[jboss-jira] [JBoss JIRA] (WFLY-2583) Support multiple run-as roles from CLI and HTTP clients

Brian Stansberry (JIRA) jira-events at lists.jboss.org
Tue Nov 26 22:44:05 EST 2013


     [ https://issues.jboss.org/browse/WFLY-2583?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brian Stansberry updated WFLY-2583:
-----------------------------------

    Description: 
The "run-as" roles feature with RBAC will only allow multiple role declarations if the caller provides a ModelNode of type LIST. The CLI doesn't do that and clients using the HTTP interface (e.g. web console) cannot do that. This makes doing this largely unsupported except for things like unit tests that create custom clients.

Fix is to do some more sophisticated parsing in RunAsRolesMapper.getOperationHeaderRoles(...).

1) If the trimmed role-list string starts with [ and ends with ] try to use ModelNode.fromString to parse. Return result if no error.
2) If not, or there is a parse error in 1), check for "," and use String.split(",")
3) Just return the trimmed string in a ModelNode.

Step 2 makes "," a kind of privileged char in role names. However, in the extremely remote chance users want to include "," in role names and still use this feature, the solution is to use proper DMR syntax for the roles header value, e.g.

["yuck,commas","Maintainer"]

So, in the CLI:

$ :read-resource{roles=["yuck,commas","Maintainer"]}

An HTTP client like the console should use proper DMR syntax for the value of the operation-header-roles query parameter.

  was:
The "run-as" roles feature with RBAC will only allow multiple role declarations if the caller provides a ModelNode of type LIST. The CLI doesn't do that and clients using the HTTP interface (e.g. web console) cannot do that. This makes doing this largely unsupported except for things like unit tests the create custom clients.

Fix is to do some more sophisticated parsing in RunAsRolesMapper.getOperationHeaderRoles(...).

1) If the trimmed role-list string starts with [ and ends with ] try to use ModelNode.fromString to parse. Return result if no error.
2) If not, or there is a parse error in 1), check for "," and use String.split(",")
3) Just return the trimmed string in a ModelNode.

Step 2 makes "," a kind of privileged char in role names. However, in the extremely remote chance users want to include "," in role names and still use this feature, the solution is to use proper DMR syntax for the roles header value, e.g.

["yuck,commas","Maintainer"]

So, in the CLI:

$ :read-resource{roles=["yuck,commas","Maintainer"]}

An HTTP client like the console should use proper DMR syntax for the value of the operation-header-roles query parameter.


    
> Support multiple run-as roles from CLI and HTTP clients
> -------------------------------------------------------
>
>                 Key: WFLY-2583
>                 URL: https://issues.jboss.org/browse/WFLY-2583
>             Project: WildFly
>          Issue Type: Requirement 
>      Security Level: Public(Everyone can see) 
>          Components: Domain Management
>            Reporter: Brian Stansberry
>            Assignee: Brian Stansberry
>             Fix For: 8.0.0.CR1
>
>
> The "run-as" roles feature with RBAC will only allow multiple role declarations if the caller provides a ModelNode of type LIST. The CLI doesn't do that and clients using the HTTP interface (e.g. web console) cannot do that. This makes doing this largely unsupported except for things like unit tests that create custom clients.
> Fix is to do some more sophisticated parsing in RunAsRolesMapper.getOperationHeaderRoles(...).
> 1) If the trimmed role-list string starts with [ and ends with ] try to use ModelNode.fromString to parse. Return result if no error.
> 2) If not, or there is a parse error in 1), check for "," and use String.split(",")
> 3) Just return the trimmed string in a ModelNode.
> Step 2 makes "," a kind of privileged char in role names. However, in the extremely remote chance users want to include "," in role names and still use this feature, the solution is to use proper DMR syntax for the roles header value, e.g.
> ["yuck,commas","Maintainer"]
> So, in the CLI:
> $ :read-resource{roles=["yuck,commas","Maintainer"]}
> An HTTP client like the console should use proper DMR syntax for the value of the operation-header-roles query parameter.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
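
The three-step fallback described in the issue, sketched in Java as an added example; it is not WildFly's actual RunAsRolesMapper code. The class and method names are hypothetical, jboss-dmr must be on the classpath, and trimming entries and dropping empty ones in step 2 is an assumption the issue does not specify.

```java
import org.jboss.dmr.ModelNode;

// Added illustration, not WildFly's RunAsRolesMapper source; needs jboss-dmr.
public class RunAsRolesHeaderSketch {

    // Hypothetical helper: converts a roles header string to a ModelNode.
    static ModelNode parseRoles(String header) {
        String trimmed = header.trim();

        // Step 1: try proper DMR syntax first, so quoted names may contain commas.
        if (trimmed.startsWith("[") && trimmed.endsWith("]")) {
            try {
                return ModelNode.fromString(trimmed);
            } catch (IllegalArgumentException e) {
                // Not valid DMR: fall through to the comma handling.
            }
        }

        // Step 2: a plain comma-separated string becomes a LIST node.
        // Assumption (not stated in the issue): entries are trimmed and
        // empty entries are dropped, so "a,,b" never yields a blank role.
        if (trimmed.contains(",")) {
            ModelNode list = new ModelNode().setEmptyList();
            for (String role : trimmed.split(",")) {
                String name = role.trim();
                if (!name.isEmpty()) {
                    list.add(name);
                }
            }
            return list;
        }

        // Step 3: a single role is returned as a STRING node.
        return new ModelNode(trimmed);
    }

    public static void main(String[] args) {
        // Constructed sample header values.
        String[] samples = {
            "Maintainer",
            " Maintainer, Auditor ",
            "[\"yuck,commas\",\"Maintainer\"]"
        };
        for (String s : samples) {
            ModelNode roles = parseRoles(s);
            System.out.println(roles.getType() + " <- " + s);
        }
    }
}
```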

