[jboss-jira] [JBoss JIRA] (WFLY-2139) ProxyStepHandler/Controller need to check access before attempting to read information

RH Bugzilla Integration (JIRA) jira-events at lists.jboss.org
Wed Sep 25 10:24:02 EDT 2013 

    [ https://issues.jboss.org/browse/WFLY-2139?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12807346#comment-12807346 ] 

RH Bugzilla Integration commented on WFLY-2139:
-----------------------------------------------

Brian Stansberry <brian.stansberry at redhat.com> made a comment on [bug 1010672|https://bugzilla.redhat.com/show_bug.cgi?id=1010672]

A comment on the scope of this issue:

The specific console issue reported is a symptom of a somewhat larger problem that could affect other requests, which is why we pushed to fix it in ER3.

The general issue relates to certain operations that have the effect of internally executing multiple other operations and then aggregating their results. Examples:

/<anyaddresspath>/xyz=*:read-resource

/<anyaddresspath>:read-children-resources(child-type=xyz)

The latter in essence does the same thing as the former. Both determine a list of resources of type "xyz", execute :read-resource against each, and aggregate the results into an overall response.

One of the interesting challenges with RBAC is handling these requests, where for some resources of type=xyz a user may have permissions, while not having such permissions for others.

We had solved this problem for cases where all the operations execute on the same domain process (e.g. /profile=full/subsystem=*), but the call path that calls that involved multiple hosts (e.g. /host=*) traverse resulted in that solution being bypassed. This bug is about fixing this problem.

ER3 has a fix for it, but that fix has problems (see https://bugzilla.redhat.com/show_bug.cgi?id=1011994). We now have a simpler fix in place for WildFly.
                
> ProxyStepHandler/Controller need to check access before attempting to read information
> --------------------------------------------------------------------------------------
>
>                 Key: WFLY-2139
>                 URL: https://issues.jboss.org/browse/WFLY-2139
>             Project: WildFly
>          Issue Type: Sub-task
>          Components: Domain Management, Security
>            Reporter: Kabir Khan
>            Assignee: Kabir Khan
>             Fix For: 8.0.0.CR1
>
>
> This affects things like recursive :read-resource(-description) :read-children-resources and so on. The problem as it stands is that if you have, say, a host scoped role scoped to host=master, and there is also a slave host controller, and you try to :read-resource(recursive=true,proxies=true), the master will list the slave host controller in its list of child addresses. It will then execute /host=slave:read-resource(recursive=true,proxies=true), which will fail and roll back the tx since the master host scoped role does not have access to that resource.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list