
    • CR1
    • 2019 Week 41-43 (from Oct 7), 2019 Week 44-46 (from Oct 28), 2019 Week 47-49 (from Nov 18), 2019 Week 50-52 (from Dec 9), 2020 Week 01-03 (from Dec 30), 2020 Week 04-06 (from Jan 20)

      If RHPAM uses the $RHPAM_HOME/standalone/configuration/application-roles.properties and $EAP_HOME/standalone/configuration/application-users.properties files for authentication, a user configured in the following way cannot access or see Spaces:

      1. A group 'developer' is set up with no permissions on Spaces
      2. A user is set up with the 'developer' role

      However, the scenario above does not work properly when RHPAM is configured to use RHSSO. In that case, a user configured in the same way as above is able to see all available Spaces.

      The following are the steps that were followed to reproduce the issue:

      ****************************************************************************************
      1. Install two RHPAM 7.2.0 instances:

      1.1 one integrated with RHSSO;
      1.2 the other using the $RHPAM_HOME/standalone/configuration/application-roles.properties and $EAP_HOME/standalone/configuration/application-users.properties files;

      2. In both RHPAM environments, add a new space, for instance "testSpace";

      3. Create a new group "groupTest" by following the instructions below:

      **************************************************************

      $ cd $RHPAM_HOME/bin/.niogit/system
      $ git clone security.git
      $ cd security/authz

      Edit security-policy.properties and add the configuration for the new group:

      group.groupTest.permission.orgunit.create=false
      group.groupTest.permission.orgunit.delete.SpaceName=true
      group.groupTest.permission.orgunit.read.SpaceName=true
      group.groupTest.permission.orgunit.update.SpaceName=true

      Save the file, then commit and push it back to the system repository:

      $ cd ../
      $ git add --all
      $ git commit -m "Edit security-policy.properties"
      $ git push --force

      **************************************************************

      where "SpaceName" should be replaced with the name of the newly added space, "testSpace".

      4. In both environments add a new user and assign the newly created "groupTest" to that user;
      5. This user should also have the role "developer";

      See attached:

      1. security-policy.properties [1];
      2. application-roles.properties [2];
      3. application-users.properties [3];

      6. In both environments, set read/update/delete to "false" in the permissions of all Spaces for the role "developer";
      7. Set read/update/delete to "true" only for the space "testSpace" for the group "groupTest";

      The test above in the no_SSO environment results in the user being able to see testSpace, see no_SSO_test.zip [4]. On the other hand, the user with the same role, group and permissions in the environment where SSO is enabled is not able to see testSpace, see the attached sso_enabled_test.zip [5].

      ****************************************************************************************
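      The entries written in step 3 and the role permissions set in steps 6 and 7 are only meaningful once they are combined into one effective decision for the logged-in user. The script below is an added example for this issue, not RHPAM's or Uberfire's own code: it parses entries in the security-policy.properties format shown above, appends the step 3 group entries without duplicating them on a second run, and resolves orgunit.read.testSpace for a principal that carries both the developer role and the groupTest group versus one that carries only the role. The resolution rule it uses (the entry from the highest-priority role or group wins, an explicit grant wins on equal priority, no matching entry means denied), the priority values, and the SAMPLE_POLICY text are assumptions constructed for the model, not the attached file; check them against the RHPAM version in use before drawing conclusions from the output.

```python
"""Model of how role/group entries in security-policy.properties combine.

Added example for this issue; the merge rule is an assumption (see lead-in),
not a statement about the real RHPAM/Uberfire implementation.
"""

# Constructed sample in the file format shown in step 3 (not the attachment).
# Priorities are assumed values chosen for the demonstration.
SAMPLE_POLICY = """\
# roles
role.admin.priority=10
role.admin.permission.orgunit.create=true
role.developer.priority=5
role.developer.permission.orgunit.create=false
role.developer.permission.orgunit.read.testSpace=false
role.developer.permission.orgunit.update.testSpace=false
role.developer.permission.orgunit.delete.testSpace=false
"""


def parse_policy(text):
    """Return (perms, prio).

    perms: {('role'|'group', name): {'orgunit.read.testSpace': bool, ...}}
    prio:  {('role'|'group', name): int}
    """
    perms, prio = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        parts = key.strip().split(".")
        if len(parts) < 3 or parts[0] not in ("role", "group"):
            continue
        subject = (parts[0], parts[1])
        if parts[2] == "priority":
            prio[subject] = int(value)
        elif parts[2] == "permission":
            perm = ".".join(parts[3:])
            perms.setdefault(subject, {})[perm] = value.strip().lower() == "true"
    return perms, prio


def add_group_space_permissions(text, group, space, priority=None):
    """Append the four step 3 entries for group/space; skip lines already present."""
    wanted = [
        f"group.{group}.permission.orgunit.create=false",
        f"group.{group}.permission.orgunit.delete.{space}=true",
        f"group.{group}.permission.orgunit.read.{space}=true",
        f"group.{group}.permission.orgunit.update.{space}=true",
    ]
    if priority is not None:
        wanted.insert(0, f"group.{group}.priority={priority}")
    existing = {l.strip() for l in text.splitlines()}
    new = [l for l in wanted if l not in existing]
    if not new:
        return text  # idempotent: nothing to add on a second run
    return text.rstrip("\n") + "\n" + "\n".join(new) + "\n"


def is_granted(perms, prio, subjects, permission):
    """Resolve `permission` for a principal holding `subjects` (roles and groups).

    Assumed rule: each subject contributes its most specific matching entry
    (exact key first, then the un-suffixed key such as orgunit.read); the
    highest-priority subject wins, a grant beats a denial on equal priority,
    and a principal with no matching entry at all is denied.
    """
    best = None  # (priority, granted)
    for subject in subjects:
        table = perms.get(subject, {})
        candidate, decision = permission, None
        while True:
            if candidate in table:
                decision = table[candidate]
                break
            if "." not in candidate:
                break
            candidate = candidate.rsplit(".", 1)[0]
        if decision is None:
            continue
        p = prio.get(subject, 0)
        if best is None or p > best[0] or (p == best[0] and decision and not best[1]):
            best = (p, decision)
    return bool(best and best[1])


def reproduce():
    """Run the model over the scenario from steps 3, 6 and 7 and return the outcomes."""
    read = "orgunit.read.testSpace"
    policy = add_group_space_permissions(SAMPLE_POLICY, "groupTest", "testSpace", priority=5)
    perms, prio = parse_policy(policy)
    # Variant with no priority line for the group (assumed to fall back to 0).
    low = add_group_space_permissions(SAMPLE_POLICY, "groupTest", "testSpace")
    perms_low, prio_low = parse_policy(low)
    return {
        # developer denies, groupTest grants at equal priority -> visible
        "role_and_group": is_granted(perms, prio, [("role", "developer"), ("group", "groupTest")], read),
        # principal whose group membership did not reach the application -> not visible
        "role_only": is_granted(perms, prio, [("role", "developer")], read),
        # group outranked by the role's priority -> the role's denial wins
        "group_lower_priority": is_granted(perms_low, prio_low, [("role", "developer"), ("group", "groupTest")], read),
        # re-running step 3 must not duplicate entries
        "idempotent": add_group_space_permissions(policy, "groupTest", "testSpace", priority=5) == policy,
    }


if __name__ == "__main__":
    for name, outcome in reproduce().items():
        print(f"{name}: {outcome}")
```

      The two middle outcomes are the ones worth keeping in mind when comparing the SSO and non-SSO environments: under this model the same policy file yields "not visible" both when the principal does not carry the group at all and when the group is outranked by a denying role, so the first thing to compare between the two setups is which roles and groups, with which priorities, the authenticated principal actually ends up holding.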

        1. user_permissions.png (63 kB)
        2. sso_enabled_test.zip (289 kB)
        3. security-policy.properties (17 kB)
        4. Screenshot from 2019-06-17 16-02-49.png (112 kB)
        5. Screenshot from 2019-06-14 17-44-20.png (353 kB)
        6. role_permissions.png (54 kB)
        7. realm-admin assigned.png (95 kB)
        8. no_SSO_test.zip (271 kB)
        9. group_permissions.png (68 kB)
        10. application-users.properties (1 kB)
        11. application-roles.properties (0.8 kB)

              csherrar Clifton Sherrard
              rhn-support-bkramer1 Biljana Kramer
              Tomas David
