[jboss-jira] [JBoss JIRA] (WFCORE-3995) Deployer or Maintainer RBAC role unable to write datasource credential after setting sensitive-classification credential requires-write=false
Ilia Vassilev (Jira)
issues at jboss.org
Fri Apr 19 16:50:00 EDT 2019
[ https://issues.jboss.org/browse/WFCORE-3995?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ilia Vassilev updated WFCORE-3995:
----------------------------------
Labels: downstream_dependency (was: )
> Deployer or Maintainer RBAC role unable to write datasource credential after setting sensitive-classification credential requires-write=false
> ---------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-3995
> URL: https://issues.jboss.org/browse/WFCORE-3995
> Project: WildFly Core
> Issue Type: Bug
> Components: Management
> Affects Versions: 6.0.0.Alpha5
> Reporter: Chao Wang
> Assignee: Chao Wang
> Priority: Major
> Labels: downstream_dependency
> Fix For: 9.0.0.Beta3
>
>
> 1) Start the EAP in standalone or domain mode and connect to CLI and create a user with Deployer or Maintainer role
> ~~~
> - Create a user named "maintainer" using adduser.sh, then follow the steps below to add it to the Maintainer role
> /core-service=management/access=authorization/role-mapping=Maintainer:add()
> /core-service=management/access=authorization/role-mapping=Maintainer/include=maintainer:add(name=maintainer, type=user)
> /core-service=management/access=authorization:write-attribute(name=provider, value=rbac)
> reload
> ~~~
> 2) Apply application constraint to data-sources
> ~~~
> /core-service=management/access=authorization/constraint=application-classification/type=datasources/classification=data-source:write-attribute(name=configured-application,value=true)
> /core-service=management/access=authorization/constraint=application-classification/type=datasources/classification=xa-data-source:write-attribute(name=configured-application,value=true)
> ~~~
> 3) Set sensitivity-constraints to false for security credential requires-write
> ~~~
> /core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=credential:write-attribute(name=configured-requires-write,value=false)
> /core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=security-domain-ref:write-attribute(name=configured-requires-write,value=false)
> /core-service=management/access=authorization/constraint=sensitivity-classification/type=datasources/classification=data-source-security:write-attribute(name=configured-requires-write,value=false)
> /core-service=management/access=authorization/constraint=sensitivity-classification/type=datasources/classification=data-source-security:write-attribute(name=configured-requires-read,value=false)
> ~~~
> 4) Try to read / write the datasource's user-name and password:
> {code}
> [standalone at localhost:9990 /] /subsystem=datasources/data-source=ExampleDS:write-attribute(name=user-name, value=sa)
> {
> "outcome" => "failed",
> "result" => undefined,
> "failure-description" => "WFLYCTL0313: Unauthorized to execute operation 'write-attribute' for resource '[
> (\"subsystem\" => \"datasources\"),
> (\"data-source\" => \"ExampleDS\")
> ]' -- \"WFLYCTL0332: Permission denied\"",
> "rolled-back" => true
> }
> {code}
> {code}
> <access-control provider="rbac">
> <role-mapping>
> <role name="SuperUser">
> <include>
> <user name="$local"/>
> </include>
> </role>
> <role name="Maintainer">
> <include>
> <user alias="maintainer" name="maintainer"/>
> </include>
> </role>
> </role-mapping>
> <constraints>
> <sensitive-classifications>
> <sensitive-classification type="core" name="credential" requires-write="false"/>
> <sensitive-classification type="core" name="security-domain-ref" requires-write="false"/>
> <sensitive-classification type="datasources" name="data-source-security" requires-addressable="false" requires-read="false" requires-write="false"/>
> </sensitive-classifications>
> <application-classifications>
> <application-classification type="datasources" name="data-source" application="true"/>
> <application-classification type="datasources" name="xa-data-source" application="true"/>
> </application-classifications>
> </constraints>
> </access-control>
> {code}
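As an added check (not part of the report or of WildFly itself), the model below parses the `<constraints>` block above and evaluates, under WildFly's documented role semantics, whether each role should be permitted to write a data-source credential attribute once `requires-write` has been cleared; the report's point is that the server still answers `WFLYCTL0332: Permission denied` for Maintainer where this model expects the write to succeed. The mapping of `user-name`/`password` to the `credential` and `data-source-security` classifications is an assumption made for the example.

```python
import xml.etree.ElementTree as ET

# The <constraints> part of the <access-control> block from the report, used as input.
ACCESS_CONTROL_XML = """
<access-control provider="rbac">
  <constraints>
    <sensitive-classifications>
      <sensitive-classification type="core" name="credential" requires-write="false"/>
      <sensitive-classification type="core" name="security-domain-ref" requires-write="false"/>
      <sensitive-classification type="datasources" name="data-source-security"
          requires-addressable="false" requires-read="false" requires-write="false"/>
    </sensitive-classifications>
    <application-classifications>
      <application-classification type="datasources" name="data-source" application="true"/>
      <application-classification type="datasources" name="xa-data-source" application="true"/>
    </application-classifications>
  </constraints>
</access-control>
"""

# Documented WildFly role semantics (simplified): only Administrator and SuperUser may
# write attributes whose sensitivity classification still has requires-write=true.
SENSITIVE_WRITERS = {"Administrator", "SuperUser"}
CONFIG_WRITERS = SENSITIVE_WRITERS | {"Maintainer", "Deployer"}

# ASSUMPTION: data-source user-name/password carry these two sensitivity classifications.
CREDENTIAL_ATTR_CLASSIFICATIONS = [("core", "credential"), ("datasources", "data-source-security")]
DATA_SOURCE_APP_CLASSIFICATION = ("datasources", "data-source")

def load_constraints(xml_text):
    """Return (sensitive, application) maps keyed by (type, name). A missing requires-write
    means the classification's default, which is true for the classifications used here."""
    root = ET.fromstring(xml_text.strip())
    sensitive = {(e.get("type"), e.get("name")): e.get("requires-write", "true") == "true"
                 for e in root.iter("sensitive-classification")}
    application = {(e.get("type"), e.get("name")): e.get("application") == "true"
                   for e in root.iter("application-classification")}
    return sensitive, application

def write_allowed(role, classifications, app_key, sensitive, application):
    """Expected outcome of write-attribute for one role under the loaded constraints."""
    if role in SENSITIVE_WRITERS:
        return True
    if role not in CONFIG_WRITERS:
        return False
    if role == "Deployer" and not application.get(app_key, False):
        return False  # Deployer is confined to resources classified as application
    # Any classification that still requires write blocks Maintainer and Deployer.
    return not any(sensitive.get(key, True) for key in classifications)

def expected_decisions(xml_text=ACCESS_CONTROL_XML):
    """Expected write decision per role for the data-source credential attributes."""
    sensitive, application = load_constraints(xml_text)
    return {role: write_allowed(role, CREDENTIAL_ATTR_CLASSIFICATIONS,
                                DATA_SOURCE_APP_CLASSIFICATION, sensitive, application)
            for role in ("Monitor", "Deployer", "Maintainer", "Administrator")}
```

Dropping the `requires-write="false"` overrides from the input shows the default behaviour, where the same write is reserved to Administrator and SuperUser.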
--
This message was sent by Atlassian Jira
(v7.12.1#712002)