Brian Stansberry created WFCORE-1649:
----------------------------------------
Summary: RBAC constraint config modifications will fail in a mixed domain if
the modified constraint is not present in the legacy slave
Key: WFCORE-1649
URL:
https://issues.jboss.org/browse/WFCORE-1649
Project: WildFly Core
Issue Type: Bug
Components: Domain Management
Reporter: Brian Stansberry
Priority: Critical
Fix For: 3.0.0.Beta1
The management model for RBAC constraints is maintained using synthetic resources, with
resources only existing for those items (SensitivityClassification and
ApplicationClassification) that are registered in the current process. Operations that
touch classifications unknown to that process will fail due to missing resource problems.
This is a big problem in the following scenarios:
1) Mixed domain, where legacy slaves do not know about newly introduced classifications.
2) Slimming scenarios where slaves are ignoring unrelated parts of the domain wide config
and also don't have some extension installed, resulting in classifications registered
by those extensions not being present.
A partial workaround to 1) is for the kernel to register transformers for newly introduced
classifications (e.g. SERVER_SSL added in EAP 6.4.7 and EAP 7). But:
-- that doesn't help with problem 2)
-- only the kernel can register kernel transformers, so if extensions add new
classifications there is no way for them to register the transformer.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)