Uploaded image for project: 'Red Hat Process Automation Manager'
  1. Red Hat Process Automation Manager
  2. RHPAM-4146

[ELYTRON] Authorization fails when using role mapping

    XMLWordPrintable

Details

    • Bug
    • Status: Verified (View Workflow)
    • Major
    • Resolution: Done
    • 7.12.0.GA
    • 7.12.1.GA
    • Cloud
    • None
    • CR1
    • Hide
      • create the workaround.cli script:
      embed-server --std-out=echo --server-config=standalone-openshift.xml
      batch
      
      /subsystem=elytron/security-domain=KIELdapSecurityDomain:write-attribute(name=realms[0].role-mapper, value=kie-custom-role-mapper)
      
      run-batch 
      quit
      
      • create a empty file called delayedpostconfigure.sh
      • create the postconfigure.sh file with the following content:

       

      echo "trying to execute /opt/eap/bin/jboss-cli.sh --file=/opt/eap/extensions/workaround.cli "
      /opt/eap/bin/jboss-cli.sh --file=/opt/eap/extensions/workaround.cli
      echo "END - cli script executed"

       

       

      • create the config-map with the content mentioned above:
      oc create configmap postconfigure \
        --from-file=workaround.cli=workaround.cli \
        --from-file=delayedpostconfigure.sh=delayedpostconfigure.sh \
        --from-file=postconfigure.sh=postconfigure.sh

       

       

      A similar message will be printed in the logs durng JBoss EAP startup:

       

      trying to execute /opt/eap/bin/jboss-cli.sh --file=/opt/eap/extensions/workaround.cli 
      19:15:55,744 INFO  [org.jboss.modules] (CLI command executor) JBoss Modules version 1.11.0.Final-redhat-00001
      ...
      The batch executed successfully
      process-state: reload-required 
      19:16:04,757 INFO  [org.jboss.as] (MSC service thread 1-1) WFLYSRV0050: JBoss EAP 7.4.1.GA (WildFly Core 15.0.4.Final-redhat-00001) stopped in 18ms
      END - cli script executed
      

       

       

      And the security domain updated:

       

              <security-domain name="KIELdapSecurityDomain" default-realm="KIELdapRealm" permission-mapper="default-permission-mapper">
                <realm name="KIELdapRealm" role-decoder="from-roles-attribute" role-mapper="kie-custom-role-mapper"/>
              </security-domain>

       

       

       

       

      Show
      create the workaround.cli script: embed-server --std-out=echo --server-config=standalone-openshift.xml batch /subsystem=elytron/security-domain=KIELdapSecurityDomain:write-attribute(name=realms[0].role-mapper, value=kie-custom-role-mapper) run-batch quit create a empty file called delayedpostconfigure.sh create the postconfigure.sh file with the following content:   echo "trying to execute /opt/eap/bin/jboss-cli.sh --file=/opt/eap/extensions/workaround.cli " /opt/eap/bin/jboss-cli.sh --file=/opt/eap/extensions/workaround.cli echo "END - cli script executed"     create the config-map with the content mentioned above: oc create configmap postconfigure \ --from-file=workaround.cli=workaround.cli \ --from-file=delayedpostconfigure.sh=delayedpostconfigure.sh \ --from-file=postconfigure.sh=postconfigure.sh   follow the steps on this example to mount the config-map by adding the changes for every object that is using the role mapping: https://github.com/jboss-container-images/rhpam-7-openshift-image/tree/main/quickstarts/post-configure-example#operator-method   A similar message will be printed in the logs durng JBoss EAP startup:   trying to execute /opt/eap/bin/jboss-cli.sh --file=/opt/eap/extensions/workaround.cli  19:15:55,744 INFO  [org.jboss.modules] (CLI command executor) JBoss Modules version 1.11.0.Final-redhat-00001 ... The batch executed successfully process-state: reload-required  19:16:04,757 INFO  [org.jboss.as] (MSC service thread 1-1) WFLYSRV0050: JBoss EAP 7.4.1.GA (WildFly Core 15.0.4.Final-redhat-00001) stopped in 18ms END - cli script executed     And the security domain updated:           <security-domain name= "KIELdapSecurityDomain" default -realm= "KIELdapRealm" permission-mapper= " default -permission-mapper" >           <realm name= "KIELdapRealm" role-decoder= "from-roles-attribute" role-mapper= "kie-custom-role-mapper" />         </security-domain>        
    • Documentation (Ref Guide, User Guide, etc.), Release Notes
    • 2022 Week 05-07 (from Jan 31)
    • +

    Description

       When roleMapper is set like the following
       

        auth:
          ...
          roleMapper:
            from:
              kind: ConfigMap
              name: ldap-role-mapping
            rolesKeepMapped: false
            rolesKeepNonMapped: false
            rolesProperties: /etc/ldap-role-mappings.properties

        
        mapped-role-mapper "kie-custom-role-mapper"  is set like the following.

      <!-- ##KIE_AUTH_LDAP_DEFAULT_ROLE## -->
              <simple-role-decoder name="from-roles-attribute" attribute="Roles"/>
              <!-- ##KIE_ROLE_DECODER## -->
              <simple-role-decoder name="groups-to-roles" attribute="groups"/>
              <mapped-role-mapper name="kie-custom-role-mapper" keep-mapped="false" keep-non-mapped="false">
                <role-mapping from="rhpam_admin" to="admin"/>
                <role-mapping from="rhpam_kieserver" to="kie-server"/>
                <role-mapping from="rhpam_restall" to="rest-all"/>
                <role-mapping from="rhpam_administrators" to="Administrators"/>
                <role-mapping from="rhpam_all" to="admin kie-server rest-all Administrators"/>
              </mapped-role-mapper>

        But this role-mapper is not specified in the security-domain "KIELdapSecurityDomain".
       

              <security-domain name="KIELdapSecurityDomain" default-realm="KIELdapRealm" permission-mapper="default-permission-mapper">
                <realm name="KIELdapRealm" role-decoder="from-roles-attribute"/>
              </security-domain>
      

      Note: make sure that the defaultRole still wroking with the mapping roles configuration

      Attachments

        Activity

          People

            rhn-support-fspolti Filippe Spolti
            rhn-support-fspolti Filippe Spolti
            Jakub Schwan Jakub Schwan
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: