[jboss-jira] [JBoss JIRA] (WFCORE-5084) Why does the elytron layer bring in access control?

Darran Lofthouse (Jira) issues at jboss.org
Thu Aug 6 05:22:01 EDT 2020


    [ https://issues.redhat.com/browse/WFCORE-5084?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14360468#comment-14360468 ] 

Darran Lofthouse commented on WFCORE-5084:
------------------------------------------

[~brian.stansberry] +1, it looks like the management layers already bring it in. Its only purpose is to provide an RBAC mapping where local authentication is in use with the management interfaces, so it only has a meaning if the management interfaces are secured one way or another, so I think we can just remove it from the Elytron layer.

My test was web-server and reviewing the diff once elytron was added, there are no management interfaces in my set of layers so no need for the $local to SuperUser mapping.

> Why does the elytron layer bring in access control?
> ---------------------------------------------------
>
>                 Key: WFCORE-5084
>                 URL: https://issues.redhat.com/browse/WFCORE-5084
>             Project: WildFly Core
>          Issue Type: Task
>          Components: Build System, Management, Security
>            Reporter: Darran Lofthouse
>            Assignee: Darran Lofthouse
>            Priority: Major
>             Fix For: 13.0.0.Beta4
>
>
> The following shows the set of changes created by adding the elytron layer to a provisioned server:
> https://gist.github.com/darranl/68f4a3d60560dae9a9225ec1a0e35a9f/revisions
> This includes the following:
> {code:xml}
>     <management>
>         <access-control provider="simple">
>             <role-mapping>
>                 <role name="SuperUser">
>                     <include>
>                         <user name="$local"/>
>                     </include>
>                 </role>
>             </role-mapping>
>         </access-control>
>     </management>
> {code}
> Shouldn't this section be added if any form of authenticated management is added instead?



--
This message was sent by Atlassian Jira
(v7.13.8#713008)
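
The condition discussed in this thread can be checked against a provisioned configuration file. The following is an added example, not code from the issue or from the WildFly project: it reports which roles are mapped to `$local` and whether any management interface is defined. The function name, the verdict strings and the sample documents (including the placeholder namespace and the attribute-less `http-interface`) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def local_name(tag):
    """Drop the '{namespace}' prefix ElementTree adds to tag names."""
    return tag.rsplit("}", 1)[-1]

def descendants(elem, name):
    return [e for e in elem.iter() if local_name(e.tag) == name]

def audit_local_mapping(xml_text):
    """Find roles granted to $local and say whether a management interface exists."""
    root = ET.fromstring(xml_text)
    roles = []
    for mapping in descendants(root, "role-mapping"):
        for role in descendants(mapping, "role"):
            users = [u for inc in descendants(role, "include")
                     for u in descendants(inc, "user")]
            if any(u.get("name") == "$local" for u in users):
                roles.append(role.get("name"))
    interfaces = [local_name(i.tag)
                  for mi in descendants(root, "management-interfaces") for i in mi]
    if not roles:
        verdict = "no-local-mapping"
    elif interfaces:
        verdict = "mapping-in-use"
    else:
        verdict = "mapping-without-management-interface"
    return {"roles": roles, "interfaces": interfaces, "verdict": verdict}

# Constructed sample: the fragment from the issue inside a placeholder root,
# as provisioned with web-server + elytron (no management interfaces).
ACCESS_CONTROL = """<access-control provider="simple"><role-mapping>
  <role name="SuperUser"><include><user name="$local"/></include></role>
</role-mapping></access-control>"""
WEB_SERVER = ('<server xmlns="urn:example:constructed"><management>'
              + ACCESS_CONTROL + "</management></server>")
# Constructed sample: same mapping plus a management interface (attributes omitted).
WITH_MGMT = ('<server xmlns="urn:example:constructed"><management>'
             "<management-interfaces><http-interface/></management-interfaces>"
             + ACCESS_CONTROL + "</management></server>")

if __name__ == "__main__":
    for label, doc in (("web-server+elytron", WEB_SERVER), ("with management", WITH_MGMT)):
        print(label, audit_local_mapping(doc))
```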

