[jboss-jira] [JBoss JIRA] (WFCORE-2325) User in any role can read sensitive configuration with RBAC enable in domain
Jan Tymel (JIRA)
issues at jboss.org
Fri Feb 24 04:10:01 EST 2017
[ https://issues.jboss.org/browse/WFCORE-2325?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jan Tymel updated WFCORE-2325:
------------------------------
Security Sensitive Issue: This issue is security relevant
> User in any role can read sensitive configuration with RBAC enable in domain
> ----------------------------------------------------------------------------
>
> Key: WFCORE-2325
> URL: https://issues.jboss.org/browse/WFCORE-2325
> Project: WildFly Core
> Issue Type: Bug
> Components: Domain Management, Security
> Reporter: Jan Tymel
> Priority: Blocker
>
> A user in any role can read sensitive configuration (e.g. authorization settings) with RBAC enabled in domain mode. If the user checks the assigned roles, SuperUser is always returned ({{"mapped-roles" => ["SuperUser"]}}; see the result of step 12), no matter which roles should be mapped according to the configuration.
> The user can then read any part of the configuration; e.g. the following command {{/core-service=management/access=authorization/role-mapping=SuperUser:read-resource(recursive)}} results in output similar to:
> {code}
> {
> "outcome" => "success",
> "result" => {
> "include-all" => false,
> "exclude" => undefined,
> "include" => {
> "user-$local" => {
> "name" => "$local",
> "realm" => undefined,
> "type" => "USER"
> },
> "user-admin" => {
> "name" => "admin",
> "realm" => undefined,
> "type" => "USER"
> }
> }
> },
> "response-headers" => {"process-state" => "reload-required"}
> }
> {code}
> However, the user cannot add himself/herself to the SuperUser role; if the {{/core-service=management/access=authorization/role-mapping=SuperUser/include=user-user:add(name=user,type=USER)}} command is entered, the following output is given:
> {code}
> {
> "outcome" => "failed",
> "result" => undefined,
> "failure-description" => {"WFLYDC0074: Operation failed or was rolled back on all servers. Server failures:" => {"server-group" => {
> "main-server-group" => {"host" => {"dhcp-4-212.brq.redhat.com" => {"server-one" => "WFLYCTL0216: Management resource '[
> (\"core-service\" => \"management\"),
> (\"access\" => \"authorization\"),
> (\"role-mapping\" => \"SuperUser\"),
> (\"include\" => \"user-user\")
> ]' not found"}}},
> "other-server-group" => {"host" => {"dhcp-4-212.brq.redhat.com" => {"server-two" => "WFLYCTL0216: Management resource '[
> (\"core-service\" => \"management\"),
> (\"access\" => \"authorization\"),
> (\"role-mapping\" => \"SuperUser\"),
> (\"include\" => \"user-user\")
> ]' not found"}}}
> }}},
> "rolled-back" => true,
> "server-groups" => {
> "main-server-group" => {"host" => {"dhcp-4-212.brq.redhat.com" => {"server-one" => {"response" => {
> "outcome" => "failed",
> "result" => undefined,
> "failure-description" => "WFLYCTL0216: Management resource '[
> (\"core-service\" => \"management\"),
> (\"access\" => \"authorization\"),
> (\"role-mapping\" => \"SuperUser\"),
> (\"include\" => \"user-user\")
> ]' not found",
> "rolled-back" => true,
> "response-headers" => {"process-state" => "reload-required"}
> }}}}},
> "other-server-group" => {"host" => {"dhcp-4-212.brq.redhat.com" => {"server-two" => {"response" => {
> "outcome" => "failed",
> "result" => undefined,
> "failure-description" => "WFLYCTL0216: Management resource '[
> (\"core-service\" => \"management\"),
> (\"access\" => \"authorization\"),
> (\"role-mapping\" => \"SuperUser\"),
> (\"include\" => \"user-user\")
> ]' not found",
> "rolled-back" => true,
> "response-headers" => {"process-state" => "reload-required"}
> }}}}}
> },
> "response-headers" => {"process-state" => "reload-required"}
> }
> {code}
> Therefore, a user in the Monitor role does not have the same rights as a user in the SuperUser role, since (s)he is missing (at least) write rights. However, (s)he can see any part of the configuration.
> This is a regression against 7.0.0.GA.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
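The report above boils down to two observable symptoms: `:whoami(verbose=true)` maps a Monitor user to SuperUser, and a `read-resource` on the role-mapping resource succeeds where RBAC should reject it. As an added example (not part of the JIRA report and not WildFly's own code), the script below parses the DMR text the WildFly CLI prints and turns those two symptoms into an automated regression check. The CLI outputs embedded in it are constructed to match the shapes shown in the ticket; the denial message in the "good" sample is made up, not WildFly's wording. It assumes the documented standard-role rule that only Administrator, Auditor and SuperUser may read security-sensitive resources.

```python
"""Added example (not from the WFCORE-2325 report nor WildFly's code): parse the
DMR text the WildFly CLI prints and flag the two symptoms in the ticket for a
user who should hold only the Monitor role. Sample outputs are constructed."""
import json
import re

_STRING = re.compile(r'"(?:[^"\\]|\\.)*"')
_NUMBER = re.compile(r"-?\d+(?:\.\d+)?")
_WORD = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*")
_KEYWORDS = {"undefined": None, "true": True, "false": False}
# Assumption: WildFly's standard roles allowed to read security-sensitive data.
SENSITIVE_READERS = {"Administrator", "Auditor", "SuperUser"}


class DmrParser:
    """Recursive-descent parser for CLI DMR text: `"key" => value` objects,
    `[...]` lists, JSON-escaped strings, numbers, booleans and `undefined`."""

    def __init__(self, text):
        self.text, self.pos = text, 0

    def _peek(self, literal):
        while self.pos < len(self.text) and self.text[self.pos].isspace():
            self.pos += 1
        return self.text.startswith(literal, self.pos)

    def _expect(self, literal):
        if not self._peek(literal):
            raise ValueError(f"expected {literal!r} at offset {self.pos}")
        self.pos += len(literal)

    def parse(self):
        value = self._value()
        if not self._peek("") or self.pos != len(self.text):
            raise ValueError(f"trailing data at offset {self.pos}")
        return value

    def _value(self):
        if self._peek("{"):
            return self._container("{", "}", self._pair)
        if self._peek("["):
            return self._container("[", "]", self._value)
        for regex in (_STRING, _NUMBER, _WORD):
            m = regex.match(self.text, self.pos)
            if m:
                self.pos, token = m.end(), m.group()
                if regex is _STRING:
                    # DMR escapes match JSON's; strict=False tolerates raw newlines
                    return json.loads(token, strict=False)
                if regex is _NUMBER:
                    return float(token) if "." in token else int(token)
                if token in _KEYWORDS:
                    return _KEYWORDS[token]
                break
        raise ValueError(f"unexpected token at offset {self.pos}")

    def _pair(self):
        key = self._value()
        self._expect("=>")
        return key, self._value()

    def _container(self, open_, close, item):
        """Parse `open_ item, item, ... close`; dict for `{}`, list for `[]`."""
        self._expect(open_)
        items = []
        if not self._peek(close):
            items.append(item())
            while self._peek(","):
                self.pos += 1
                items.append(item())
        self._expect(close)
        return dict(items) if open_ == "{" else items


def parse_cli_output(text):
    return DmrParser(text).parse()


def mapped_roles(whoami_output):
    """Roles the server mapped the caller to, from :whoami(verbose=true)."""
    result = parse_cli_output(whoami_output).get("result") or {}
    return set(result.get("mapped-roles") or [])


def rbac_findings(expected_roles, whoami_output, read_resource_output):
    """Findings for a user who should hold only expected_roles: any extra
    mapped role, and a successful read of a sensitive resource."""
    findings = []
    extra = mapped_roles(whoami_output) - set(expected_roles)
    if extra:
        findings.append(f"unexpected mapped roles: {sorted(extra)}")
    read = parse_cli_output(read_resource_output)
    if read.get("outcome") == "success" and not SENSITIVE_READERS & set(expected_roles):
        findings.append("sensitive role-mapping resource readable by " + ",".join(expected_roles))
    return findings


# Constructed samples: what the ticket reports for a Monitor user ...
BUGGY_WHOAMI = """{
    "outcome" => "success",
    "result" => {"identity" => {"username" => "monitor"}, "mapped-roles" => ["SuperUser"]}
}"""
BUGGY_READ = """{
    "outcome" => "success",
    "result" => {"include-all" => false, "exclude" => undefined,
        "include" => {"user-admin" => {"name" => "admin", "realm" => undefined, "type" => "USER"}}},
    "response-headers" => {"process-state" => "reload-required"}
}"""
# ... and what correct RBAC should produce (denial text constructed, not WildFly's).
GOOD_WHOAMI = '{"outcome" => "success", "result" => {"mapped-roles" => ["Monitor"]}}'
GOOD_READ = """{
    "outcome" => "failed",
    "failure-description" => "Unauthorized to read '[(\\"access\\" => \\"authorization\\")]' (constructed)",
    "rolled-back" => true
}"""

if __name__ == "__main__":
    print("buggy:", rbac_findings(["Monitor"], BUGGY_WHOAMI, BUGGY_READ))
    print("fixed:", rbac_findings(["Monitor"], GOOD_WHOAMI, GOOD_READ))
```

In practice the two inputs would be captured by running `:whoami(verbose=true)` and the `read-resource` from the ticket through `jboss-cli.sh` as the Monitor-mapped user after each upgrade; an empty findings list is the expected result, and either finding reproduces the regression described above.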