You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@servicemix.apache.org by "Gert Vanthienen (JIRA)" <ji...@apache.org> on 2009/11/15 22:55:53 UTC
[jira] Created: (SM-1915) Support more fine-grained authorization
on JMX access
Support more fine-grained authorization on JMX access
-----------------------------------------------------
Key: SM-1915
URL: https://issues.apache.org/activemq/browse/SM-1915
Project: ServiceMix
Issue Type: Bug
Components: servicemix-core
Affects Versions: 3.3.1, 3.2.3
Reporter: Gert Vanthienen
Assignee: Gert Vanthienen
Fix For: 3.2.4, 3.3.2
Currently, access to the JMX console access is being controlled by a JAAS login module. Once logged in to the JMX console, every user is allowed to do anything with the provided MBeans.
This issue aims to add support for basic authorization control as well as provide a hook for implementing more fine-grained authorization schemes. The basic scheme should allow 'admin' users to do anything and limit the normal users to read-only operations.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (SM-1915) Support more fine-grained authorization
on JMX access
Posted by "Claus Ibsen (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/SM-1915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=55427#action_55427 ]
Claus Ibsen commented on SM-1915:
---------------------------------
I am still amazed/wondering why that the JMX doesn't offer such a security scheme out of the box? Or does it?
BTW: I like the way you implemented with the proxy and for checking what the operation is performed is a read only or not.
> Support more fine-grained authorization on JMX access
> -----------------------------------------------------
>
> Key: SM-1915
> URL: https://issues.apache.org/activemq/browse/SM-1915
> Project: ServiceMix
> Issue Type: Bug
> Components: servicemix-core
> Affects Versions: 3.2.3, 3.3.1
> Reporter: Gert Vanthienen
> Assignee: Gert Vanthienen
> Fix For: 3.2.4, 3.3.2
>
> Attachments: SM-1915.diff
>
>
> Currently, access to the JMX console access is being controlled by a JAAS login module. Once logged in to the JMX console, every user is allowed to do anything with the provided MBeans.
> This issue aims to add support for basic authorization control as well as provide a hook for implementing more fine-grained authorization schemes. The basic scheme should allow 'admin' users to do anything and limit the normal users to read-only operations.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (SM-1915) Support more fine-grained authorization
on JMX access
Posted by "Gert Vanthienen (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/SM-1915?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gert Vanthienen updated SM-1915:
--------------------------------
Attachment: SM-1915.diff
Currently, Apache infrastructure is down, but this is the patch that is waiting to get committed.
It allows people to configure a policy for checking remote JMX invocations and we provide an out-of-the-box policy for giving normal users read-only access and only allow read-write access to the admin group. It can be configured in conf/jmx.xml like this
{noformat}
<sm:jmxConnector ...
policy="#policy"/>
<sm:adminReadWritePolicy id="policy"/>
{noformat}
> Support more fine-grained authorization on JMX access
> -----------------------------------------------------
>
> Key: SM-1915
> URL: https://issues.apache.org/activemq/browse/SM-1915
> Project: ServiceMix
> Issue Type: Bug
> Components: servicemix-core
> Affects Versions: 3.2.3, 3.3.1
> Reporter: Gert Vanthienen
> Assignee: Gert Vanthienen
> Fix For: 3.2.4, 3.3.2
>
> Attachments: SM-1915.diff
>
>
> Currently, access to the JMX console access is being controlled by a JAAS login module. Once logged in to the JMX console, every user is allowed to do anything with the provided MBeans.
> This issue aims to add support for basic authorization control as well as provide a hook for implementing more fine-grained authorization schemes. The basic scheme should allow 'admin' users to do anything and limit the normal users to read-only operations.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (SM-1915) Support more fine-grained authorization
on JMX access
Posted by "Gert Vanthienen (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/SM-1915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=56455#action_56455 ]
Gert Vanthienen commented on SM-1915:
-------------------------------------
The previous fix was working fine on Java 6, but on Java 5 the interceptor had to be set on the connector server before starting it. Fixed for both versions now in:
* http://svn.apache.org/viewvc?view=revision&revision=890842 for the 3.3.x trunk
* http://svn.apache.org/viewvc?view=revision&revision=890843 for the 3.2.x branch
> Support more fine-grained authorization on JMX access
> -----------------------------------------------------
>
> Key: SM-1915
> URL: https://issues.apache.org/activemq/browse/SM-1915
> Project: ServiceMix
> Issue Type: Bug
> Components: servicemix-core
> Affects Versions: 3.2.3, 3.3.1
> Reporter: Gert Vanthienen
> Assignee: Gert Vanthienen
> Fix For: 3.2.4, 3.3.2
>
> Attachments: SM-1915.diff
>
>
> Currently, access to the JMX console access is being controlled by a JAAS login module. Once logged in to the JMX console, every user is allowed to do anything with the provided MBeans.
