Posted to issues@karaf.apache.org by "Freeman Fang (JIRA)" <ji...@apache.org> on 2016/07/01 02:47:10 UTC

[jira] [Commented] (KARAF-4600) RBAC - MBean fails to resolve ACL if the order of properties in object name differs

    [ https://issues.apache.org/jira/browse/KARAF-4600?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15358280#comment-15358280 ] 

Freeman Fang commented on KARAF-4600:
-------------------------------------

Thanks JB for the reminder, will revert this change soon.

Talked with Tadayoshi Sato about another solution and the patch is on the way.

> RBAC - MBean fails to resolve ACL if the order of properties in object name differs
> -----------------------------------------------------------------------------------
>
>                 Key: KARAF-4600
>                 URL: https://issues.apache.org/jira/browse/KARAF-4600
>             Project: Karaf
>          Issue Type: Bug
>          Components: karaf-security
>    Affects Versions: 4.0.5
>            Reporter: Tadayoshi Sato
>            Assignee: Freeman Fang
>             Fix For: 4.1.0, 4.0.6, 3.0.8, 2.4.5
>
>
> An MBean:
> {code}
> org.apache.activemq:type=Broker,brokerName=amq-broker,destinationType=Queue,destinationName=TEST
> {code}
> has an ACL file with the following configuration:
> {{etc/jmx.acl.org.apache.activemq.Broker._.Queue.cfg}}
> {code}
> browse* = viewer
> {code}
> While {{JMXSecurityMBean#canInvoke(String, String)}} returns {{true}} for the viewer role on this object name:
> {code}
> org.apache.activemq:type=Broker,brokerName=amq-broker,destinationType=Queue,destinationName=TEST
> {code}
> and operation {{"browse"}}, it returns {{false}} on the canonical form of the same object name and operation, i.e.:
> {code}
> org.apache.activemq:brokerName=amq-broker,destinationName=TEST,destinationType=Queue,type=Broker
> {code}
> and RBAC doesn't work correctly.
> The root cause is that the resolution of ACL configuration is affected by the order of properties in an object name. In the original form of the object name, ACL resolves as:
> {code}
> org.apache.activemq.Broker.amq-broker.Queue.TEST
> {code}
> whereas in the canonical form it resolves as:
> {code}
> org.apache.activemq.Broker.amq-broker.TEST.Queue
> {code}
> and thus cannot find the correct ACL file (note the {{"type"}} property precedes others due to KARAF-3020).



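Added example, not part of the original message and not Karaf's own code: a simplified model of the order-dependent ACL resolution described in the issue, run on the object name from the report. The `pid` and `matches` helpers are hypothetical; they assume the resolved name is the domain, then the "type" value, then the remaining values in the order given, and that a configured name matches as a prefix with "_" standing for any one segment.

```java
import javax.management.ObjectName;
import java.util.ArrayList;
import java.util.List;

public class AclPidOrderDemo {
    // Hypothetical helper: builds the dotted name the ACL lookup would use.
    // The "type" value goes first, other values keep the order of keyProps.
    // Plain split on ',' is enough for this sample; quoted values are not handled.
    static String pid(String domain, String keyProps) {
        List<String> values = new ArrayList<>();
        String type = null;
        for (String kv : keyProps.split(",")) {
            String[] p = kv.split("=", 2);
            if (p[0].equals("type")) type = p[1]; else values.add(p[1]);
        }
        if (type != null) values.add(0, type);
        return domain + "." + String.join(".", values);
    }

    // Hypothetical matcher: the configured name must match a prefix of the
    // resolved name segment by segment; "_" matches any single segment.
    static boolean matches(String configured, String resolved) {
        String[] pat = configured.split("\\."), seg = resolved.split("\\.");
        if (pat.length > seg.length) return false;
        for (int i = 0; i < pat.length; i++)
            if (!pat[i].equals("_") && !pat[i].equals(seg[i])) return false;
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Object name and ACL file name (minus "etc/jmx.acl." and ".cfg") from the issue.
        ObjectName on = new ObjectName("org.apache.activemq:type=Broker,"
                + "brokerName=amq-broker,destinationType=Queue,destinationName=TEST");
        String acl = "org.apache.activemq.Broker._.Queue";

        // Same MBean, two spellings: as written, and in JMX canonical (key-sorted) order.
        String asWritten = pid(on.getDomain(), on.getKeyPropertyListString());
        String canonical = pid(on.getDomain(), on.getCanonicalKeyPropertyListString());

        // JMX itself treats both spellings as the same name.
        System.out.println("equal names: " + on.equals(new ObjectName(on.getCanonicalName())));
        System.out.println(asWritten + " matches ACL: " + matches(acl, asWritten));
        System.out.println(canonical + " matches ACL: " + matches(acl, canonical));
    }
}
```

A regression test for any fix can assert the property this demo violates: two `ObjectName` instances that are `equals()` must receive the same `canInvoke` decision.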