4 Replies Latest reply on Aug 3, 2018 7:51 AM by pmm

    Readonly Auditor Role

    pmm
    pmm Jul 31, 2018 1:37 PM

      We have a custom (legacy) server side LoginModule that needs to be able to flush the credential cache for a user on a login failure. We have this requirement because this came up in a security review. We achieve this by looking up the JMX bean for the security domain under the security bean and calling the fushCache method (see attachment).

      We are using the "rbac" access-control, not "simple". This has been working fine up until WildFly 12. Starting with WildFly 12 we need to give the the "anonymous" user the "Auditor" role (see also https://issues.jboss.org/browse/JBEAP-13845), otherwise the security domain JMX beans are not visible to the application. It seems as if the security domain JMX beans are now considered a sensitive resource. Unfortunately the "Auditor" role also has permissions to modify resources of administrative audit logging system (Role Based Access Control in WildFly 8 (Tech Tip #12) ). We would prefer to use a role that has only view and no modify permissions.

        • 1. Re: Readonly Auditor Role
          mchoma
          mchoma Aug 1, 2018 9:08 AM (in response to pmm)

          In jira you mentioned (JBEAP-13845), there is in workaround section written Monitor role should be enough. Could you have a try?

            • Actions
          • 2. Re: Readonly Auditor Role
            pmm
            pmm Aug 1, 2018 3:35 PM (in response to mchoma)

            mchoma  wrote:

             

            In jira you mentioned (JBEAP-13845), there is in workaround section written Monitor role should be enough. Could you have a try?

            The Monitor role is not enough, if I assign the Monitor role the mbeans for the security domains ("jaspitest", "jboss-ejb-policy", "jboss-web-policy", "other") under the "security" mbean will not be visible.

              • Actions
            • 3. Re: Readonly Auditor Role
              mchoma
              mchoma Aug 2, 2018 11:52 AM (in response to pmm)

              So what about tweak RBAC to let you call security domain jmx?

               

              E.g. does this makes it visible for Monitore role?

              /core-service=management/access=authorization/constraint=sensitivity-classification/type=security/classification=security-domain:write-attribute(name=requires-addressable,value=false)

              /core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=security-domain:write-attribute(name=requires-addressable,value=false)

               

              Because security-domain is defined as

                  "access-constraints" => {
                      "sensitive" => {"security-domain" => {"type" => "core"}},
                      "application" => {"security-domain" => {"type" => "security"}}
                  },
                • Actions
              • 4. Re: Readonly Auditor Role
                pmm
                pmm Aug 3, 2018 7:51 AM (in response to mchoma)

                mchoma  wrote:

                 

                So what about tweak RBAC to let you call security domain jmx?

                 

                E.g. does this makes it visible for Monitore role?

                /core-service=management/access=authorization/constraint=sensitivity-classification/type=security/classification=security-domain:write-attribute(name=requires-addressable,value=false)

                /core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=security-domain:write-attribute(name=requires-addressable,value=false)

                 

                Because security-domain is defined as

                    "access-constraints" => {
                        "sensitive" => {"security-domain" => {"type" => "core"}},
                        "application" => {"security-domain" => {"type" => "security"}}
                    },

                I get the following error message

                 

                $/core-service=management/access=authorization/constraint=sensitivity-classification/type=security/classification=security-domain:write-attribute(name=requires-addressable,value=false)

                {

                  "outcome" => "failed",

                  "failure-description" => "WFLYCTL0201: Unknown attribute 'requires-addressable'",

                  "rolled-back" => true

                }

                $/core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=security-domain:write-attribute(name=requires-addressable,value=false)

                {

                  "outcome" => "failed",

                  "failure-description" => "WFLYCTL0201: Unknown attribute 'requires-addressable'",

                  "rolled-back" => true

                }

                  • Actions