> This issue aims to add support for basic authorization control as well as provide a hook for implementing more fine-grained authorization schemes. The basic scheme should allow 'admin' users to do anything and limit the normal users to read-only operations.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (SM-1915) Support more fine-grained authorization
on JMX access
Posted by "Claus Ibsen (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/SM-1915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=55435#action_55435 ]
Claus Ibsen commented on SM-1915:
---------------------------------
Yeah great idea about spring-security.
I was just thinking out loud whether the spring JMX annotations had some security stuff so you could indicate a Principal should be in role X to be able to invoke the mbean operation.
> Support more fine-grained authorization on JMX access
> -----------------------------------------------------
>
> Key: SM-1915
> URL: https://issues.apache.org/activemq/browse/SM-1915
> Project: ServiceMix
> Issue Type: Bug
> Components: servicemix-core
> Affects Versions: 3.2.3, 3.3.1
> Reporter: Gert Vanthienen
> Assignee: Gert Vanthienen
> Fix For: 3.2.4, 3.3.2
>
> Attachments: SM-1915.diff
>
>
> Currently, access to the JMX console access is being controlled by a JAAS login module. Once logged in to the JMX console, every user is allowed to do anything with the provided MBeans.
> This issue aims to add support for basic authorization control as well as provide a hook for implementing more fine-grained authorization schemes. The basic scheme should allow 'admin' users to do anything and limit the normal users to read-only operations.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (SM-1915) Support more fine-grained authorization
on JMX access
Posted by "Gert Vanthienen (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/SM-1915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=55431#action_55431 ]
Gert Vanthienen commented on SM-1915:
-------------------------------------
Claus,
With ServiceMix' support for JAAS authentication on the JMX connector, you can also write a java policy file and use that when starting ServiceMix and the the MBeanServer will use that policy to control access. I first tried this but it became very troublesome to maintain the policy file because you can only grant privileges and not revoke them, so you have to write a full list of all permissions like this:
{code}
grant {
permission java.io.FilePermission "-", "read,write,execute,delete";
permission java.lang.RuntimePermission "*";
// a few dozen other standard java permissions here
permission javax.management.MBeanPermission "getAttribute", "*", "*", "*";
//all the other read-only access permission here
}
// all the above just so we can do...
grant principal "admin" {
permission java.security.AllPermission;
};
{code}
In the end, the proxy-based approach just seemed a lot easier to implement. I do agree there should be an easier to specify a policy like this in the policy files, perhaps it can be done by writing your own permission that implies the necessary MBean permissions but I'm afraid that's a bit beyond my current knowledge of Java security.
> Support more fine-grained authorization on JMX access
> -----------------------------------------------------
>
> Key: SM-1915
> URL: https://issues.apache.org/activemq/browse/SM-1915
> Project: ServiceMix
> Issue Type: Bug
> Components: servicemix-core
> Affects Versions: 3.2.3, 3.3.1
> Reporter: Gert Vanthienen
> Assignee: Gert Vanthienen
> Fix For: 3.2.4, 3.3.2
>
> Attachments: SM-1915.diff
>
>
> Currently, access to the JMX console access is being controlled by a JAAS login module. Once logged in to the JMX console, every user is allowed to do anything with the provided MBeans.
