]
Chao Wang moved JBEAP-15207 to WFCORE-3995:
-------------------------------------------
Project: WildFly Core (was: JBoss Enterprise Application Platform)
Key: WFCORE-3995 (was: JBEAP-15207)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: Management
(was: Management)
Affects Version/s: 6.0.0.Alpha5
(was: 7.1.3.GA)
Deployer or Maintainer RBAC role unable to write datasource
credential after setting sensitive-classification credential requires-write=false
---------------------------------------------------------------------------------------------------------------------------------------------
Key: WFCORE-3995
URL:
https://issues.jboss.org/browse/WFCORE-3995
Project: WildFly Core
Issue Type: Bug
Components: Management
Affects Versions: 6.0.0.Alpha5
Reporter: Chao Wang
Assignee: Chao Wang
1) Start the EAP in standalone or domain mode and connect to CLI and create a user with
Deployer or Maintainer role
~~~
- Create a user named "maintainer" using adduser.sh, then follow below steps to
add it to the maintainer role
/core-service=management/access=authorization/role-mapping=Maintainer:add()
/core-service=management/access=authorization/role-mapping=Maintainer/include=maintainer:add(name=maintainer,
type=user)
/core-service=management/access=authorization:write-attribute(name=provider,
value=rbac)
reload
~~~
2) Apply application constraint to data-sources
~~~
/core-service=management/access=authorization/constraint=application-classification/type=datasources/classification=data-source:write-attribute(name=configured-application,value=true)
/core-service=management/access=authorization/constraint=application-classification/type=datasources/classification=xa-data-source:write-attribute(name=configured-application,value=true)
~~~
3) Set sensitivity-constraints to false for security credential requires-write
~~~
/core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=credential:write-attribute(name=configured-requires-write,value=false)
/core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=security-domain-ref:write-attribute(name=configured-requires-write,value=false)
/core-service=management/access=authorization/constraint=sensitivity-classification/type=datasources/classification=data-source-security:write-attribute(name=configured-requires-write,value=false)
/core-service=management/access=authorization/constraint=sensitivity-classification/type=datasources/classification=data-source-security:write-attribute(name=configured-requires-read,value=false)
~~~
4) Try to read / write the datasource's user-name and password:
{code}
[standalone@localhost:9990 /]
/subsystem=datasources/data-source=ExampleDS:write-attribute(name=user-name, sa)
{
"outcome" => "failed",
"result" => undefined,
"failure-description" => "WFLYCTL0313: Unauthorized to execute
operation 'write-attribute' for resource '[
(\"subsystem\" => \"datasources\"),
(\"data-source\" => \"ExampleDS\")
]' -- \"WFLYCTL0332: Permission denied\"",
"rolled-back" => true
}
{code}
{code}
<access-control provider="rbac">
<role-mapping>
<role name="SuperUser">
<include>
<user name="$local"/>
</include>
</role>
<role name="Maintainer">
<include>
<user alias="maintainer"
name="maintainer"/>
</include>
</role>
</role-mapping>
<constraints>
<sensitive-classifications>
<sensitive-classification type="core"
name="credential" requires-write="false"/>
<sensitive-classification type="core"
name="security-domain-ref" requires-write="false"/>
<sensitive-classification type="datasources"
name="data-source-security" requires-addressable="false"
requires-read="false" requires-write="false"/>
</sensitive-classifications>
<application-classifications>
<application-classification type="datasources"
name="data-source" application="true"/>
<application-classification type="datasources"
name="xa-data-source" application="true"/>
</application-classifications>
</constraints>
</access-control>
{code}