[wildfly-dev] Pattern defined RBAC scoped roles
Brian Stansberry
brian.stansberry at redhat.com
Fri Apr 22 11:10:49 EDT 2016
Yesterday afternoon I decided to scratch an itch I've had for a year. My
scratching seems to work so I'm tossing the idea out to get feedback on
whether it's wanted.
Idea is to let users create scoped roles for WildFly's management RBAC
feature that are based on address pattern matching. For example this
role would create a role where a user has non-sensitive write
permissions to resources in the logging subsystem, either on a DC or a
server:
<access-control provider="rbac">
<pattern-scoped-roles>
<role name="logmaint" base-role="Maintainer">
<pattern
regular-expression="(/profile=[^/]+)??/subsystem=logging(/.*)*"/>
</role>
</pattern-scoped-roles>
....
</access-control>
A role like this could be used when the server config is really meant to
be locked down after boot, but you want to allow logging tweaks to get
diagnostic data if necessary.
A scoped role in our RBAC impl is one where the user gets the
permissions of some other role if the target resource is considered "in
scope", while if it's not they get lesser permissions (just
non-sensitive read perms, or for some cases no perms at all.)
What we have now are server group scoped roles and host scoped roles,
where what's "in scope" is calculated based on a configurable list of
server groups or hosts. This new type of scoped role instead does
pattern matching of the target address against a configurable list of
regular expressions. If there is no match the user gets non-sensitive
read perms.
There can be more than one pattern; a match against any means the
scoping constraint is satisfied.
The address matching is against the CLI-style representation of the
target resource address. When authorizing JMX operations the match is
against the canonical form of the ObjectName. JMX ops against the mbeans
in the jboss.as[.expr] domains match against the CLI-style address of
the management resource underlying the facade mbeans.
I have this working, see [1]. Needs tests but it works with manual testing.
[1] https://github.com/wildfly/wildfly-core/pull/1516
--
Brian Stansberry
Senior Principal Software Engineer
JBoss by Red Hat
More information about the wildfly-dev
mailing list