[
https://issues.jboss.org/browse/WFCORE-2349?page=com.atlassian.jira.plugi...
]
Brian Stansberry edited comment on WFCORE-2349 at 5/25/17 3:07 PM:
-------------------------------------------------------------------
Some discussion notes on this. The discussion reference to '2' and '3'
means software based on WildFly Core 2.x vs 3:
[11:25 AM] Darran Lofthouse: As we move to Elytron based SecurityIdentities as a
connection to a service is established we can call
SecurityIdentity.implies(org.jboss.ejb.client.RemoteEJBPermission) - we already have some
new permissions for some services. These permissions are granted in the default Elytron
config and also the legacy security realms grant all the permissions as there was no
permission check in 2. The Jira is to add a permission check for a remote management
connection and update the default Elytron config and legacy realms to grant the
permission.
[11:26 AM] Darran Lofthouse: Any users of 3 starting from the default config would be
better to know about these permissions today and have them in the default config
[12:54 PM] Brian Stansberry: @DarranLofthouse sorry; I got distracted. :( so this
isn't really a security manager permission, it's an extra server side
authorization check beyond simple 1) can the user authenticate and 2) RBAC checks
[12:55 PM] Brian Stansberry: that seems ok. I misinterpreted it before as a client side
security manager perm thing, where the client would pass that check and thereafter the
call would be privileged and the calling code would not need the misc remoting etc perms
[1:00 PM] Darran Lofthouse: @BrianStansberry +1 it is actually somewhere between #1 and #2
- do they have permission to connect to this specific service - so where all Remoting
services are available from a single Endpoint establishing a connection doesn't give
an automatic right to use anything (Unless they are using legacy security realms where we
do grant them all for compatibility)
[1:02 PM] Brian Stansberry: ah, good point; I never like
management-interface=<iforget> that used the subsystem endpoint because of that
problem
was (Author: brian.stansberry):
Some discussion notes on this:
[11:25 AM] Darran Lofthouse: As we move to Elytron based SecurityIdentities as a
connection to a service is established we can call
SecurityIdentity.implies(org.jboss.ejb.client.RemoteEJBPermission) - we already have some
new permissions for some services. These permissions are granted in the default Elytron
config and also the legacy security realms grant all the permissions as there was no
permission check in 2. The Jira is to add a permission check for a remote management
connection and update the default Elytron config and legacy realms to grant the
permission.
[11:26 AM] Darran Lofthouse: Any users of 3 starting from the default config would be
better to know about these permissions today and have them in the default config
[12:54 PM] Brian Stansberry: @DarranLofthouse sorry; I got distracted. :( so this
isn't really a security manager permission, it's an extra server side
authorization check beyond simple 1) can the user authenticate and 2) RBAC checks
[12:55 PM] Brian Stansberry: that seems ok. I misinterpreted it before as a client side
security manager perm thing, where the client would pass that check and thereafter the
call would be privileged and the calling code would not need the misc remoting etc perms
[1:00 PM] Darran Lofthouse: @BrianStansberry +1 it is actually somewhere between #1 and #2
- do they have permission to connect to this specific service - so where all Remoting
services are available from a single Endpoint establishing a connection doesn't give
an automatic right to use anything (Unless they are using legacy security realms where we
do grant them all for compatibility)
[1:02 PM] Brian Stansberry: ah, good point; I never like
management-interface=<iforget> that used the subsystem endpoint because of that
problem
Add RemoteManagementPermission and RemoteJMXPermission checks for
remote clients.
---------------------------------------------------------------------------------
Key: WFCORE-2349
URL:
https://issues.jboss.org/browse/WFCORE-2349
Project: WildFly Core
Issue Type: Enhancement
Components: Domain Management, Security
Reporter: Darran Lofthouse
Fix For: 3.0.0.Beta24
Other services such as EJB and transactions have a Remote*Permission to verify the remote
client has the required permission to use that service - this should be repeated for the
management related services to control what a remote client can and can not connect to.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)