[wildfly-dev] Pattern defined RBAC scoped roles

Brian Stansberry brian.stansberry at redhat.com
Fri Apr 22 11:10:49 EDT 2016 

Yesterday afternoon I decided to scratch an itch I've had for a year. My 
scratching seems to work so I'm tossing the idea out to get feedback on 
whether it's wanted.

Idea is to let users create scoped roles for WildFly's management RBAC 
feature that are based on address pattern matching. For example this 
role would create a role where a user has non-sensitive write 
permissions to resources in the logging subsystem, either on a DC or a 
server:

<access-control provider="rbac">
   <pattern-scoped-roles>
     <role name="logmaint" base-role="Maintainer">
       <pattern 
regular-expression="(/profile=[^/]+)??/subsystem=logging(/.*)*"/>
     </role>
    </pattern-scoped-roles>
             ....
</access-control>

A role like this could be used when the server config is really meant to 
be locked down after boot, but you want to allow logging tweaks to get 
diagnostic data if necessary.

A scoped role in our RBAC impl is one where the user gets the 
permissions of some other role if the target resource is considered "in 
scope", while if it's not they get lesser permissions (just 
non-sensitive read perms, or for some cases no perms at all.)

What we have now are server group scoped roles and host scoped roles, 
where what's "in scope" is calculated based on a configurable list of 
server groups or hosts. This new type of scoped role instead does 
pattern matching of the target address against a configurable list of 
regular expressions. If there is no match the user gets non-sensitive 
read perms.

There can be more than one pattern; a match against any means the 
scoping constraint is satisfied.

The address matching is against the CLI-style representation of the 
target resource address. When authorizing JMX operations the match is 
against the canonical form of the ObjectName. JMX ops against the mbeans 
in the jboss.as[.expr] domains match against the CLI-style address of 
the management resource underlying the facade mbeans.

I have this working, see [1]. Needs tests but it works with manual testing.

[1] https://github.com/wildfly/wildfly-core/pull/1516

-- 
Brian Stansberry
Senior Principal Software Engineer
JBoss by Red Hat

More information about the wildfly-dev mailing list