Posted to dev@activemq.apache.org by "Dejan Bosanac (JIRA)" <ji...@apache.org> on 2013/07/02 12:56:22 UTC

[jira] [Commented] (AMQ-4567) JMX operations on broker bypass authorization plugin

    [ https://issues.apache.org/jira/browse/AMQ-4567?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13697684#comment-13697684 ] 

Dejan Bosanac commented on AMQ-4567:
------------------------------------

With svn revision 1498875 I implemented a read-only setup for the web console. You can log in with user/user and then you'll be able to look at all the pages, but you'll be forbidden to perform any actions. A similar setup can be made in the Karaf environment as well.

I think this is what most people want. After a bit of research, it looks like crossing various security realms is a pretty hard problem to overcome, for example going from web to JMX to broker. For JMX we can get the principal, but only if JMX is secured, and that doesn't solve the web console problem, as we only use a single principal to connect to the broker no matter who is using it. And in embedded mode we just go and use the API directly.

I think we need to keep JMX access administration-only and secured. But we can allow people read-only access to the web console, and that should cover most use cases.
                
>  JMX operations on broker bypass authorization plugin
> -----------------------------------------------------
>
>                 Key: AMQ-4567
>                 URL: https://issues.apache.org/jira/browse/AMQ-4567
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.8.0
>            Reporter: Torsten Mielke
>              Labels: authorization
>
> When securing the broker using authentication and authorization, any JMX operations on the broker completely bypass the authorization plugin.
> So anyone can modify the broker, bypassing the security checks. Also, because of this it's not possible to define a read-only user for the web console.
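Added example, not code from the ticket or from ActiveMQ itself: the comment above notes that a principal is only available on the JMX side when the connector is secured. Given that, one defender-side way to hand out read-only JMX sessions while keeping mutation administration-only is an `MBeanServerForwarder` that lets every authenticated user read but rejects mutating `MBeanServer` calls unless the caller holds an admin principal. It assumes a JSR-160 connector with authentication enabled (so a `Subject` is attached to each call), and the set of admin principal names and the list of "mutating" methods are my assumptions, not anything ActiveMQ defines.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.security.AccessController;
import java.security.Principal;
import java.util.Set;
import javax.management.MBeanServer;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.MBeanServerForwarder;
import javax.security.auth.Subject;

/**
 * Hypothetical forwarder (not ActiveMQ code): every authenticated JMX user may
 * read attributes and metadata, but only principals named in adminPrincipals
 * may call MBeanServer methods that change state.
 */
public final class ReadOnlyJmxForwarder implements InvocationHandler {

    // MBeanServer methods that mutate the managed application; all others are treated as read-only.
    // This list is an assumption for the example; extend it to match your own policy.
    private static final Set<String> MUTATING = Set.of(
            "invoke", "setAttribute", "setAttributes",
            "createMBean", "registerMBean", "unregisterMBean");

    private final Set<String> adminPrincipals;  // supplied by the deployer (assumption)
    private volatile MBeanServer delegate;

    private ReadOnlyJmxForwarder(Set<String> adminPrincipals) {
        this.adminPrincipals = Set.copyOf(adminPrincipals);
    }

    /** Builds the forwarder as a dynamic proxy so the ~40 MBeanServer methods need no hand-written delegation. */
    public static MBeanServerForwarder create(Set<String> adminPrincipals) {
        return (MBeanServerForwarder) Proxy.newProxyInstance(
                MBeanServerForwarder.class.getClassLoader(),
                new Class<?>[] { MBeanServerForwarder.class },
                new ReadOnlyJmxForwarder(adminPrincipals));
    }

    /** Places the forwarder between the connector server and the real MBeanServer. */
    public static void install(JMXConnectorServer server, Set<String> adminPrincipals) {
        server.setMBeanServerForwarder(create(adminPrincipals));
    }

    @Override
    public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
        String name = method.getName();
        if ("getMBeanServer".equals(name)) {
            return delegate;
        }
        if ("setMBeanServer".equals(name)) {
            delegate = (MBeanServer) args[0];
            return null;
        }
        if (delegate == null) {
            throw new IllegalStateException("no MBeanServer has been set on this forwarder");
        }
        if (MUTATING.contains(name) && !callerIsAdmin()) {
            // Deny and name the rejected method: that string is what an audit log should capture.
            throw new SecurityException("read-only JMX session: " + name + " is not permitted");
        }
        try {
            return method.invoke(delegate, args);
        } catch (InvocationTargetException e) {
            throw e.getCause();  // surface the MBeanServer's own exception rather than the reflection wrapper
        }
    }

    /**
     * The RMI connector runs each remote call with the authenticated Subject on the
     * access-control context. AccessController is deprecated from Java 17 on but still works.
     */
    private boolean callerIsAdmin() {
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            return false;  // unauthenticated connector: never grant mutation
        }
        for (Principal p : subject.getPrincipals()) {
            if (adminPrincipals.contains(p.getName())) {
                return true;
            }
        }
        return false;
    }
}
```

Note that the stock JDK `jmxremote.access` file already distinguishes `readonly` from `readwrite` roles for the built-in password authenticator; a forwarder like this one is only needed when you want rules the access file cannot express, such as per-principal decisions or an allow-list of specific operations.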
