Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-490 Domain Management Role Based Access Control
  3. WFLY-2317

Trying to remove a server group as a server-group-scoped role leaks information

XMLWordPrintable

      When writing a small test case for WFLY-2190, I stumbled upon a problem: trying to remove an existing server group by a server-group-scoped user that does NOT have permissions to that server group leaks information. On a freshly built WildFly with added admin user into domain/configuration/mgmt-users.properties, it can be reproduced like this:

      [1] ./bin/domain.sh
      [2] ./bin/jboss-cli.sh -c
          /core-service=management/access=authorization/server-group-scoped-role=NewRole:add(base-role=administrator, server-groups=[main-server-group])
          /core-service=management/access=authorization/role-mapping=NewRole:add
          /core-service=management/access=authorization/role-mapping=NewRole/include=user-admin:add(name=admin, type=user)
          /core-service=management/access=authorization:write-attribute(name=provider, value=rbac)
          exit
      [1] ^C
          ./bin/domain.sh
      [2] ./bin/jboss-cli.sh -c --user=admin --password=XXX
          /server-group=other-server-group:read-resource
          /server-group=other-server-group:remove
      

      What does that mean? The NewRole is scoped to the main-server-group server group and can't see other-server-group. When doing /server-group=other-server-group:read-resource, this is correctly enforced and the output looks like this:

      {
          "outcome" => "failed",
          "failure-description" => "JBAS014807: Management resource '[(\"server-group\" => \"other-server-group\")]' not found",
          "rolled-back" => true
      }
      

      However, trying to do /server-group=other-server-group:remove, which is only a different operation on the same resource, I get a different error message:

      {
          "outcome" => "failed",
          "failure-description" => {"domain-failure-description" => "JBAS013456: Unauthorized to execute operation 'remove' for resource '[(\"server-group\" => \"other-server-group\")]' -- \"JBAS013475: Permission denied\""},
          "rolled-back" => true
      }
      

      I expect the error message to be completely the same as in previous case, not leaking any information that the other-server-group actually exists.

            bstansbe@redhat.com Brian Stansberry
            lthon@redhat.com Ladislav Thon
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: