[jboss-jira] [JBoss JIRA] (WFCORE-2633) Allow specification of "non-sensitive" values on an AttributeDefinition

[Brian Stansberry (JIRA)]

Brian Stansberry created WFCORE-2633:
----------------------------------------

             Summary: Allow specification of "non-sensitive" values on an AttributeDefinition 
                 Key: WFCORE-2633
                 URL: https://issues.jboss.org/browse/WFCORE-2633
             Project: WildFly Core
          Issue Type: Enhancement
          Components: Domain Management, Security
            Reporter: Brian Stansberry
            Assignee: Brian Stansberry
             Fix For: 3.0.0.Beta14


The RBAC system requires the user to be in a role with permissions to perform "security sensitive" actions in order to manipulate "defined" attributes with a sensitivity constraint applied. And "defined" in this case includes attributes that are not explicitly configured by the user but which have default values. But for attributes without default values that are left undefined, the non-sensitive roles are allowed to perform that action.

The requirement here is to open this up such that certain "defined" values (explicitly configured or default) also are treated as non-sensitive.

See WFCORE-8521 for an explicit example of this. If the datasource subsystem "elytron-enabled" attribute has a value of "false", and other related attributes are left undefined, that basically means there is no configuration set up for how the DS should authenticate to the DB. Such a setup is likely useless (since the DB most likely requires authentication) but in and of itself doesn't involve anything security sensitive on the WildFly side, so configuring false shouldn't be sensitive. It's analogous to leaving other related attributes like "username" and "password" undefined which in previous releases was considered to be non-sensitive.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)