Role Based Access Control (RBAC) is the ability to restrict access to system or certain portions of it to authorized users. For JBoss AS 7.x, the web-based administrative console had an all-or-nothing approach. This means user authenticated with management security realm will have all the privileges. This may not be appropriate for mission-critical deployments and a finer-grained control may be required. WildFly 8 introduces RBAC using different roles.
Purpose: This section explains how to configure and use RBAC for WildFly.
There are seven pre-defined roles in two different categories. First four roles are where users are locked out of sensitive data and the next three level roles where users are allowed to deal with sensitive data.
The pre-defined roles are explained below:
Role | Permissions |
---|---|
Monitor |
|
Operator |
|
Maintainer |
|
Deployer |
|
Administrator |
|
Auditor |
|
Super User |
|
By default, any user added to the management realm and not belonging to a group is in ``Super User'' role.
-
Start the server as standalone instance if not already running:
./bin/standalone.sh
-
Access Admin Console at http://localhost:9990/console. This prompts for authentication as shown:
Enter the user name `sheldon' and password `bazinga' (as created earlier). Admin console should look like:
This view shows:
-
A new `Administration' tab that allows to map users to roles. This will be done in a later section.
-
Information about the logged in user is shown on top-right as:
Notice the logged in user name is shown.
-
A user in `Super User'' role can act to run in any role by clicking on `Run as'. Click on `Run as' and select drop-down list box to see the list of available roles as:
-
Select the `Monitor' role and click on `Run As'.
The application has to be reloaded for changes to take effect. Click on `Confirm' to reload the application. After the reload, clicking on the user on top-right in admin console will display the selected role as `Run as Monitor' as shown:
-
Click on `Manage Deployments' and check that `Add', `Remove', and similar buttons are not present as shown:
-
Click on `Profile', `Data Sources' and check that all data sources are visible but not editable. This is identified by the fact that `Add', `Remove', and `Disable' buttons are not available as shown.
-
Click on `Administration' tab and make sure the user does not have access to it as shown:
-
-
Feel free to select other roles and observe how different options are enabled/disabled.
-
WildFly 8 comes with two access control providers:
-
`simple' provider, the default one, gives all privileges to any authenticated administrator. This provides compatibility with older releases.
-
`rbac' provider allows you to setup configuration that will map users to different roles.
-
Configure `rbac' access control provider by giving the following command:
jboss-cli.sh -c --command="/core-service=management/access=authorization:write-attribute(name=provider,value=rbac)"
This command will change authorization provider to ``rbac'' and will produce the output as:
{ "outcome" => "success", "response-headers" => { "operation-requires-reload" => true, "process-state" => "reload-required" } }
-
The server needs to be restarted as the authorization provider is changed. Give the following command to restart the server:
./bin/jboss-cli.sh -c --command="reload"
TipIf the server is running in managed domain then it can be restarted by additionally specifying --host=master
in the command.Check the server log to confirm server restarted, look for specific time stamps.
-
Any existing roles need to be explicitly mapped after the access control provider is changed. Map the user `sheldon' to the role `Super User' by giving the following command:
jboss-cli.sh -c --command="/core-service=management/access=authorization/role-mapping=SuperUser/include=user-sheldon:add(name=sheldon,type=USER)"
-
On top-right in admin console, click on the username and click on `Logout' and then `Confirm'.
-
Enter the login credentials again (username is `sheldon' and password is `bazinga') to login back into the admin console.
-
WildFly introduces the concept of ``groups'' in security realms. Users can be directly associated with a role, or can belong to a group and then a group can be associated with a role.
