[jboss-jira] [JBoss JIRA] (WFCORE-2325) User in any role can read sensitive configuration with RBAC enabled in domain
Jan Tymel (JIRA)
issues at jboss.org
Fri Feb 24 03:47:02 EST 2017
Jan Tymel created WFCORE-2325:
---------------------------------
Summary: User in any role can read sensitive configuration with RBAC enabled in domain
Key: WFCORE-2325
URL: https://issues.jboss.org/browse/WFCORE-2325
Project: WildFly Core
Issue Type: Bug
Components: Domain Management, Security
Reporter: Jan Tymel
Assignee: Brian Stansberry
Priority: Blocker
A user in any role can read sensitive configuration (e.g. authorization settings) with RBAC enabled in domain mode. If the user checks for assigned roles, SuperUser is always given as the result ({{"mapped-roles" => ["SuperUser"]}}) - see the result of step 12, no matter which roles should be mapped according to the configuration.
The user can then read any part of the configuration, e.g. the following command {{/core-service=management/access=authorization/role-mapping=SuperUser:read-resource(recursive)}} results in output similar to:
{code}
{
"outcome" => "success",
"result" => {
"include-all" => false,
"exclude" => undefined,
"include" => {
"user-$local" => {
"name" => "$local",
"realm" => undefined,
"type" => "USER"
},
"user-admin" => {
"name" => "admin",
"realm" => undefined,
"type" => "USER"
}
}
},
"response-headers" => {"process-state" => "reload-required"}
}
{code}
However, the user cannot add himself/herself to the SuperUser role; if the {{/core-service=management/access=authorization/role-mapping=SuperUser/include=user-user:add(name=user,type=USER)}} command is entered, the following output is given:
{code}
{
"outcome" => "failed",
"result" => undefined,
"failure-description" => {"WFLYDC0074: Operation failed or was rolled back on all servers. Server failures:" => {"server-group" => {
"main-server-group" => {"host" => {"dhcp-4-212.brq.redhat.com" => {"server-one" => "WFLYCTL0216: Management resource '[
(\"core-service\" => \"management\"),
(\"access\" => \"authorization\"),
(\"role-mapping\" => \"SuperUser\"),
(\"include\" => \"user-user\")
]' not found"}}},
"other-server-group" => {"host" => {"dhcp-4-212.brq.redhat.com" => {"server-two" => "WFLYCTL0216: Management resource '[
(\"core-service\" => \"management\"),
(\"access\" => \"authorization\"),
(\"role-mapping\" => \"SuperUser\"),
(\"include\" => \"user-user\")
]' not found"}}}
}}},
"rolled-back" => true,
"server-groups" => {
"main-server-group" => {"host" => {"dhcp-4-212.brq.redhat.com" => {"server-one" => {"response" => {
"outcome" => "failed",
"result" => undefined,
"failure-description" => "WFLYCTL0216: Management resource '[
(\"core-service\" => \"management\"),
(\"access\" => \"authorization\"),
(\"role-mapping\" => \"SuperUser\"),
(\"include\" => \"user-user\")
]' not found",
"rolled-back" => true,
"response-headers" => {"process-state" => "reload-required"}
}}}}},
"other-server-group" => {"host" => {"dhcp-4-212.brq.redhat.com" => {"server-two" => {"response" => {
"outcome" => "failed",
"result" => undefined,
"failure-description" => "WFLYCTL0216: Management resource '[
(\"core-service\" => \"management\"),
(\"access\" => \"authorization\"),
(\"role-mapping\" => \"SuperUser\"),
(\"include\" => \"user-user\")
]' not found",
"rolled-back" => true,
"response-headers" => {"process-state" => "reload-required"}
}}}}}
},
"response-headers" => {"process-state" => "reload-required"}
}
{code}
Therefore, a user in the Monitor role does not have the same rights as a user in the SuperUser role, since (s)he is missing (at least) the right to write. However, (s)he can see any part of the configuration.
This is a regression against 7.0.0.GA.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
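Added example (not part of the issue above and not WildFly's own code): a small Python parser for the "key" => value response notation quoted in the report, plus a check that turns the reported symptom into an assertion on a :whoami(verbose=true) answer. The layout of that whoami answer (an "identity" node next to "mapped-roles") is assumed from the reporter's mention of "mapped-roles" => ["SuperUser"]; the two whoami samples are constructed, while the role-mapping sample is the read-resource output quoted in the issue, reflowed onto fewer lines.

```python
"""Parse WildFly's "key" => value response text and check mapped roles."""
import re

# Tokens: quoted strings (backslash escapes, may span lines), the => separator,
# structural characters, bare words (undefined/true/false) and integers.
_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|=>|[{}\[\],]|[A-Za-z_$][\w$-]*|-?\d+L?')


class _Parser:
    def __init__(self, text):
        if _TOKEN.sub("", text).strip():  # anything not tokenizable is an error
            raise ValueError(f"unparseable input: {_TOKEN.sub('', text).strip()!r}")
        self.toks, self.i = _TOKEN.findall(text), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a value'}, got {tok!r}")
        self.i += 1
        return tok

    def value(self):
        if self.peek() == "{":
            return self.collection("{", "}", keyed=True)
        if self.peek() == "[":
            return self.collection("[", "]", keyed=False)
        tok = self.take()
        if tok.startswith('"'):  # undo the escapes WildFly emits inside strings
            return tok[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        if tok == "undefined":
            return None
        if tok in ("true", "false"):
            return tok == "true"
        if re.fullmatch(r"-?\d+L?", tok):  # longs are printed with an L suffix
            return int(tok.rstrip("L"))
        raise ValueError(f"unexpected token {tok!r}")

    def collection(self, opener, closer, keyed):
        """Parse {"k" => v, ...} into a dict or [v, ...] into a list."""
        self.take(opener)
        result = {} if keyed else []
        while self.peek() != closer:
            if keyed:
                key = self.value()
                self.take("=>")
                result[key] = self.value()
            else:
                result.append(self.value())
            if self.peek() == ",":
                self.take(",")
        self.take(closer)
        return result


def parse_dmr(text):
    parser = _Parser(text)
    result = parser.value()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token after response: {parser.peek()!r}")
    return result


def mapped_roles(whoami):
    """Roles the controller resolved for the caller of :whoami(verbose=true)."""
    if whoami.get("outcome") != "success":
        raise ValueError(f"whoami failed: {whoami.get('failure-description')!r}")
    return set(whoami["result"].get("mapped-roles") or [])


def unexpected_roles(whoami, expected_roles):
    """Roles granted beyond what the role-mapping configuration intends; a
    non-empty result for a user who should only be Monitor is the symptom."""
    return mapped_roles(whoami) - set(expected_roles)


def included_principals(role_mapping):
    """Principal names under a role-mapping resource's include children."""
    include = role_mapping["result"].get("include") or {}
    return {entry["name"] for entry in include.values()}


# Constructed samples; the identity/mapped-roles layout is an assumption about
# :whoami(verbose=true), not output taken from the issue.
WHOAMI_REGRESSION = """{"outcome" => "success", "result" => {
    "identity" => {"username" => "monitor", "realm" => "ManagementRealm"},
    "mapped-roles" => ["SuperUser"]}}"""
WHOAMI_EXPECTED = WHOAMI_REGRESSION.replace('["SuperUser"]', '["Monitor"]')

# Quoted from the issue: role-mapping=SuperUser:read-resource(recursive).
ROLE_MAPPING_SUPERUSER = """{
    "outcome" => "success",
    "result" => {"include-all" => false, "exclude" => undefined, "include" => {
        "user-$local" => {"name" => "$local", "realm" => undefined, "type" => "USER"},
        "user-admin" => {"name" => "admin", "realm" => undefined, "type" => "USER"}}},
    "response-headers" => {"process-state" => "reload-required"}
}"""
```

Feed the text that jboss-cli prints for :whoami(verbose=true) to parse_dmr and call unexpected_roles with the roles the configuration is supposed to grant; on a host showing the behaviour reported here the Monitor user comes back with {"SuperUser"}, on a healthy host the set is empty. The parser keeps strings with embedded newlines and escaped quotes intact, so the failed :add response quoted above parses as well.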