Re: [wildfly-dev] Automatically resolving expressions in the CLI

On 7/16/14, 1:21 PM, Brian Stansberry wrote: FYI, folks, Joe has done great work on this and has also been very patient! See [1] which I hope to merge in the next day or so. I was a bit off base in my last comment above. I don't actually want to bring the security vault into the resolution process. The really nice article on the vault by mentallurg at [2] outlines the theory of the vault nicely. The whole point is the expression can be publicly available, e.g. in the config file which might get passed around. But to learn a secret you must have access to the vault itself, and that is a carefully protected file. Allowing a remote management client to read the vault via this feature defeats the whole point. We don't let the existing :resolve-expression op do this. I don't think our security schemes are such that we can say that just because a user is an authorized WildFly admin (even an RBAC SuperUser) that they are privileged in the user organization to read their vault. This isn't a difficult issue to deal with though; a simple added commit on Joe's work takes care of it. [1] https://github.com/wildfly/wildfly-core/pull/192 [2] https://developer.jboss.org/docs/DOC-48166 -- Brian Stansberry Senior Principal Software Engineer JBoss by Red Hat