-
Add two users in different groups using
bin/adduser.sh
script-
Add first user in a group by giving the following command:
add-user.sh -u penny -p penny1 -g just4fun Added user 'penny' to file '/Users/arungupta/workspaces/wildfly/build/target/wildfly-8.0.0.Final-SNAPSHOT/standalone/configuration/mgmt-users.properties' Added user 'penny' to file '/Users/arungupta/workspaces/wildfly/build/target/wildfly-8.0.0.Final-SNAPSHOT/domain/configuration/mgmt-users.properties' Added user 'penny' with groups just4fun to file '/Users/arungupta/workspaces/wildfly/build/target/wildfly-8.0.0.Final-SNAPSHOT/standalone/configuration/mgmt-groups.properties' Added user 'penny' with groups just4fun to file '/Users/arungupta/workspaces/wildfly/build/target/wildfly-8.0.0.Final-SNAPSHOT/domain/configuration/mgmt-groups.properties'
-
Add another user in a different group by giving the following command:
add-user.sh -u leonard -p leonard1 -g geek Added user 'leonard' to file '/Users/arungupta/workspaces/wildfly/build/target/wildfly-8.0.0.Final-SNAPSHOT/standalone/configuration/mgmt-users.properties' Added user 'leonard' to file '/Users/arungupta/workspaces/wildfly/build/target/wildfly-8.0.0.Final-SNAPSHOT/domain/configuration/mgmt-users.properties' Added user 'leonard' with groups geek to file '/Users/arungupta/workspaces/wildfly/build/target/wildfly-8.0.0.Final-SNAPSHOT/standalone/configuration/mgmt-groups.properties' Added user 'leonard' with groups geek to file '/Users/arungupta/workspaces/wildfly/build/target/wildfly-8.0.0.Final-SNAPSHOT/domain/configuration/mgmt-groups.properties'
These commands creates the following users:
User Password Group penny
penny1
just4fun
leonard
leonard1
geek
Both users are added for standalone instance and managed domain.
-
-
Click on `Administration' tab to see an output as:
Previously assigned user/role mapping is already shown here.
-
Click on `Add' to assign a new role to user mapping. Type `penny' in `User' textbox and select `Monitor' role as shown:
Click on `Save'.
NoteMultiple roles may be assigned to each user. -
Assign `Administrator' role to user `leonard'. The updated admin console looks like as shown:
TipGroups, and thus all users in that group, can be assigned one or more roles by clicking on `GROUPS' tab.
-
Click on top-right and select `Logout' to log out of admin console. Login again by using the username `penny' and password `penny1'. Note that this user was assigned `Monitor' role.
-
Top-right of admin console shows the logged in user name.
Note that `Run as' is not available any more.
-
Click on `Manage Deployments' to see the output as shown:
This role permits only monitoring and `Add', `Remove', `En/Disable', and `Replace' buttons are not available.
-
Click on `Administration' tab to see a permissiond denied output as:
-
Click on top-right and select `Logout' to log out of admin console. Login again by using the username `leonard' and password `leonard1'. Note that this user was assigned `Administrator' role.
-
Top-right of admin console shows the logged in user name.
Note that `Run as' is not available any more.
-
Click on `Deployments' and confirm that new deployments can be added or existing can be replace, removed, enabled or disabled by the presence of buttons.
-
Click on `Administration' tab and confirm that all information is visible and editable.
CLI or `jboss-cli' can authenticate against local WildFly without prompting the user for a username and password. This mechanism only works if the user running the CLI has read access to the standalone/tmp/auth'' directory or
domain/tmp/auth'' folder under the respective WildFly installation. If the local mechanism fails then the CLI will fallback to prompting for a username and password.
Alternatively authentication can be forced by explicitly specifying user
and password
options.
-
Connect using `jboss-cli' using the following command:
jboss-cli.sh --user=penny --password=penny1 -c
Note that the user `penny' is in Monitor role.
-
Type
data-source
on the CLI console and TAB to see the following output:[standalone@localhost:9990 /] data-source --help flush-gracefully-connection-in-pool --name= flush-idle-connection-in-pool add flush-invalid-connection-in-pool disable read-resource enable remove flush-all-connection-in-pool test-connection-in-pool
Note that all commands and attributes, even those not permitted for Monitor role, are shown.
-
Try to add a new data source using the following command:
[standalone@localhost:9990 /] data-source add --name=testDataSource
This command gives the following error:
JBAS013456: Unauthorized to execute operation 'add' for resource '[ ("subsystem" => "datasources"), ("data-source" => "testDataSource") ]' -- "JBAS013475: Permission denied"
This is because `Monitor' role does not have permission to add data sources.
-
Type
exit
orquit
to exit out of CLI console. -
Edit
bin/jboss-cli.xml
and change the following element:<access-control>false</access-control>
to
<access-control>true</access-control>
This element filter out the command and attribute suggestions displayed based on user’s permissions.
-
Connect using `jboss-cli' using the following command:
./bin/jboss-cli.sh --user=penny --password=penny1 -c
-
Type
data-source
on the CLI console and TAB to see the following output:[standalone@localhost:9990 /] data-source --help --name= read-resource
Note that only permitted commands and attributes are shown.
TipTry some other commands and see which ones are accessible or not.