红帽全球峰会此内容没有您所选择的语言版本。
7.2. Role-Based Access Control for Management Interfaces
The management interfaces of JBoss EAP 6.2.2 (the command line interface and the web-based administrative interface) allow access to the JBoss EAP system configuration in order to manage all configurable aspects of JBoss EAP 6.2.2. Administrators can access general system aspects, such as network port configurations, and container configurations. In addition, configuration aspects for services offered by containers are managed as well.
The configuration of applications, such as the application access control, are addressed in the deployment descriptors shipped with the application. Therefore, application configuration is generally not accessible via the management interfaces.
The administrative interfaces can be bound to a specific network interface. This allows for the management interfaces to be restricted to an administration LAN in order to prevent untrusted users from accessing the management interfaces. In order for administrators to interact with administrative interfaces, they must log in. Administration accounts are maintained separately from other user accounts.
Each action on an object that an administrative user can perform is subject to a role-based access control mechanism. The actions are classified into:
- Model operations, whose the main function is to read/write from the model, although there will often be associated runtime services started/stopped as a consequence.
- RPC operations, which invokes some runtime that affects runtime state only. This may either read runtime state or change it. The model is not affected.
- A resource.
- An attribute residing in a resource.
A set of object-action capabilities are mapped to a management role. This mapping defines the allowed access for the management role. A set of pre-defined management roles is included with JBoss EAP 6.2.2 and is available after installation. The pre-configured roles are detailed below.
Role-based access control pre-configured management roles
- Monitor
- The monitor role has the fewest permissions and restricts the user to viewing the configuration and the current state. The monitor role does not have permission to view sensitive data.
- Configurator
- The configurator role has the same permissions as the monitor role, and can change the configuration. For example, the configurator can deploy an application. The configurator role does not have permission to view sensitive data.
- Operator
- The operator role has monitor permissions and can also change the runtime state, but not the persistent configuration. For example, the operator can start or stop servers. The operator role does not have permission to view sensitive data.
- Administrator
- The administrator role has the combined permissions of the operator and the configurator. This role has also permission to access sensitive data, including passwords. The administrator role is the superuser of the Application Server and can modify administrative users and roles.
- Deployer
- The deployer role has the combined permissions of the operator and the configurator, but with those permissions constrained to operating on deployments.
- Auditor
- The auditor role can view and modify the configuration settings for the security auditing system. The auditor role includes the monitor role, allowing the auditor to view but not change the rest of the security configuration.
A role is a named set of permissions. These permissions include constraints, for example the read permissions for the Monitor role is constrained to non-sensitive actions and targets. Redefinition of the permissions and constraints associated with the above mentioned standard roles is not permitted.
A limited form of creation of new roles is allowed. These new roles are equivalent to the standard roles, but with an additional constraint applied to all permission, for example the target must be related to a particular host or server group.
All administrative operations are stored in configuration files (either
domain.xml or standalone.xml depending on the startup mode). The administrative interfaces are an in-memory image of the data stored in the configuration file. Once the in-memory image is modified, the modified configuration file is stored.
The role-based access control mechanism can only be enforced if the administrator accesses the JBoss EAP 6.2.2 system configuration via the CLI or management interface. If an administrator has shell access to the host, the underlying operating system may grant direct read or write access to the JBoss EAP system configuration files. Such access would imply that the role-based access control mechanism is not enforced. It is assumed that the host is located in a protected environment where direct access to the JBoss EAP system configuration files is not allowed.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}