Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-490 Domain Management Role Based Access Control
  3. WFLY-1818

Allow ModelControllerClient configurations to disable the JBOSS_LOCAL_USER SASL mechanism


    • Icon: Sub-task Sub-task
    • Resolution: Done
    • Icon: Major Major
    • 8.0.0.Alpha4
    • None
    • Management
    • None

      The ModelControllerClient ClientConfiguration interface allows passing in a "saslOptions" map, which gets passed to xnio. Remoting also supports an "Options.SASL_DISALLOWED_MECHANISMS" Option but does not look to the saslOptions map for that. This makes it difficult for a ModelControllerClient user to disallow a mechanism, specifically JBOSS_LOCAL_USER.

      This makes building integration tests for RBAC very difficult, since the JBOSS_LOCAL_USER mechanism will get preference, the desired user account will not be used, and the intended role mapping will not occur.

      Intended fix is to have ProtocolConnectionUtils, which sets up the remoting OptionMap, look for a "SASL_DISALLOWED_MECHANISMS" key in saslOptions and if found set up the Remoting Option.

            bstansbe@redhat.com Brian Stansberry
            bstansbe@redhat.com Brian Stansberry
            0 Vote for this issue
            2 Start watching this issue