[keycloak-user] KEYCLOAK-1735 - possible to recategorise it as an urgent bug not enhancement?
sthorger at redhat.com
Fri Oct 23 01:52:08 EDT 2015
Sorry for late response, but this one ended up in my spam for some reason.
KEYCLOAK-1735 is not a bug, as by definition a bug is something that does not
work as designed. I agree with you that the approach is less than elegant,
which is why we have an outstanding issue to enhance this.
At some point we are going to redesign the admin permissions to provide
more fine grained control, which will make it possible to create admins
that can manage groups of users and/or roles. However, the way it works now
is that it's an all or nothing thing. End of the day though, if someone with
the manage-users role was prevented from making themselves an admin of
Keycloak, they would still have the power to make themselves an admin (or
the equivalent role) in your applications and in that way obtain full
permissions to all your business logic/data. So that's a permission you
should only give to a trusted individual in the first place. With that in
mind I disagree that this is really a vulnerability, but I appreciate that
the permission is too coarse for most.
On 13 October 2015 at 20:15, David Illsley <davidillsley at gmail.com> wrote:
> Hi all,
> KEYCLOAK-1735 describes that users with the 'manage-users' role can
> self-assign 'manage-realm', and gain substantial extra privileges.
> This behaviour came as a substantial surprise to me when I discovered it,
> and I suspect there are users out there who have vulnerabilities due to
> this unexpected behaviour.
> KEYCLOAK-1735 is currently marked as an enhancement, and while I can see
> that it might be substantial work to change this behaviour, I think it
> should be a priority to make the behaviour clear to users - probably
> through documentation, and possibly through renaming the role so that its
> expansive powers are clear.
> Is this a possibility? What's the best way to get this to happen?
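As an added example, not code from this thread or from the Keycloak project: a small audit over Keycloak admin events that flags grants of realm-management roles, in particular a user granting one to their own account, which is the escalation the thread describes. The field names used (operationType, resourceType, resourcePath, authDetails.userId, representation) are assumed to follow Keycloak's admin-event representation, and the event records are constructed.

```python
import json
import re

# Constructed sample admin-event records. Field names are an assumption about
# Keycloak's admin-event representation (with "include representation" enabled,
# the representation is a JSON string of the role list that was granted).
SAMPLE_EVENTS = [
    {"operationType": "CREATE", "resourceType": "CLIENT_ROLE_MAPPING",
     "resourcePath": "users/u-42/role-mappings/clients/c-realm-mgmt",
     "authDetails": {"userId": "u-42", "ipAddress": "10.0.0.5"},
     "representation": json.dumps([{"name": "manage-realm"}])},
    {"operationType": "CREATE", "resourceType": "CLIENT_ROLE_MAPPING",
     "resourcePath": "users/u-99/role-mappings/clients/c-realm-mgmt",
     "authDetails": {"userId": "u-42", "ipAddress": "10.0.0.5"},
     "representation": json.dumps([{"name": "view-users"}])},
    {"operationType": "CREATE", "resourceType": "CLIENT_ROLE_MAPPING",
     "resourcePath": "users/u-7/role-mappings/clients/c-realm-mgmt",
     "authDetails": {"userId": "u-1", "ipAddress": "10.0.0.9"},
     "representation": json.dumps([{"name": "manage-users"}])},
]

# Roles of the realm-management client that should only change through review.
PRIVILEGED_ROLES = {"realm-admin", "manage-realm", "manage-users",
                    "manage-clients", "manage-authorization", "impersonation"}

USER_PATH = re.compile(r"^users/([^/]+)/role-mappings/")


def flag_privileged_grants(events):
    """Return one finding per role-mapping CREATE that grants a privileged role,
    marking whether the acting admin granted it to their own account."""
    findings = []
    for ev in events:
        if ev.get("operationType") != "CREATE":
            continue
        if not ev.get("resourceType", "").endswith("ROLE_MAPPING"):
            continue
        match = USER_PATH.match(ev.get("resourcePath", ""))
        if not match:
            continue
        target = match.group(1)
        actor = ev.get("authDetails", {}).get("userId")
        try:
            roles = {r.get("name") for r in json.loads(ev.get("representation") or "[]")}
        except json.JSONDecodeError:
            roles = set()
        hits = roles & PRIVILEGED_ROLES
        if hits:
            findings.append({"actor": actor, "target": target,
                             "roles": sorted(hits), "self_grant": actor == target})
    return findings
```

Self-grant findings are the ones to alert on immediately; the remaining grants are worth a periodic review against who is expected to hold realm-management roles.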