
    • CR1
    • 2019 Week 41-43 (from Okt 7), 2019 Week 44-46 (from Okt 28), 2019 Week 47-49 (from Nov 18), 2019 Week 50-52 (from Dec 9), 2020 Week 01-03 (from Dec 30), 2020 Week 04-06 (from Jan 20)

      If RHPAM is using the $RHPAM_HOME/standalone/configuration/application-roles.properties and $EAP_HOME/standalone/configuration/application-users.properties files for authentication, a user configured in the following way cannot access/see Spaces:

      1. A group 'developer' is set up with no permissions to Spaces
      2. A user is set up with the 'developer' role

      However, the above scenario does not work properly when RHPAM is configured to use RHSSO. In this case, a user configured in the same way as above will be able to see all available Spaces.

      The following steps were followed to reproduce the issue:

      ****************************************************************************************
      1. Install two RHPAM 7.2.0 instances:

      1.1 one is integrated with RHSSO;
      1.2 the other one uses the $RHPAM_HOME/standalone/configuration/application-roles.properties and $EAP_HOME/standalone/configuration/application-users.properties files;

      2. In both RHPAM environments, add a new space, for instance "testSpace";

      3. Create a new group "groupTest" by following the instructions below:

      **************************************************************

      $ cd $RHPAM_HOME/bin/.niogit/system
      $ git clone security.git
      $ cd security/authz
      (edit security-policy.properties and add the configuration for the new group:)
      group.groupTest.permission.orgunit.create=false
      group.groupTest.permission.orgunit.delete.SpaceName=true
      group.groupTest.permission.orgunit.read.SpaceName=true
      group.groupTest.permission.orgunit.update.SpaceName=true

      (save the file)
      $ cd ../
      $ git add --all
      $ git commit -m "Edit security-policy.properties"
      $ git push --force

      **************************************************************

      where "SpaceName" should be replaced with the name of the newly added space, "testSpace".

      4. In both environments, add a new user and assign the newly created "groupTest" to the new user;
      5. This user should also have the role "developer";

      See attached:

      1. security-policy.properties [1];
      2. application-roles.properties [2];
      3. application-users.properties [3];

      6. In both environments, set read/update/delete to "false" in all Space permissions for the role "developer";
      7. Set read/update/delete to "true" only for the space "testSpace" for the group "groupTest";

      The above test in the no_SSO environment results in the user being able to see testSpace (see no_SSO_test.zip [4]). On the other hand, the user with the same role, group and permissions in the environment where SSO is enabled is not able to see testSpace (see attached sso_enabled_test.zip [5]).

      ****************************************************************************************
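      As an added illustration (not from this report and not RHPAM's own code): a small evaluator for security-policy.properties entries of the kind used in step 3, applied to the user configured in steps 4-7. The resolution rule is an assumption (within a role or group the space-specific entry overrides the generic one; across roles and groups the highest priority wins and a tie grants if any grants), and the role.developer deny entry and priorities are constructed. It shows that the expected decision for "testSpace" flips depending on whether the group membership actually reaches the authorization layer, which is the first thing to compare between the file-based and the RHSSO-backed environment.

```python
import re
# Constructed excerpt of security-policy.properties: the groupTest entries from
# the report plus an assumed role.developer entry denying space read by default.
POLICY_TEXT = """\
role.developer.priority=5
group.groupTest.priority=5
role.developer.permission.orgunit.read=false
group.groupTest.permission.orgunit.create=false
group.groupTest.permission.orgunit.delete.testSpace=true
group.groupTest.permission.orgunit.read.testSpace=true
group.groupTest.permission.orgunit.update.testSpace=true
"""
LINE = re.compile(r"^(role|group)\.([^.]+)\.(priority|permission\.(.+))=(.+)$")

def parse_policy(text):
    """Return {(kind, name): {"priority": int, "perms": {perm: bool}}}."""
    policy = {}
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable policy line: {line!r}")
        kind, name, key, perm, value = m.groups()
        entry = policy.setdefault((kind, name), {"priority": 0, "perms": {}})
        if key == "priority":
            entry["priority"] = int(value)
        else:
            entry["perms"][perm] = value.strip().lower() == "true"
    return policy

def principal_vote(perms, action, space):
    """Assumed rule: the space-specific entry overrides the generic one."""
    for key in (f"orgunit.{action}.{space}", f"orgunit.{action}"):
        if key in perms:
            return perms[key]
    return None  # this role/group says nothing about the action

def can_access(policy, action, space, roles, groups):
    """Assumed rule: highest-priority principal decides; on a tie any grant wins."""
    best, decision = None, False
    for principal in [("role", r) for r in roles] + [("group", g) for g in groups]:
        entry = policy.get(principal)
        vote = principal_vote(entry["perms"], action, space) if entry else None
        if vote is None:
            continue
        if best is None or entry["priority"] > best:
            best, decision = entry["priority"], vote
        elif entry["priority"] == best:
            decision = decision or vote
    return decision
```

Running `can_access(parse_policy(POLICY_TEXT), "read", "testSpace", {"developer"}, {"groupTest"})` grants access, while the same call with an empty group set denies it: a backend that authenticates the user but drops the group yields a different answer from the same policy file.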

        1. application-roles.properties (0.8 kB, Biljana Kramer)
        2. application-users.properties (1 kB, Biljana Kramer)
        3. group_permissions.png (68 kB, Biljana Kramer)
        4. group_permissions.png (68 kB, Biljana Kramer)
        5. realm-admin assigned.png (95 kB, Rishiraj Anand)
        6. role_permissions.png (54 kB, Biljana Kramer)
        7. role_permissions.png (54 kB, Biljana Kramer)
        8. Screenshot from 2019-06-14 17-44-20.png (353 kB, Rishiraj Anand)
        9. Screenshot from 2019-06-17 16-02-49.png (112 kB, Rishiraj Anand)
        10. security-policy.properties (17 kB, Biljana Kramer)
        11. user_permissions.png (63 kB, Biljana Kramer)

              csherrar Clifton Sherrard
              rhn-support-bkramer1 Biljana Kramer
              Tomas David Tomas David
              Tomas David Tomas David