[jboss-jira] [JBoss JIRA] (WFLY-1838) Authorisation decision filtered vs. read-only
Brian Stansberry (JIRA)
jira-events at lists.jboss.org
Tue Aug 6 18:33:26 EDT 2013
[ https://issues.jboss.org/browse/WFLY-1838?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12795474#comment-12795474 ]
Brian Stansberry commented on WFLY-1838:
----------------------------------------
Sorry, I didn't focus heavily on true vs false in Question 2. But I wisely deferred to Kabir!
A couple points re:
"2) a) If an attribute's access is sensitive it will not appear in either read-resource-description or read-resource."
We decided to use the term "address" instead of "access" (verb form, emphasis on the 2nd syllable), since really what's sensitive is the ability to address a resource and thus determine its address (noun form, emphasis on the first syllable).
More important, let's just formally ban the notion that it's possible to make an attribute or operation non-addressable. The data being protected is the dynamic data in a resource address. Static data like address and operation names can always be obtained by looking at code or starting an empty system with RBAC disabled.
Re 2) c), yes that is correct, a read-resource response tells you nothing about whether an attribute is writable. I'm not opposed to disallowing writes if reads aren't allowed though, if it makes it easier for the console.
> Authorisation decision filtered vs. read-only
> ---------------------------------------------
>
> Key: WFLY-1838
> URL: https://issues.jboss.org/browse/WFLY-1838
> Project: WildFly
> Issue Type: Clarification
> Components: Domain Management
> Reporter: Heiko Braun
> Assignee: Brian Stansberry
>
> When I look at datasources for example, I can see a difference between :read-resource-description(access-control=true) and the output of :read-resource(){roles=monitor}.
> The first doesn't contain constraints for "security-domain", but the latter indicates them as being filtered (access-control response header).
> First question: Is this a bug?
> Second and more general question: Will all filtered attributes be presented as "read=false" & "write=false"?