Introduction to Role Based Administration in WildFly 8
5 likes2,812 views
This document discusses role-based administration in WildFly 8. It introduces the concept of assigning administrative users to predefined roles with different permissions to control access to server resources. Roles include Monitor, Operator, Maintainer, Deployer, Administrator, Auditor, and SuperUser. Sensitive resources can be annotated and access restricted based on roles. The role-based access control system provides more fine-grained access than the previous all-or-nothing model in JBoss AS7.
Introduction to Role Based Administration in WildFly 8
- 1. Geneva JUG, Aug 2014 Introduction to Role Based Administration in WildFly 8 Dimitris Andreadis JBoss EAP / WildFly Senior Engineering Manager Red Hat
- 2. Geneva JUG, Aug 2014 Agenda •Admin Access Control •Configuring Roles •Configuring Constraints
- 3. Geneva JUG, Aug 2014 WildFly v8 – Main Features •Java EE7 support •High Performance Web Server (Undertow) •Reduced Port Usage •Patching Infrastructure •Audit Logging •Role Based Administration
- 4. Geneva JUG, Aug 2014 Admin Access Control in AS7 •In JBoss AS7 authenticating with the management security realm provides full server control •All-or-nothing •Many users have more fine-grained requirements
- 5. Geneva JUG, Aug 2014 Roles based Admin in WF8 •Administrative users can be mapped to Roles •Role is set of Permissions •Permissions specify which Actions (lookup, read, write) are allowed on resources classified as: •Sensitive resource types, attributes, operations or data •Audit Resources •Application Resources
- 6. Geneva JUG, Aug 2014 Predefined Roles •Basic Administration •Monitor •Operator •Maintainer •Deployer •Elevated Privileges •Administrator •Auditor •Super User
- 7. Geneva JUG, Aug 2014 Monitor Role •Read Only Permissions •Runtime info: Read •Config info: Read •Sensitive info: No Access •Audit Log info: No Access •Browse server config and metrics Monitor R: r S: - C: r A: -
- 8. Geneva JUG, Aug 2014 •Based on Monitor Role •plus ability to modify Runtime state •reload/shutdown a server •pause/resume JMS queues •flush connection pools •… Operator R: rw Operator Role Monitor R: r S: - C: r A: -
- 9. Geneva JUG, Aug 2014 •Based on Operator Role •plus ability to modify configuration •deploy applications •setup datasources •setup JMS destinations •… Maintainer C: rw Operator R: rw Maintainer Role Monitor R: r S: - C: r A: -
- 10. Geneva JUG, Aug 2014 •Based on Maintainer Role •but constrained to managing application deployments •… Deployer D: rw Maintainer C: rw Operator R: rw Deployer Role Monitor R: r S: - C: r A: -
- 11. Geneva JUG, Aug 2014 •Based on Maintainer Role •can modify Sensitive information •still cannot access Audit Logging! •Setup the access control system •… Administrator S: rw Maintainer C: rw Operator R: rw Administrator Role Monitor R: r S: - C: r A: -
- 12. Geneva JUG, Aug 2014 •Based on Monitor Role •plus ability to manage Audit Logging •and read Sensitive configuration •setup Audit Logging •read users, passwords •… Auditor S: r A:rw Auditor Role Monitor R: r S: - C: r A: -
- 13. Geneva JUG, Aug 2014 SuperUser A: rw •Has all permissions •equivalent to an AS7 admin Administrator S: rw Maintainer C: rw Operator R: rw SuperUser Role Monitor R: r S: - C: r A: -
- 14. Geneva JUG, Aug 2014 Access Control Providers •“simple” •any authenticated admin has all privileges •consistent with AS 7 behavior •the default •“rbac” •users are mapped to roles •new in WF 8
- 15. Geneva JUG, Aug 2014 Security Realm Mapping Users to Roles User Role Group Access Control Provider
- 16. Geneva JUG, Aug 2014 Scoped Roles •New roles can be created based on the standard ones •With Additional Permissions for limiting write access •to certain Hosts (Host Scoped) •to certain Server Groups (Server Group Scoped)
- 17. Geneva JUG, Aug 2014 Sensitive Resources •Anything (resources, attributes, operations) that we want to restrict access for: •Addressing, Reading, Writing •Annotated with a sensitivity classification •System-wide (e.g. SOCKET_CONFIG) •Subsystem-scoped (e.g. JMS_SECURITY_SETTING)
- 18. Geneva JUG, Aug 2014 Sensitive Data •AS7/WildFly supports an external security vault for storing sensitive information (e.g. passwords)* •By default, attributes using the vault syntax are classified as sensitive for reading/writing The syntax to access the vault ${VAULT::VaultBlock::AttributeName::SharedKey} *Password Masking
- 19. Geneva JUG, Aug 2014 Application Resources •Main focus of the Deployer Role •to manage Deployments •Subsystems may annotate Application Resources •e.g. JMS destinations, Datasources •Additional Resource Types can be configured •but it applies to all Resources of that Type
- 20. Geneva JUG, Aug 2014 JMX Access Control •Same access control rules apply to the jboss.as & jboss.as.expr JMX domains •MBeans in other JMX domains can be marked Sensitive •Yes – access only for Administrator, SuperUser •No – Monitor, Auditor, Deployer can only read
- 21. Geneva JUG, Aug 2014 Future Directions •Custom Scoped Roles •Explicitly configure list or resources in scope •Use environmental data in role mapping, e.g. •time of day, day of week etc •whether incoming connection uses TLS •SPI and plug point for custom implementations •Delegate to a corporate XACML infrastructure
- 22. Geneva JUG, Aug 2014 Get Involved! www.wildfly.org community.jboss.org/en/wildfly #wildfly on irc.freenode.net dandreadis.blogspot.ch @dandreadis