[wildfly-dev] Pattern defined RBAC scoped roles
Brian Stansberry
brian.stansberry at redhat.com
Mon Apr 25 11:59:46 EDT 2016
Gotcha; thanks.
I think there are two basic (non-regex) patterns that are likely to be
useful:
1) Cross-profile perms
/profile=*/subsystem=logging
vs
/profile=default/subsystem=logging
/profile=ha/subsystem=logging
...
/profile=prof-52/subsystem=logging
2) Granting perms for an address and its children/
/subsystem=logging/**
Clean handling of 2) is a must. I'm sure we'd get complaints if we
didn't support 1).
But full regex support isn't needed for those two.
On 4/25/16 10:07 AM, Anil Saldanha wrote:
> Hi Brian - I was just making a generic statement about staying away from
> pattern matching in ACLs given it is hard to debug and the possibility
> of Allow instead of Deny in unintended cases. Having explicit grants
> will make it cleaner.
>
> On Mon, Apr 25, 2016 at 9:28 AM, Brian Stansberry
> <brian.stansberry at redhat.com <mailto:brian.stansberry at redhat.com>> wrote:
>
> On 4/25/16 8:09 AM, Anil Saldanha wrote:
>
> The challenge with pattern based matching is that you provide
> access when you should not. Explicit definition of the grants is
> recommended.
>
> So I support your thinking, Brian.
>
>
> Did you mean you support Ladislav's thinking? His proposed approach
> is more explicit.
>
>
> On Apr 25, 2016, at 7:55 AM, Brian Stansberry
> <brian.stansberry at redhat.com
> <mailto:brian.stansberry at redhat.com>> wrote:
>
> Perhaps. I'm a bit bit reluctant to move away from something
> powerful
> and standard to something custom. Mostly because it's hard
> to move the
> other way in the future while remaining compatible. But your
> point is
> well taken.
>
> How would you propose discriminating these cases?
>
> 1) /subsystem=messaging is not allowed but its children are.
>
> 2) /subsystem=messaging and its children are.
>
> We also need to think about ObjectName patterns, which are not
> inherently hierarchical.
>
> On 4/23/16 1:38 AM, Ladislav Thon wrote:
> I only have a single comment: writing a regular
> expression can sometimes
> be a bit tricky. Just see the example you used:
>
> (/profile=[^/]+)??/subsystem=logging(/.*)*
>
>
> It's also fairly easy to write a regular expression that
> doesn't quite
> do what you want it to do, in some corner cases.
> Finally, some
> well-crafted regular expressions have running time in
> years or more (at
> least in the java.util.regex implementation).
>
> This all leads me to believe that maybe regular
> expressions are not the
> best choice.
>
> Instead, I'm thinking about address prefixes. So the
> role would be
> specified by a set of valid addresses (including the "*"
> wildcard), and
> only the specified resources and all their children
> would be accessible.
>
> I'm specifically not thinking about _textual_ prefix, so
> e.g. prefix of
> /subsystem=messaging would give you access to the old
> messaging
> subsystem, but it _wouldn't_ give you access to the new
> /subsystem=messaging-activemq, even if
> /subsystem=messaging is a textual
> prefix.
>
> Granted, that's way less powerful than regular
> expressions, but also
> easier and safer to use.
>
> WDYT? Am I being too paranoid here?
>
> LT
> _______________________________________________
> wildfly-dev mailing list
> wildfly-dev at lists.jboss.org
> <mailto:wildfly-dev at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/wildfly-dev
>
>
>
> --
> Brian Stansberry
> Senior Principal Software Engineer
> JBoss by Red Hat
> _______________________________________________
> wildfly-dev mailing list
> wildfly-dev at lists.jboss.org <mailto:wildfly-dev at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/wildfly-dev
>
>
>
> --
> Brian Stansberry
> Senior Principal Software Engineer
> JBoss by Red Hat
>
>
--
Brian Stansberry
Senior Principal Software Engineer
JBoss by Red Hat
More information about the wildfly-dev
mailing list