[wildfly-dev] Pattern defined RBAC scoped roles

Ladislav Thon lthon at redhat.com
Tue Apr 26 02:36:53 EDT 2016


> 1) Cross-profile perms
> 
> /profile=*/subsystem=logging

Exactly, this is a syntax we already have.

> 2) Granting perms for an address and its children/
> 
> /subsystem=logging/**
> 
> Clean handling of 2) is a must.

Based on your previous question, this could actually mean 3 different
things:

a) only the resource and not its children
b) the resource and its children
c) only the resource's children, not the resource itself

I think /subsystem=logging could be used for a) or b). For c), I was
briefly thinking about /subsystem=logging/*=*, but I thought that we
surely don't support that, so I didn't bother trying and directly went
to the 'children-only' attribute. I tried it now and indeed we don't
support .../*=* :-)

But if we had to support all of a), b) and c), a multi-valued attribute
like children=yes|no|only (or recursive=yes|no|children-only, I didn't
give it much thought) could work.

LT
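
Added example, not part of the original message and not WildFly code: a small matcher showing how cases a), b) and c) differ when an address is checked against a pattern such as /profile=*/subsystem=logging. The `children=yes|no|only` values follow the attribute floated above; the function names, and reading "children" as all descendants, are assumptions.

```python
# Added illustration. in_scope() and its helpers are hypothetical names,
# not WildFly APIs.

def parse_address(address):
    """Split '/profile=full/subsystem=logging' into [(key, value), ...]."""
    elements = []
    for part in address.strip("/").split("/"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"malformed address element: {part!r}")
        elements.append((key, value))
    return elements


def element_matches(pattern_el, address_el):
    """Compare one key=value pair; '*' is a wildcard for the value only."""
    (p_key, p_val), (a_key, a_val) = pattern_el, address_el
    return p_key == a_key and p_val in ("*", a_val)


def in_scope(pattern, address, children="yes"):
    """Decide whether address falls under pattern.

    children="no"   -> a) only the resource itself
    children="yes"  -> b) the resource and its children
    children="only" -> c) only the children, not the resource
    """
    if children not in ("yes", "no", "only"):
        raise ValueError(f"unknown children mode: {children!r}")
    pat, addr = parse_address(pattern), parse_address(address)
    # Compare element by element, so that 'logging' never matches
    # 'logging-extra' the way a raw string-prefix test would.
    if len(addr) < len(pat):
        return False
    if not all(element_matches(p, a) for p, a in zip(pat, addr)):
        return False
    is_resource_itself = len(addr) == len(pat)
    if children == "no":
        return is_resource_itself
    if children == "only":
        return not is_resource_itself
    return True
```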

