Access Control - Role Mapping / Assignment - Configuration and Model.

Version 1

    The following is an example from the standalone.xml configuration to define user and group to role assignment within WildFly.

     

     

    <access-control>
      <role-mapping use-realm-roles="true">
        <role name="Monitor">
          <include>
            <user realm="ManagementRealm" name="UserOne" />
            <group realm="ApplicationRealm" name="GroupOne" />
          </include>
          <exclude>
            <user realm="ManagementRealm" name="UserTwo" />
            <group realm="ApplicationRealm" name="GroupTwo" />
          </exclude>
        </role>
        <role name="Operator">
          <include>
            <user name="UserThree" />
            <group name="GroupThree" />
          </include>
        </role>
        <role name="Maintainer">
          <exclude>
            <user name="UserFour" />
            <group name="GroupFour" />
          </exclude>
      </role>
    </access-control>
    
    

     

    This is closely related to the security realm configuration: -

     

    <security-realm name="ManagementRealm">
      <authentication>
        <local default-user="$local"/>
        <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
      </authentication>
      <authorization map-groups-to-roles="false">
        <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
      </authorization>
    </security-realm>
    

     

    Within the security realm is a new attribute 'map-groups-to-roles', the stores defined in the <authorization/> element load group information for the authenticated user, the map-groups-to-roles attribute allows for these groups to be assumed to be a 1:1 relationship of roles.

     

    Secondly within the <access-control><role-mapping> element there is the option 'use-realm-roles' - this enables using those roles mapped by the security realm directly for domain management access control decisions taking the following into account.

     

    A user is assigned a role provided the following conditions are met: -

                            A user is added to a role if any of the following are true: -

                              1 - The realm has assigned the user to role AND use-realm-roles is set to true.

                              2 - The user is a member of a group listed in the includes element.

                              3 - The user is explicitly listed in the includes element.

                            AND neither of the following are true: -

                              1 - The user is a member of a group listed in the excludes element.

                              2 - The user is explicitly listed in the groups element.

    i.e. Any excludes definition takes priority over any includes definition.

     

    Also note that within the include and exclude definitions that the realm attribute is optional, this is currently supported as different management interfaces could be defined with different realms used for authentication.

     

    These definitions are visible in the domain model as: -

     

    [standalone@localhost:9990 /] ./core-service=management:read-resource(recursive=true)
    {
        "outcome" => "success",
        "result" => {
            "access" => {"authorization" => {
                "provider" => "simple",
                "use-realm-roles" => "true",
                "role-mapping" => {
                    "Monitor" => {
                        "exclude" => {
                            "user-UserTwo@ManagementRealm" => {
                                "name" => "UserTwo",
                                "realm" => "ManagementRealm",
                                "type" => "user"
                            },
                            "group-GroupTwo@ApplicationRealm" => {
                                "name" => "GroupTwo",
                                "realm" => "ApplicationRealm",
                                "type" => "group"
                            }
                        },
                        "include" => {
                            "user-UserOne@ManagementRealm" => {
                                "name" => "UserOne",
                                "realm" => "ManagementRealm",
                                "type" => "user"
                            },
                            "group-GroupOne@ApplicationRealm" => {
                                "name" => "GroupOne",
                                "realm" => "ApplicationRealm",
                                "type" => "group"
                            }
                        }
                    },
                    "Operator" => {
                        "exclude" => undefined,
                        "include" => {
                            "user-UserThree" => {
                                "name" => "UserThree",
                                "realm" => undefined,
                                "type" => "user"
                            },
                            "group-GroupThree" => {
                                "name" => "GroupThree",
                                "realm" => undefined,
                                "type" => "group"
                            }
                        }
                    },
                    "Maintainer" => {
                        "exclude" => {
                            "user-UserFour" => {
                                "name" => "UserFour",
                                "realm" => undefined,
                                "type" => "user"
                            },
                            "group-GroupFour" => {
                                "name" => "GroupFour",
                                "realm" => undefined,
                                "type" => "group"
                            }
                        },
                        "include" => undefined
                    }
                }
            }},
            "security-realm" => {
                "ManagementRealm" => {
                    "map-groups-to-roles" => false,
                    "authentication" => {
                        "local" => {
                            "allowed-users" => undefined,
                            "default-user" => "$local"
                        },
                        "properties" => {
                            "path" => "mgmt-users.properties",
                            "plain-text" => false,
                            "relative-to" => "jboss.server.config.dir"
                        }
                    },
                    "authorization" => {"properties" => {
                        "path" => "mgmt-groups.properties",
                        "relative-to" => "jboss.server.config.dir"
                    }},
                    "plug-in" => undefined,
                    "server-identity" => undefined
                },
            }
        }
    }