> This issue aims to add support for basic authorization control as well as provide a hook for implementing more fine-grained authorization schemes. The basic scheme should allow 'admin' users to do anything and limit the normal users to read-only operations.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (SM-1915) Support more fine-grained authorization
on JMX access
Posted by "Gert Vanthienen (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/SM-1915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=55434#action_55434 ]
Gert Vanthienen commented on SM-1915:
-------------------------------------
@Claus: I don't think the annotations themselves support it and the goal was not only to provide the basic authorization scheme, but also to allow people who e.g. use an LDAP JAAS LoginModule to implement more sophisticated policies. However, I do think we should be able to integrate this with something like AspectJ e.g. so we can use the pointcut language to describe the security constraints in a format that's easier to work with than the standard java policy file.
> Support more fine-grained authorization on JMX access
> -----------------------------------------------------
>
> Key: SM-1915
> URL: https://issues.apache.org/activemq/browse/SM-1915
> Project: ServiceMix
> Issue Type: Bug
> Components: servicemix-core
> Affects Versions: 3.2.3, 3.3.1
> Reporter: Gert Vanthienen
> Assignee: Gert Vanthienen
> Fix For: 3.2.4, 3.3.2
>
> Attachments: SM-1915.diff
>
>
> Currently, access to the JMX console access is being controlled by a JAAS login module. Once logged in to the JMX console, every user is allowed to do anything with the provided MBeans.
> This issue aims to add support for basic authorization control as well as provide a hook for implementing more fine-grained authorization schemes. The basic scheme should allow 'admin' users to do anything and limit the normal users to read-only operations.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Resolved: (SM-1915) Support more fine-grained authorization
on JMX access
Posted by "Gert Vanthienen (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/SM-1915?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gert Vanthienen resolved SM-1915.
---------------------------------
Resolution: Fixed
The basic JMX authorization policy fix has been applied:
- in http://svn.apache.org/viewvc?view=revision&revision=880669 for the 3.3.x trunk
- in http://svn.apache.org/viewvc?view=revision&revision=880679 for the 3.2.x branch
Based on Claus' suggestions, I have raised SMX4-433 to look into creating a more integrated solution for ServiceMix 4.x
> Support more fine-grained authorization on JMX access
> -----------------------------------------------------
>
> Key: SM-1915
> URL: https://issues.apache.org/activemq/browse/SM-1915
> Project: ServiceMix
> Issue Type: Bug
> Components: servicemix-core
> Affects Versions: 3.2.3, 3.3.1
> Reporter: Gert Vanthienen
> Assignee: Gert Vanthienen
> Fix For: 3.2.4, 3.3.2
>
> Attachments: SM-1915.diff
>
>
> Currently, access to the JMX console access is being controlled by a JAAS login module. Once logged in to the JMX console, every user is allowed to do anything with the provided MBeans.
> This issue aims to add support for basic authorization control as well as provide a hook for implementing more fine-grained authorization schemes. The basic scheme should allow 'admin' users to do anything and limit the normal users to read-only operations.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (SM-1915) Support more fine-grained authorization
on JMX access
Posted by "Claus Ibsen (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/SM-1915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=55432#action_55432 ]
Claus Ibsen commented on SM-1915:
---------------------------------
Gert yeah I do agree that I know of none who uses the java policy files for security.
Only frameworks does it a little bit, and/or when you need to get that export restricted key length policy file from the US to use it in EU on your JDK.
I wonder though if on the spring JMX annotations is an attribute to specify a role? Then you could maybe do it on the mbean itself?
e.g. in Camel we have annotated mbean classes for JMX management. So if we could set role="admin" for the special write operations that would be cool.
> Support more fine-grained authorization on JMX access
> -----------------------------------------------------
>
> Key: SM-1915
> URL: https://issues.apache.org/activemq/browse/SM-1915
> Project: ServiceMix
> Issue Type: Bug
> Components: servicemix-core
> Affects Versions: 3.2.3, 3.3.1
> Reporter: Gert Vanthienen
> Assignee: Gert Vanthienen
> Fix For: 3.2.4, 3.3.2
>
> Attachments: SM-1915.diff
>
>
> Currently, access to the JMX console access is being controlled by a JAAS login module. Once logged in to the JMX console, every user is allowed to do anything with the provided MBeans.
> This issue aims to add support for basic authorization control as well as provide a hook for implementing more fine-grained authorization schemes. The basic scheme should allow 'admin' users to do anything and limit the normal users to read-only operations.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.