[jboss-jira] [JBoss JIRA] (WFLY-1980) Revisit priviledges for /core-service=management/access=authorization
Brian Stansberry (JIRA)
jira-events at lists.jboss.org
Sun Sep 15 13:47:03 EDT 2013
[ https://issues.jboss.org/browse/WFLY-1980?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brian Stansberry resolved WFLY-1980.
------------------------------------
Resolution: Done
Fixed by actually applying the constraint. Also, the constraint make "address" sensitive, which isn't ideal for /core-service=management/access=authorization but is appropriate for many sub-resources. IMO the non-ideal situation for the parent resource is minor, and the alternative of having separate a separate classification for the children is worse.
> Revisit priviledges for /core-service=management/access=authorization
> ---------------------------------------------------------------------
>
> Key: WFLY-1980
> URL: https://issues.jboss.org/browse/WFLY-1980
> Project: WildFly
> Issue Type: Sub-task
> Components: Domain Management
> Reporter: Heiko Braun
> Assignee: Brian Stansberry
> Fix For: 8.0.0.Beta1
>
>
> It seems the access control resources (/core-service=management/access=authorization) are addressable by the monitor role:
> {noformat}
> [standalone at localhost:9990 /] /core-service=management/access=authorization:read-resource(){roles=monitor}
> {
> "outcome" => "success",
> "result" => {
> "provider" => "simple",
> "use-realm-roles" => false,
> "constraint" => {
> "application-classification" => undefined,
> "sensitivity-classification" => undefined,
> "vault-expression" => undefined
> },
> "role-mapping" => {"SuperUser" => undefined}
> }
> }
> {noformat}
> I think it should be 'addressable=false' for anybody except SuperUser and Administrator
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jboss-jira
mailing list