Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-2633

Allow specification of "non-sensitive" values on an AttributeDefinition

    XMLWordPrintable

    Details

      Description

      The RBAC system requires the user to be in a role with permissions to perform "security sensitive" actions in order to manipulate "defined" attributes with a sensitivity constraint applied. And "defined" in this case includes attributes that are not explicitly configured by the user but which have default values. But for attributes without default values that are left undefined, the non-sensitive roles are allowed to perform that action.

      The requirement here is to open this up such that certain "defined" values (explicitly configured or default) also are treated as non-sensitive.

      See WFCORE-8521 for an explicit example of this. If the datasource subsystem "elytron-enabled" attribute has a value of "false", and other related attributes are left undefined, that basically means there is no configuration set up for how the DS should authenticate to the DB. Such a setup is likely useless (since the DB most likely requires authentication) but in and of itself doesn't involve anything security sensitive on the WildFly side, so configuring false shouldn't be sensitive. It's analogous to leaving other related attributes like "username" and "password" undefined which in previous releases was considered to be non-sensitive.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              brian.stansberry Brian Stansberry
              Reporter:
              brian.stansberry Brian Stansberry
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: