[wildfly-dev] Pattern defined RBAC scoped roles

Yesterday afternoon I decided to scratch an itch I've had for a year. My scratching seems to work so I'm tossing the idea out to get feedback on whether it's wanted. Idea is to let users create scoped roles for WildFly's management RBAC feature that are based on address pattern matching. For example this role would create a role where a user has non-sensitive write permissions to resources in the logging subsystem, either on a DC or a server: <access-control provider="rbac"> <pattern-scoped-roles> <role name="logmaint" base-role="Maintainer"> <pattern regular-expression="(/profile=[^/]+)??/subsystem=logging(/.*)*"/> </role> </pattern-scoped-roles> .... </access-control> A role like this could be used when the server config is really meant to be locked down after boot, but you want to allow logging tweaks to get diagnostic data if necessary. A scoped role in our RBAC impl is one where the user gets the permissions of some other role if the target resource is considered "in scope", while if it's not they get lesser permissions (just non-sensitive read perms, or for some cases no perms at all.) What we have now are server group scoped roles and host scoped roles, where what's "in scope" is calculated based on a configurable list of server groups or hosts. This new type of scoped role instead does pattern matching of the target address against a configurable list of regular expressions. If there is no match the user gets non-sensitive read perms. There can be more than one pattern; a match against any means the scoping constraint is satisfied. The address matching is against the CLI-style representation of the target resource address. When authorizing JMX operations the match is against the canonical form of the ObjectName. JMX ops against the mbeans in the jboss.as[.expr] domains match against the CLI-style address of the management resource underlying the facade mbeans. I have this working, see [1]. Needs tests but it works with manual testing. [1] https://github.com/wildfly/wildfly-core/pull/1516 -- Brian Stansberry Senior Principal Software Engineer JBoss by Red Hat