Bug
Resolution: Done
Major
7.2.0.GA
CR1
2019 Week 41-43 (from Oct 7), 2019 Week 44-46 (from Oct 28), 2019 Week 47-49 (from Nov 18), 2019 Week 50-52 (from Dec 9), 2020 Week 01-03 (from Dec 30), 2020 Week 04-06 (from Jan 20)
If RHPAM authenticates against the $RHPAM_HOME/standalone/configuration/application-roles.properties and $EAP_HOME/standalone/configuration/application-users.properties files, a user configured as follows cannot access or see Spaces:
1. a group 'developer' is set up with no permissions on Spaces;
2. a user is set up with the 'developer' role.
However, the same scenario does not work properly when RHPAM is configured to use RHSSO: a user configured in the same way is able to see all available Spaces.
The following are the steps that were followed to reproduce the issue:
****************************************************************************************
1. install two RHPAM 7.2.0 instances:
1.1 one is integrated with RHSSO;
1.2 the other one is using $RHPAM_HOME/standalone/configuration/application-roles.properties and $EAP_HOME/standalone/configuration/application-users.properties files;
2. In both RHPAM environments, add new space - for instance "testSpace";
3. Create a new group "groupTest" by following the steps below:
**************************************************************
$ cd $RHPAM_HOME/bin/.niogit/system
$ git clone security.git
$ cd security/authz
# edit security-policy.properties, add the configuration for the new group and save:
group.groupTest.permission.orgunit.create=false
group.groupTest.permission.orgunit.delete.SpaceName=true
group.groupTest.permission.orgunit.read.SpaceName=true
group.groupTest.permission.orgunit.update.SpaceName=true
$ cd ..
$ git add --all
$ git commit -m "Edit security-policy.properties"
$ git push --force
**************************************************************
where "SpaceName" should be replaced with the name of the newly added space, "testSpace". Note that the clone is a fresh, up-to-date checkout of the system repository, so the push is a fast-forward and a plain `git push` is sufficient; `--force` would silently overwrite any commit made to security.git in the meantime (for example by Business Central itself).
4. In both environments add a new user and assign the newly created "groupTest" to that user;
5. This user should also have the role "developer";
See attached:
1. security-policy.properties [1];
2. application-roles.properties [2];
3. application-users.properties [3];
6. In both environments, set read/update/delete to "false" for the role "developer" in the permissions of every Space;
7. Set read/update/delete to "true" only for the space "testSpace" for the group "groupTest";
In the no_SSO environment the above test results in a user who is able to see testSpace (see no_SSO_test.zip [4]). The user with the same role, group and permissions in the SSO-enabled environment is not able to see testSpace (see attached sso_enabled_test.zip [5]).
****************************************************************************************
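As an added illustration (not RHPAM code, and not part of the original report), the following Python script models how the Space ("orgunit") permissions set up in steps 3, 6 and 7 resolve for a principal. The sample policy text, the helper names (`parse_policy`, `can`, `visible_spaces`, `group_policy_lines`) and the precedence rules (a per-space key overrides the generic one for the same role or group; any grant wins over denies from other roles or groups; default deny) are assumptions made for the example, not a description of the evaluator shipped with Business Central. The second scenario in `__main__`, where the group never reaches the evaluator, is likewise only an assumed way to produce the result recorded in sso_enabled_test.zip [5]; the report itself states no root cause.

```python
"""Added example (not RHPAM code): a model of how the Space ("orgunit")
permissions from security-policy.properties resolve for a user.
Precedence rules below are assumptions made for this illustration."""

# Constructed sample of security-policy.properties mirroring steps 3, 6 and 7
# of the reproduction (not the attached file [1]).
SECURITY_POLICY = """\
role.developer.permission.orgunit.read=false
role.developer.permission.orgunit.update=false
role.developer.permission.orgunit.delete=false
group.groupTest.permission.orgunit.create=false
group.groupTest.permission.orgunit.delete.testSpace=true
group.groupTest.permission.orgunit.read.testSpace=true
group.groupTest.permission.orgunit.update.testSpace=true
"""


def group_policy_lines(group, space):
    """The four lines step 3 adds for `group`, with SpaceName filled in."""
    return [
        f"group.{group}.permission.orgunit.create=false",
        f"group.{group}.permission.orgunit.delete.{space}=true",
        f"group.{group}.permission.orgunit.read.{space}=true",
        f"group.{group}.permission.orgunit.update.{space}=true",
    ]


def parse_policy(text):
    """Map (kind, name) -> {permission: bool}, for example
    ("group", "groupTest") -> {"orgunit.read.testSpace": True}.
    Keys that are not permission.* entries (home, priority, ...) are skipped."""
    policy = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        parts = key.strip().split(".", 2)
        if len(parts) < 3 or not parts[2].startswith("permission."):
            continue
        kind, name, rest = parts
        perm = rest[len("permission."):]
        policy.setdefault((kind, name), {})[perm] = value.strip().lower() == "true"
    return policy


def can(policy, roles, groups, action, space):
    """Default deny. Assumed precedence (an assumption of this model, not
    the product's documented behaviour): for one role or group the per-space
    key orgunit.<action>.<space> overrides the generic orgunit.<action>, and a
    grant from any role or group the principal carries beats a deny elsewhere."""
    principals = [("role", r) for r in roles] + [("group", g) for g in groups]
    for key in principals:
        perms = policy.get(key, {})
        for perm in (f"orgunit.{action}.{space}", f"orgunit.{action}"):
            if perm in perms:
                if perms[perm]:
                    return True
                break  # explicit deny at this level; try the next principal
    return False


def visible_spaces(policy, roles, groups, spaces):
    """Spaces the principal may read, i.e. what the Spaces page would list."""
    return [s for s in spaces if can(policy, roles, groups, "read", s)]


if __name__ == "__main__":
    policy = parse_policy(SECURITY_POLICY)
    spaces = ["testSpace", "otherSpace"]  # constructed names
    # Properties-file case from the test: role and group both reach the evaluator.
    print(visible_spaces(policy, ["developer"], ["groupTest"], spaces))  # ['testSpace']
    # Assumed scenario only: the same user with groupTest absent from the
    # principal sees nothing, matching what sso_enabled_test.zip [5] reports.
    print(visible_spaces(policy, ["developer"], [], spaces))  # []
```

The point of the model is that the per-space grant lives on the group, not the role: a principal that arrives with only the "developer" role has no entry that grants read on testSpace, so under default deny the Space is hidden, which is the symptom the report records for the SSO-enabled environment. Whether that is what actually happens in the product is for the linked documentation issue to settle, not this sketch.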
- is documented by
BXMSDOC-5260 Update configuration to resolve SSO permissions issue - Closed