Jan Tymel updated WFCORE-2325:
------------------------------
Security Sensitive Issue: This issue is security relevant
User in any role can read sensitive configuration with RBAC enable in domain
----------------------------------------------------------------------------
Key: WFCORE-2325
URL: https://issues.jboss.org/browse/WFCORE-2325
Project: WildFly Core
Issue Type: Bug
Components: Domain Management, Security
Reporter: Jan Tymel
Priority: Blocker
A user in any role can read sensitive configuration (e.g. authorization settings) with RBAC enabled in domain mode. If the user checks their assigned roles, SuperUser is always returned ({{"mapped-roles" => ["SuperUser"]}}; see the result of step 12), no matter which roles should be mapped according to the configuration.
The user can then read any part of the configuration; e.g. the following command
{{/core-service=management/access=authorization/role-mapping=SuperUser:read-resource(recursive)}}
results in output similar to:
{code}
{
    "outcome" => "success",
    "result" => {
        "include-all" => false,
        "exclude" => undefined,
        "include" => {
            "user-$local" => {
                "name" => "$local",
                "realm" => undefined,
                "type" => "USER"
            },
            "user-admin" => {
                "name" => "admin",
                "realm" => undefined,
                "type" => "USER"
            }
        }
    },
    "response-headers" => {"process-state" => "reload-required"}
}
{code}
However, the user cannot add himself/herself to the SuperUser role; if the
{{/core-service=management/access=authorization/role-mapping=SuperUser/include=user-user:add(name=user,type=USER)}}
command is entered, the following output is given:
{code}
{
    "outcome" => "failed",
    "result" => undefined,
    "failure-description" => {"WFLYDC0074: Operation failed or was rolled back on all servers. Server failures:" => {"server-group" => {
        "main-server-group" => {"host" => {"dhcp-4-212.brq.redhat.com" => {"server-one" => "WFLYCTL0216: Management resource '[
    (\"core-service\" => \"management\"),
    (\"access\" => \"authorization\"),
    (\"role-mapping\" => \"SuperUser\"),
    (\"include\" => \"user-user\")
]' not found"}}},
        "other-server-group" => {"host" => {"dhcp-4-212.brq.redhat.com" => {"server-two" => "WFLYCTL0216: Management resource '[
    (\"core-service\" => \"management\"),
    (\"access\" => \"authorization\"),
    (\"role-mapping\" => \"SuperUser\"),
    (\"include\" => \"user-user\")
]' not found"}}}
    }}},
    "rolled-back" => true,
    "server-groups" => {
        "main-server-group" => {"host" => {"dhcp-4-212.brq.redhat.com" => {"server-one" => {"response" => {
            "outcome" => "failed",
            "result" => undefined,
            "failure-description" => "WFLYCTL0216: Management resource '[
    (\"core-service\" => \"management\"),
    (\"access\" => \"authorization\"),
    (\"role-mapping\" => \"SuperUser\"),
    (\"include\" => \"user-user\")
]' not found",
            "rolled-back" => true,
            "response-headers" => {"process-state" => "reload-required"}
        }}}}},
        "other-server-group" => {"host" => {"dhcp-4-212.brq.redhat.com" => {"server-two" => {"response" => {
            "outcome" => "failed",
            "result" => undefined,
            "failure-description" => "WFLYCTL0216: Management resource '[
    (\"core-service\" => \"management\"),
    (\"access\" => \"authorization\"),
    (\"role-mapping\" => \"SuperUser\"),
    (\"include\" => \"user-user\")
]' not found",
            "rolled-back" => true,
            "response-headers" => {"process-state" => "reload-required"}
        }}}}}
    },
    "response-headers" => {"process-state" => "reload-required"}
}
{code}
Therefore, a user in the Monitor role does not have the same rights as a user in the SuperUser role, since (s)he is missing (at least) write rights. However, (s)he can see any part of the configuration.
This is a regression against 7.0.0.GA.
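As an added regression check (not part of this issue or of WildFly Core), the following Python helper parses the text that the CLI prints for {{:whoami(verbose=true)}} and flags a user whose mapped roles do not match the role mapping the administrator configured. The DMR-to-JSON conversion and both sample outputs are constructed assumptions modelled on the {{"mapped-roles"}} snippet quoted above.

```python
import json
import re


def dmr_to_json(text):
    """Turn the CLI's DMR text (as printed by jboss-cli) into Python data.
    Assumption: only the subset used by :whoami is handled ("=>" separators,
    undefined, strings, booleans, lists, nested objects); values such as longs
    with an L suffix would need more work."""
    converted = text.replace("=>", ":")
    converted = re.sub(r"\bundefined\b", "null", converted)
    return json.loads(converted)


def check_mapped_roles(whoami_output, expected_roles):
    """Compare the roles the server actually mapped for the caller with the
    roles the administrator configured. Returns (ok, sorted mapped roles)."""
    response = dmr_to_json(whoami_output)
    if response.get("outcome") != "success":
        raise ValueError("whoami did not succeed: %r" % response)
    mapped = set(response["result"].get("mapped-roles", []))
    return mapped == set(expected_roles), sorted(mapped)


# Constructed sample: what an affected domain controller printed for an
# account that is mapped only to Monitor (shape follows the issue's snippet).
AFFECTED_OUTPUT = """{
    "outcome" => "success",
    "result" => {
        "identity" => {"username" => "monitor"},
        "mapped-roles" => ["SuperUser"]
    }
}"""

# Constructed sample: the output expected once role mapping is honoured.
FIXED_OUTPUT = """{
    "outcome" => "success",
    "result" => {
        "identity" => {"username" => "monitor"},
        "mapped-roles" => ["Monitor"]
    }
}"""

if __name__ == "__main__":
    for label, output in (("affected", AFFECTED_OUTPUT), ("fixed", FIXED_OUTPUT)):
        ok, mapped = check_mapped_roles(output, ["Monitor"])
        print("%s: %s, mapped roles %s" % (label, "OK" if ok else "MISMATCH", mapped))
```

Run it against the real output of {{:whoami(verbose=true)}} for each non-SuperUser management account; a MISMATCH for an account configured as Monitor reproduces the behaviour described in this issue.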