[jboss-jira] [JBoss JIRA] (WFCORE-2349) Add RemoteManagementPermission and RemoteJMXPermission checks for remote clients.

Brian Stansberry (JIRA) issues at jboss.org
Thu May 25 15:06:00 EDT 2017


     [ https://issues.jboss.org/browse/WFCORE-2349?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brian Stansberry reassigned WFCORE-2349:
----------------------------------------

    Fix Version/s: 3.0.0.Beta24
                       (was: 4.0.0.Alpha1)
         Assignee:     (was: ehsavoie Hugonnet)


Some discussion notes on this:

[11:25 AM] Darran Lofthouse: As we move to Elytron based SecurityIdentities as a connection to a service is established we can call SecurityIdentity.implies(org.jboss.ejb.client.RemoteEJBPermission) - we already have some new permissions for some services.  These permissions are granted in the default Elytron config and also the legacy security realms grant all the permissions as there was no permission check in 2.  The Jira is to add a permission check for a remote management connection and update the default Elytron config and legacy realms to grant the permission.
[11:26 AM] Darran Lofthouse: Any users of 3 starting from the default config would be better to know about these permissions today and have them in the default config
    
[12:54 PM] Brian Stansberry: @DarranLofthouse sorry; I got distracted. :( so this isn't really a security manager permission, it's an extra server side authorization check beyond simple 1) can the user authenticate and 2) RBAC checks
[12:55 PM] Brian Stansberry: that seems ok. I misinterpreted it before as a client side security manager perm thing, where the client would pass that check and thereafter the call would be privileged and the calling code would not need the misc remoting etc perms

[1:00 PM] Darran Lofthouse: @BrianStansberry +1 it is actually somewhere between #1 and #2 - do they have permission to connect to this specific service - so where all Remoting services are available from a single Endpoint establishing a connection doesn't give an automatic right to use anything (Unless they are using legacy security realms where we do grant them all for compatibility)

[1:02 PM] Brian Stansberry: ah, good point; I never like management-interface=<iforget> that used the subsystem endpoint because of that problem

> Add RemoteManagementPermission and RemoteJMXPermission checks for remote clients.
> ---------------------------------------------------------------------------------
>
>                 Key: WFCORE-2349
>                 URL: https://issues.jboss.org/browse/WFCORE-2349
>             Project: WildFly Core
>          Issue Type: Enhancement
>          Components: Domain Management, Security
>            Reporter: Darran Lofthouse
>             Fix For: 3.0.0.Beta24
>
>
> Other services such as EJB and transactions have a Remote*Permission to verify the remote client has the required permission to use that service - this should be repeated for the management related services to control what a remote client can and cannot connect to.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)