  1. WildFly
  2. WFLY-16570

Inconsistent SecurityIdentity when switching domain


    • Bug
    • Resolution: Unresolved
    • Major
    • Security

      Trying to update the test for https://issues.redhat.com/browse/WFLY-16387 / https://github.com/wildfly/wildfly/pull/15717 to check the output of the whois operation, I see inconsistent results for what SecurityIdentity is used when switching from the ApplicationDomain to the ManagementDomain. The files in question are attached and can be used to override the ones in the PR (AbstractJmxAccessFromDeploymentWithRbacTest.java + JmxResource.java). Also https://github.com/kabir/wildfly/pull/new/rbac-core-mbeans-16387-follow-up contains the changes.

       

      To attempt to summarise, the tests are run in three setups. Each setup accesses the platform mbean server, and also does an access via a remote mbean server connection. For the remote case, the results are consistent and become $local in each setup.

      The setups and results for switched security identity when using the platform mbean server are:

      • Mapping the anonymous identity to RBAC superuser: Here the security identity is 'anonymous' as expected
      • Doing the RBAC role mapping via 
        /core-service=management/access=authorization:write-attribute(name=use-identity-roles,value=true) 

        and having the ManagementRealm manage the SuperUser, the principal is 'kabir' as expected.

      • Doing the RBAC role mapping via 
        /core-service=management/access=authorization/role-mapping=SuperUser/include=user-kabir:add(name=kabir,type=USER) 

        the principal is 'anonymous', but I would expect 'kabir'.

       

       

              Unassigned Unassigned
              kkhan1@redhat.com Kabir Khan