11.8.2. Enabling Role-Based Access Control
By default the Role-Based Access Control (RBAC) system is disabled. It is enabled by changing the provider attribute from simple to rbac. This can be done using the jboss-cli.sh tool or by editing the server configuration XML file if the server is off-line. When RBAC is disabled or enabled on a running server, the server configuration must be reloaded before it takes effect.
Once enabled, it can only be disabled by a user of the Administrator or SuperUser roles. By default the jboss-cli.sh tool runs as the SuperUser role if it is run on the same machine as the server.
Procedure 11.1. Enabling RBAC
- To enable RBAC with jboss-cli.sh, use the write-attribute operation of the access authorization resource to set the provider attribute to rbac.
/core-service=management/access=authorization:write-attribute(name=provider, value=rbac)
[standalone@localhost:9999 /] /core-service=management/access=authorization:write-attribute(name=provider, value=rbac)
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
[standalone@localhost:9999 /] /:reload
{
    "outcome" => "success",
    "result" => undefined
}
[standalone@localhost:9999 /]
Procedure 11.2. Disabling RBAC
- To disable RBAC with jboss-cli.sh, use the write-attribute operation of the access authorization resource to set the provider attribute to simple.
/core-service=management/access=authorization:write-attribute(name=provider, value=simple)
[standalone@localhost:9999 /] /core-service=management/access=authorization:write-attribute(name=provider, value=simple)
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
[standalone@localhost:9999 /] /:reload
{
    "outcome" => "success",
    "result" => undefined
}
[standalone@localhost:9999 /]
If the server is off-line, the XML configuration can be edited to enable or disable RBAC. To do this, edit the provider attribute of the access-control element of the management element. Set the value to rbac to enable, and simple to disable.
<management>
    <access-control provider="rbac">
        <role-mapping>
            <role name="SuperUser">
                <include>
                    <user name="$local"/>
                </include>
            </role>
        </role-mapping>
    </access-control>
</management>
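The following is an added example, not part of the product documentation: a Python check that reads a server configuration file's access-control element off-line and reports whether RBAC is enabled and which users are mapped to each role. The function names, the sample document and its placeholder namespace are constructed for illustration, and treating a missing provider attribute as simple is an assumption based on RBAC being disabled by default.

```python
import xml.etree.ElementTree as ET

# Constructed sample input modelled on the <management> fragment above.
# The namespace is a placeholder; real configuration files declare their own.
SAMPLE_XML = """
<server xmlns="urn:example:constructed">
  <management>
    <access-control provider="rbac">
      <role-mapping>
        <role name="SuperUser">
          <include><user name="$local"/></include>
        </role>
      </role-mapping>
    </access-control>
  </management>
</server>
"""

def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]

def find_all(root, name):
    """All elements at or below root with the given local name."""
    return [e for e in root.iter() if local_name(e.tag) == name]

def audit_access_control(xml_text):
    """Report the access-control provider and the users included per role."""
    root = ET.fromstring(xml_text.strip())
    controls = [ac for m in find_all(root, "management")
                for ac in find_all(m, "access-control")]
    ac = controls[0] if controls else None
    # Assumption: a missing element or attribute means the default, simple.
    provider = ac.get("provider", "simple") if ac is not None else "simple"
    roles = {}
    if ac is not None:
        for role in find_all(ac, "role"):
            roles[role.get("name")] = [u.get("name")
                                       for inc in find_all(role, "include")
                                       for u in find_all(inc, "user")]
    return {
        "provider": provider,
        "rbac_enabled": provider == "rbac",
        "roles": roles,
        # True when the local user is mapped to SuperUser, as in the fragment above.
        "local_superuser": "$local" in roles.get("SuperUser", []),
    }

if __name__ == "__main__":
    print(audit_access_control(SAMPLE_XML))
```

Run against a copy of the configuration file before restarting an off-line server to confirm the provider value and to review which users hold SuperUser.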