Activate/enable/configure RBAC roles in JBoss EAP 6 / 7 / 8

Solution Verified - Updated

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 6
    • 7
    • 8
  • Role-based Access Control (RBAC)

Issue

  • Need to give a user only specific (admin/read-only/etc) access

  • Trying to add a user to a specific management console role:

      <management>
          <access-control provider="rbac">
              <role-mapping>
                  <role name="SuperUser">
                      <include>
                          <user name="$local"/>
                      </include>
                  </role>
              </role-mapping>
          </access-control>
      </management>
    

    However, when trying to log into the WebConsole I get:

      Access Denied: Insufficient privileges to access this interface.
    
  • Browser console errors similar to o.j.h.m.security.AuthorisationDecision No security context found for executable(server-group=main-server-group:reload-servers)

Resolution

If RBAC is already enabled, the user must be in the SuperUser or Administrator (Admin) role to make modifications to the RBAC configuration.

  1. To enable RBAC, use the following CLI command:

     /core-service=management/access=authorization:write-attribute(name=provider,value=rbac)
    
  2. To add one of the supported roles to the RBAC configuration, for example Monitor:

     /core-service=management/access=authorization/role-mapping=Monitor:add()
    

    Monitor, for example, has read-only access; Administrator has full access.

    See Security Architecture - Role-Based Access Control for a description of the supported roles.

  3. To add a user to a specific role, for example the role Monitor:

     /core-service=management/access=authorization/role-mapping=Monitor/include=user-timRO:add(name=timRO,type=USER)
    
  4. To add a group from the authentication system (for example LDAP or a properties file) to a role:

     /core-service=management/access=authorization/role-mapping=Monitor/include=group-LDAP_MONITORS:add(name=LDAP_MONITORS, type=GROUP)
    
  5. Users and groups may also be excluded from a role by using exclude instead of include. This is useful when a user would otherwise be included in the role through membership of another external group:

     /core-service=management/access=authorization/role-mapping=Monitor/exclude=group-LDAP_MONITORS:add(name=LDAP_MONITORS, type=GROUP)
    
  6. After enabling RBAC or adding users to a role, the server or the host controller must be reloaded, as shown below for a host named master:

    For managed domain:

     reload --host=master
    

    For Standalone mode simply:

     reload
    

Root Cause

If you see "Access Denied: Insufficient privileges to access this interface", RBAC is already enabled and the current user does not have the Administrator or SuperUser role, which is required to modify the RBAC configuration.

Diagnostic Steps

  • Browser console errors similar to o.j.h.m.security.AuthorisationDecision No security context found for executable(server-group=main-server-group:reload-servers) mean that the current user is in a role that is allowed to access the console, but that role does not permit the listed operation. In this example the user cannot run the reload-servers operation on the selected server group (main-server-group).

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.