[jboss-jira] [JBoss JIRA] (WFCORE-2633) Allow specification of "non-sensitive" values on an AttributeDefinition

Kabir Khan (JIRA) issues at jboss.org
Wed Apr 12 13:15:03 EDT 2017 

     [ https://issues.jboss.org/browse/WFCORE-2633?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kabir Khan updated WFCORE-2633:
-------------------------------
    Fix Version/s: 3.0.0.Beta16
                       (was: 3.0.0.Beta15)


> Allow specification of "non-sensitive" values on an AttributeDefinition 
> ------------------------------------------------------------------------
>
>                 Key: WFCORE-2633
>                 URL: https://issues.jboss.org/browse/WFCORE-2633
>             Project: WildFly Core
>          Issue Type: Enhancement
>          Components: Domain Management, Security
>            Reporter: Brian Stansberry
>            Assignee: Brian Stansberry
>             Fix For: 3.0.0.Beta16
>
>
> The RBAC system requires the user to be in a role with permissions to perform "security sensitive" actions in order to manipulate "defined" attributes with a sensitivity constraint applied. And "defined" in this case includes attributes that are not explicitly configured by the user but which have default values. But for attributes without default values that are left undefined, the non-sensitive roles are allowed to perform that action.
> The requirement here is to open this up such that certain "defined" values (explicitly configured or default) also are treated as non-sensitive.
> See WFCORE-8521 for an explicit example of this. If the datasource subsystem "elytron-enabled" attribute has a value of "false", and other related attributes are left undefined, that basically means there is no configuration set up for how the DS should authenticate to the DB. Such a setup is likely useless (since the DB most likely requires authentication) but in and of itself doesn't involve anything security sensitive on the WildFly side, so configuring false shouldn't be sensitive. It's analogous to leaving other related attributes like "username" and "password" undefined which in previous releases was considered to be non-sensitive.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

More information about the jboss-jira mailing list