management model and improve usability. This is distinct from resources that are non-addressable in order to protect sensitive data.

For server-group scoped roles this means that resources in the `profile`, `socket binding group`, `deployment`, `deployment override`, `server group`, `server config` and `server` portions of the management model will not be visible if they are not related to the server groups specified for the role.

For host-scoped roles this means that resources in the `/host=*` portion of the management model will not be visible if they are not related to the server groups specified for the role.

However, in some cases this simplified view can hide information that, while outside the scope of what the user is managing, could guide the user toward a course of action. An example of this is BZ#1015524 (http://bugzilla.redhat.com/show_bug.cgi?id=1015524).

In a future release, some of these non-addressable resources might be changed to be addressable but non-readable. This will not affect the security of the server, because those resources were not made non-addressable for security reasons. Red Hat recommends that you do not rely on the non-addressability of resources to hide information unless the non-addressability is defined in a sensitivity constraint.

The EAP 6 BZ is https://bugzilla.redhat.com/show_bug.cgi?id=1021607.

I've confirmed with Brian Stansberry that this still applies to EAP 7, so I believe we want to have it documented in the EAP 7 Release Notes.
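The recommendation above (rely on hiding only when it comes from a sensitivity constraint) implies a check an administrator can run; the following jboss-cli session is an added example, not part of the JIRA issue or the release note text. It assumes a CLI connected to a domain controller with RBAC enabled and uses the `credential` classification under `type=core` as the illustration; any other sensitivity classification follows the same pattern.

```jboss-cli
# Added example: determine whether a resource's non-addressability is backed by a
# sensitivity constraint (the only kind the release note says you may rely on),
# as opposed to the scoped-role filtering that exists purely for usability.
# Assumes an existing connection to the domain controller.

# 1. Confirm the RBAC provider is in force; under the "simple" provider no
#    sensitivity constraint hides anything from an authenticated user.
/core-service=management/access=authorization:read-attribute(name=provider)

# 2. Read the effective rule for the classification. "default-requires-addressable"
#    is the shipped default; "configured-requires-addressable" stays undefined until
#    an administrator overrides it. If both say false, the resource is addressable to
#    every role that can see it, and any hiding you observe for a scoped role is the
#    usability kind described above, not a security boundary.
/core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=credential:read-resource(include-defaults=true)

# 3. To make the hiding a deliberate security rule rather than a side effect of role
#    scoping, define it explicitly in the constraint. Non-privileged roles then cannot
#    address resources carrying this classification regardless of scope.
/core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=credential:write-attribute(name=configured-requires-addressable,value=true)
```

Step 3 changes configuration for all roles below Administrator and Auditor, so review which resources the classification's `applies-to` list covers (shown by the step 2 output) before applying it.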

People

Assignee: David Michael (dmichael)
Reporter: Ladislav Thon (lthon)
