Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-490 Domain Management Role Based Access Control
  3. WFLY-2270

Lack of model integrity checking regarding role mappings, standard role names and scoped role names.

    Details

    • Type: Sub-task
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 8.0.0.CR1
    • Component/s: None
    • Labels:
      None

      Description

      Take the following scoped role definition and assignment: -

                  <host-scoped-roles>
                      <role name="master-Monitior" base-role="MONITOR">
                          <host name="master"/>
                      </role>
                  </host-scoped-roles>
      
       <role name="master-Monitior" include-all="true"/>
      

      Removal results in the following: -

      [domain@localhost:9990 /] ./core-service=management/access=authorization/host-scoped-role=master-Monitior:remove
      {
          "outcome" => "failed",
          "failure-description" => {"domain-failure-description" => "JBAS014749: Operation handler failed: JBAS013470: Unknown role 'MASTER-MONITIOR'"},
          "rolled-back" => true
      }
      

      Server side this is reported as: -

      [Host Controller] 11:24:57,780 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 4) JBAS014612: Operation ("remove") failed - address: ([
      [Host Controller]     ("core-service" => "management"),
      [Host Controller]     ("access" => "authorization"),
      [Host Controller]     ("host-scoped-role" => "master-Monitior")
      [Host Controller] ]): java.lang.IllegalArgumentException: JBAS013470: Unknown role 'MASTER-MONITIOR'
      [Host Controller] 	at org.jboss.as.controller.access.rbac.DefaultPermissionFactory.getUserPermissions(DefaultPermissionFactory.java:134) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
      [Host Controller] 	at org.jboss.as.controller.access.rbac.DefaultPermissionFactory.getUserPermissions(DefaultPermissionFactory.java:107) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
      [Host Controller] 	at org.jboss.as.controller.access.permission.ManagementPermissionAuthorizer.authorize(ManagementPermissionAuthorizer.java:99) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
      [Host Controller] 	at org.jboss.as.controller.access.management.DelegatingConfigurableAuthorizer.authorize(DelegatingConfigurableAuthorizer.java:98) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
      [Host Controller] 	at org.jboss.as.controller.OperationContextImpl.getBasicAuthorizationResponse(OperationContextImpl.java:1157) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
      [Host Controller] 	at org.jboss.as.controller.OperationContextImpl.authorize(OperationContextImpl.java:1059) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
      [Host Controller] 	at org.jboss.as.controller.OperationContextImpl.readResourceFromRoot(OperationContextImpl.java:542) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
      [Host Controller] 	at org.jboss.as.domain.controller.operations.coordination.ServerOperationResolver.getServerOperations(ServerOperationResolver.java:232)
      [Host Controller] 	at org.jboss.as.domain.controller.operations.coordination.ServerOperationsResolverHandler.getServerOperations(ServerOperationsResolverHandler.java:149)
      [Host Controller] 	at org.jboss.as.domain.controller.operations.coordination.ServerOperationsResolverHandler.access$000(ServerOperationsResolverHandler.java:58)
      [Host Controller] 	at org.jboss.as.domain.controller.operations.coordination.ServerOperationsResolverHandler$2.getServerOperations(ServerOperationsResolverHandler.java:113)
      [Host Controller] 	at org.jboss.as.domain.controller.operations.coordination.HostControllerExecutionSupport$Factory$DomainOpExecutionSupport.getServerOps(HostControllerExecutionSupport.java:265)
      [Host Controller] 	at org.jboss.as.domain.controller.operations.coordination.ServerOperationsResolverHandler.execute(ServerOperationsResolverHandler.java:124)
      [Host Controller] 	at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:609) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
      [Host Controller] 	at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:487) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
      [Host Controller] 	at org.jboss.as.controller.AbstractOperationContext.completeStepInternal(AbstractOperationContext.java:277) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
      [Host Controller] 	at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:272) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
      [Host Controller] 	at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:258) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
      [Host Controller] 	at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:143) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
      [Host Controller] 	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:205) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
      [Host Controller] 	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.access$300(ModelControllerClientOperationHandler.java:110) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
      [Host Controller] 	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$2.run(ModelControllerClientOperationHandler.java:157) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
      [Host Controller] 	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$2.run(ModelControllerClientOperationHandler.java:153) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
      [Host Controller] 	at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_17]
      [Host Controller] 	at javax.security.auth.Subject.doAs(Subject.java:415) [rt.jar:1.7.0_17]
      [Host Controller] 	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:153) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
      [Host Controller] 	at org.jboss.as.protocol.mgmt.AbstractMessageHandler$2$1.doExecute(AbstractMessageHandler.java:296) [wildfly-protocol-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
      [Host Controller] 	at org.jboss.as.protocol.mgmt.AbstractMessageHandler$AsyncTaskRunner.run(AbstractMessageHandler.java:518) [wildfly-protocol-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
      [Host Controller] 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_17]
      [Host Controller] 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_17]
      [Host Controller] 	at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_17]
      [Host Controller] 	at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.1.1.Final.jar:2.1.1.Final]
      

      At this point I believe that role removal is actually successful, however a subsequent operation is failing as the role previously associated with the user no longer exists.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  dlofthouse Darran Lofthouse
                  Reporter:
                  dlofthouse Darran Lofthouse
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  3 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: