[wildfly-dev] Pattern defined RBAC scoped roles

Anil Saldanha anilsaldhana at gmail.com
Mon Apr 25 09:09:34 EDT 2016


The challenge with pattern based matching is that you provide access when you should not. Explicit definition of the grants is recommended.

So I support your thinking, Brian.

> On Apr 25, 2016, at 7:55 AM, Brian Stansberry <brian.stansberry at redhat.com> wrote:
> 
> Perhaps. I'm a bit bit reluctant to move away from something powerful 
> and standard to something custom. Mostly because it's hard to move the 
> other way in the future while remaining compatible. But your point is 
> well taken.
> 
> How would you propose discriminating these cases?
> 
> 1) /subsystem=messaging is not allowed but its children are.
> 
> 2) /subsystem=messaging and its children are.
> 
> We also need to think about ObjectName patterns, which are not 
> inherently hierarchical.
> 
>> On 4/23/16 1:38 AM, Ladislav Thon wrote:
>> I only have a single comment: writing a regular expression can sometimes
>> be a bit tricky. Just see the example you used:
>> 
>>> (/profile=[^/]+)??/subsystem=logging(/.*)*
>> 
>> It's also fairly easy to write a regular expression that doesn't quite
>> do what you want it to do, in some corner cases. Finally, some
>> well-crafted regular expressions have running time in years or more (at
>> least in the java.util.regex implementation).
>> 
>> This all leads me to believe that maybe regular expressions are not the
>> best choice.
>> 
>> Instead, I'm thinking about address prefixes. So the role would be
>> specified by a set of valid addresses (including the "*" wildcard), and
>> only the specified resources and all their children would be accessible.
>> 
>> I'm specifically not thinking about _textual_ prefix, so e.g. prefix of
>> /subsystem=messaging would give you access to the old messaging
>> subsystem, but it _wouldn't_ give you access to the new
>> /subsystem=messaging-activemq, even if /subsystem=messaging is a textual
>> prefix.
>> 
>> Granted, that's way less powerful than regular expressions, but also
>> easier and safer to use.
>> 
>> WDYT? Am I being too paranoid here?
>> 
>> LT
>> _______________________________________________
>> wildfly-dev mailing list
>> wildfly-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/wildfly-dev
> 
> 
> -- 
> Brian Stansberry
> Senior Principal Software Engineer
> JBoss by Red Hat
> _______________________________________________
> wildfly-dev mailing list
> wildfly-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/wildfly-dev



More information about the wildfly-dev mailing list