[jboss-jira] [JBoss JIRA] (WFCORE-1497) RBAC roles scoped to addresses that match a regex
Brian Stansberry (JIRA)
issues at jboss.org
Thu Apr 21 18:31:00 EDT 2016
Brian Stansberry created WFCORE-1497:
----------------------------------------
Summary: RBAC roles scoped to addresses that match a regex
Key: WFCORE-1497
URL: https://issues.jboss.org/browse/WFCORE-1497
Project: WildFly Core
Issue Type: Feature Request
Components: Domain Management
Reporter: Brian Stansberry
Assignee: Brian Stansberry
Host scoped roles and server group scoped roles work via a constraint that checks the address being manipulated against a calculated group of allowed addresses. That calculation is complex in the server group and host cases to account for the complex semantics of those kinds of scoping while requiring very little config from the user, but we could also have a similar kind of scoping that requires more config from the user but is also more flexible. The user configures one or more regex strings, and any address (or canonical mbean object name) that matches meets the constraint.
Example, a "log-maintainer" role that gets Maintainer privileges for the logging subsystem but is Monitor for everything else:
{code}
<pattern-scoped-role name="log-maintainer" base-role="Maintainer">
    <patterns>
        <!-- For domain controller -->
        <pattern value="/profile=*/subsystem=logging*"/>
        <!-- For servers -->
        <pattern value="/subsystem=logging*"/>
    </patterns>
</pattern-scoped-role>
{code}
I use logging as an example as it's a use case I can imagine easily enough -- a server is largely locked down but tweaks to logging are allowed to allow diagnostic data to be gathered.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
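How the two patterns in the request would decide the effective role, as an added example that is not WildFly code and not part of the original message. The issue does not define the pattern syntax, so the semantics here are assumptions: a trailing `*` matches the rest of the address, any other `*` stays within one address element, and the whole address must match. The sample addresses and the tightened pattern list are constructed.

```python
import re

# Patterns copied from the <pattern-scoped-role> example in the issue.
AS_PROPOSED = ["/profile=*/subsystem=logging*", "/subsystem=logging*"]
# Tightened variant (constructed here): exact resource plus its children only.
TIGHTENED = [
    "/profile=*/subsystem=logging", "/profile=*/subsystem=logging/*",
    "/subsystem=logging", "/subsystem=logging/*",
]

def compile_pattern(pattern):
    """Translate one pattern into a regex (assumed semantics, see lead-in)."""
    trailing = pattern.endswith("*")
    body = pattern[:-1] if trailing else pattern
    # Every '*' inside the body stays within one address element.
    regex = "[^/]*".join(re.escape(part) for part in body.split("*"))
    return re.compile(regex + (".*" if trailing else ""))

def effective_role(patterns, address, base_role="Maintainer"):
    """Base role if the whole address matches a pattern, otherwise Monitor."""
    # fullmatch anchors both ends; search() would also accept addresses that
    # merely contain the pattern somewhere.
    if any(compile_pattern(p).fullmatch(address) for p in patterns):
        return base_role
    return "Monitor"

# Constructed sample addresses; "logging-audit" is a made-up sibling subsystem.
SAMPLES = [
    "/subsystem=logging",
    "/subsystem=logging/logger=com.example",
    "/profile=full/subsystem=logging/root-logger=ROOT",
    "/subsystem=datasources/data-source=ExampleDS",
    "/subsystem=logging-audit",
    "/host=master/server=one/subsystem=logging",
]

def compare(samples=SAMPLES):
    """Map each address to (role as proposed, role with tightened patterns)."""
    return {a: (effective_role(AS_PROPOSED, a), effective_role(TIGHTENED, a))
            for a in samples}

if __name__ == "__main__":
    for address, roles in compare().items():
        print(f"{address:50} {roles[0]:10} {roles[1]}")
```

Under these assumptions the trailing `logging*` also grants Maintainer on any resource whose name merely starts with "logging", which the tightened list avoids by separating the exact resource from its children.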