主页
产品
Red Hat JBoss Enterprise Application Platform
6.2
安全指南
11.8.2. 启用基于角色的访问控制

11.8.2. 启用基于角色的访问控制

在默认情况下，RBAC 是被禁用的。将提供者属性从 simple 修改为 rbac 就可以启用它。你可以用 jboss-cli.sh 工具来完成，或者当服务器下线时编辑服务器配置 XML 文件。如果在运行的服务器上禁用或启用 RBAC，在生效前必须重载服务器配置。

启用后，它只能由具有 Administrator 或 SuperUser 角色的用户禁用。在默认情况下，如果jboss-cli.sh 运行在和服务器相同的主机上，它是以 SuperUser 角色运行的。

过程 11.1. 启用 RBAC

要用 jboss-cli.sh 启用 RBAC，请使用访问授权资源的 write-attribute 操作来设置提供者的属性为 rbac。

/core-service=management/access=authorization:write-attribute(name=provider, value=rbac)

/core-service=management/access=authorization:write-attribute(name=provider, value=rbac)

Copy to Clipboard

Toggle word wrap

[standalone@localhost:9999 /] /core-service=management/access=authorization:write-attribute(name=provider, value=rbac)
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
[standalone@localhost:9999 /] /:reload
{
    "outcome" => "success",
    "result" => undefined
}
[standalone@localhost:9999 /]

[standalone@localhost:9999 /] /core-service=management/access=authorization:write-attribute(name=provider, value=rbac)
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
[standalone@localhost:9999 /] /:reload
{
    "outcome" => "success",
    "result" => undefined
}
[standalone@localhost:9999 /]

Copy to Clipboard

Toggle word wrap

过程 11.2. 禁用 RBAC

要用 jboss-cli.sh 禁用 RBAC，请使用访问授权资源的 write-attribute 操作来设置提供者的属性为 simple。

/core-service=management/access=authorization:write-attribute(name=provider, value=simple)

/core-service=management/access=authorization:write-attribute(name=provider, value=simple)

Copy to Clipboard

Toggle word wrap

[standalone@localhost:9999 /] /core-service=management/access=authorization:write-attribute(name=provider, value=simple)
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
[standalone@localhost:9999 /] /:reload
{
    "outcome" => "success",
    "result" => undefined
}
[standalone@localhost:9999 /]

[standalone@localhost:9999 /] /core-service=management/access=authorization:write-attribute(name=provider, value=simple)
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
[standalone@localhost:9999 /] /:reload
{
    "outcome" => "success",
    "result" => undefined
}
[standalone@localhost:9999 /]

Copy to Clipboard

Toggle word wrap

如果服务器已下线，你可以编辑 XML 配置文件来启用或禁用 RBAC。你可以找到 management 元素下的 access-control 元素里的 provider 属性，设置为 rbac 则启用， simple 则禁用 RBAC。

<management>

        <access-control provider="rbac">
            <role-mapping>
                <role name="SuperUser">
                    <include>
                        <user name="$local"/>
                    </include>
                </role>
            </role-mapping>
        </access-control>

    </management>

<management>

        <access-control provider="rbac">
            <role-mapping>
                <role name="SuperUser">
                    <include>
                        <user name="$local"/>
                    </include>
                </role>
            </role-mapping>
        </access-control>

    </management>

Copy to Clipboard

Toggle word wrap

提交 bug 报告

返回顶部

11.8.2. 启用基于角色的访问控制

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links