Posted to issues@activemq.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2020/11/27 17:12:02 UTC

[jira] [Work logged] (ARTEMIS-3014) Console Jolokia isn't guarded by JMX RBAC

     [ https://issues.apache.org/jira/browse/ARTEMIS-3014?focusedWorklogId=517410&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-517410 ]

ASF GitHub Bot logged work on ARTEMIS-3014:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 27/Nov/20 17:11
            Start Date: 27/Nov/20 17:11
    Worklog Time Spent: 10m 
      Work Description: brusdev opened a new pull request #3364:
URL: https://github.com/apache/activemq-artemis/pull/3364


   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Issue Time Tracking
-------------------

            Worklog Id:     (was: 517410)
    Remaining Estimate: 0h
            Time Spent: 10m

> Console Jolokia isn't guarded by JMX RBAC
> -----------------------------------------
>
>                 Key: ARTEMIS-3014
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3014
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: JMX, Web Console
>    Affects Versions: 2.16.0
>            Reporter: Tadayoshi Sato
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Management RBAC configuration with {{management.xml}} doesn't seem to be adhered to if an MBean operation is invoked via Console Jolokia.
> For example, when I have an RBAC config in {{etc/management.xml}} as follows:
> {code:xml}
>       <role-access>
>          <match domain="java.lang" key="type=Memory">
>             <access method="gc" roles="notamq"/>
>          </match>
>          [...]
>       </role-access>
> {code}
> directly invoking {{java.lang:type=Memory/gc()}} from Jolokia still passes (note the user {{admin}} has role {{amq}}, not {{notamq}}):
> {code}
> $ curl -s -u admin:admin http://localhost:8161/console/jolokia/exec/java.lang:type=Memory/gc\(\) | jq 
> {
>   "request": {
>     "mbean": "java.lang:type=Memory",
>     "type": "exec",
>     "operation": "gc()"
>   },
>   "value": null,
>   "timestamp": 1606375060,
>   "status": 200
> }
> {code}
> It appears Artemis shares the same problem as Karaf KARAF-6251, where authenticated JMX invocations via Jolokia aren't guarded.
> Note for 2.16.0 I removed Hawtio's {{RBACRestrictor}} for Artemis as I thought Artemis would guard RBAC for JMX by itself instead of relying on this Hawtio feature, but do we really need {{RBACRestrictor}} for Artemis?
> https://github.com/hawtio/hawtio/issues/2650



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
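The check the report says is missing, modelled offline as an added example. This is not Artemis or Hawtio code: it parses a role-access policy of the shape quoted in the issue, splits a Jolokia exec request the way the JSON in the report shows it, and decides whether the caller's roles permit the operation. The matching rules are a simplified reading of the snippet (domain and key compared as exact strings, method matched by exact name, no rule means deny); the real broker's matcher also handles wildcard method names and a default-access block, which are assumptions left out here. The sample policy and the admin user's roles are constructed from the report; the second match block is an added illustration, not part of the original management.xml.

```python
"""Model of the management.xml role-access check that the console Jolokia
endpoint skipped according to ARTEMIS-3014.  Added example, not project code.
Simplifications (assumptions): domain/key are exact string compares, a method
matches only by exact name, and an unmatched request is denied.  The real
broker also supports wildcard methods and a default-access block."""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, NamedTuple, Optional

# Constructed policy.  The java.lang/Memory rule is the one quoted in the issue;
# the second <match> (key-less, domain-wide) is added purely for illustration.
MANAGEMENT_XML = """<management-context>
  <authorisation>
    <role-access>
      <match domain="java.lang" key="type=Memory">
        <access method="gc" roles="notamq"/>
      </match>
      <match domain="org.apache.activemq.artemis">
        <access method="listConnections" roles="amq,notamq"/>
      </match>
    </role-access>
  </authorisation>
</management-context>"""

# Roles of the "admin" user as stated in the report: amq, not notamq.
ADMIN_ROLES = frozenset({"amq"})

# The exec request exactly as Jolokia echoed it back in the report.
CONSTRUCTED_REQUEST = {"mbean": "java.lang:type=Memory", "type": "exec", "operation": "gc()"}


class AccessRule(NamedTuple):
    domain: str
    key: Optional[str]   # None when the <match> carried no key attribute
    method: str
    roles: frozenset


def _local(tag: str) -> str:
    """Strip any XML namespace so the real file (which carries xmlns) parses too."""
    return tag.rpartition("}")[2]


def load_role_access(xml_text: str) -> List[AccessRule]:
    """Flatten every <match>/<access> pair into an AccessRule, in document order."""
    rules = []
    for match in ET.fromstring(xml_text).iter():
        if _local(match.tag) != "match":
            continue
        for access in match:
            if _local(access.tag) != "access":
                continue
            roles = frozenset(r.strip() for r in access.get("roles", "").split(",") if r.strip())
            rules.append(AccessRule(match.get("domain", ""), match.get("key"), access.get("method", ""), roles))
    return rules


def split_object_name(mbean: str):
    """'java.lang:type=Memory' -> ('java.lang', 'type=Memory')."""
    domain, _, key = mbean.partition(":")
    return domain, key


def operation_name(operation: str) -> str:
    """Jolokia exec operation 'gc()' or 'gc(java.lang.String)' -> 'gc'."""
    return operation.split("(", 1)[0]


def is_allowed(rules: Iterable[AccessRule], user_roles: Iterable[str], mbean: str, operation: str) -> bool:
    """First rule whose domain, key (if present) and method match decides; none -> deny."""
    domain, key = split_object_name(mbean)
    method = operation_name(operation)
    for rule in rules:
        if rule.domain != domain or rule.method != method:
            continue
        if rule.key is not None and rule.key != key:
            continue
        return bool(rule.roles & set(user_roles))
    return False


def check_exec_request(rules: Iterable[AccessRule], user_roles: Iterable[str], request: Dict[str, str]) -> Dict[str, object]:
    """Return the policy verdict for a Jolokia exec request; 403 is what a guarded endpoint would answer."""
    allowed = request.get("type") == "exec" and is_allowed(rules, user_roles, request["mbean"], request["operation"])
    return {"request": request, "allowed": allowed, "status": 200 if allowed else 403}


if __name__ == "__main__":
    policy = load_role_access(MANAGEMENT_XML)
    print(check_exec_request(policy, ADMIN_ROLES, CONSTRUCTED_REQUEST))
```

Run against the constructed policy, the admin request that the report shows returning status 200 is refused here, which is the behaviour the issue expects the console endpoint to enforce; a caller holding notamq is let through.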