Posted to issues@activemq.apache.org by "Tadayoshi Sato (Jira)" <ji...@apache.org> on 2020/11/26 08:19:00 UTC
[jira] [Created] (ARTEMIS-3014) Console Jolokia isn't guarded by JMX RBAC
Tadayoshi Sato created ARTEMIS-3014:
---------------------------------------
Summary: Console Jolokia isn't guarded by JMX RBAC
Key: ARTEMIS-3014
URL: https://issues.apache.org/jira/browse/ARTEMIS-3014
Project: ActiveMQ Artemis
Issue Type: Bug
Components: JMX, Web Console
Affects Versions: 2.16.0
Reporter: Tadayoshi Sato
Management RBAC configuration with {{management.xml}} doesn't seem to be adhered to if an MBean operation is invoked via Console Jolokia.
For example, when I have an RBAC config in {{etc/management.xml}} as follows:
{code:xml}
<role-access>
<match domain="java.lang" key="type=Memory">
<access method="gc" roles="notamq"/>
</match>
[...]
</role-access>
{code}
directly invoking {{java.lang:type=Memory/gc()}} from Jolokia still passes (note the user {{admin}} has role {{amq}} not {{notamq}}):
{code}
$ curl -s -u admin:admin http://localhost:8161/console/jolokia/exec/java.lang:type=Memory/gc\(\) | jq
{
"request": {
"mbean": "java.lang:type=Memory",
"type": "exec",
"operation": "gc()"
},
"value": null,
"timestamp": 1606375060,
"status": 200
}
{code}
It appears Artemis shares the same problem with Karaf KARAF-6251, where authenticated JMX invocations via Jolokia aren't guarded.
Note that for 2.16.0 I removed Hawtio's {{RBACRestrictor}} for Artemis, as I thought Artemis would guard RBAC for JMX by itself instead of relying on this Hawtio feature. But do we really need {{RBACRestrictor}} for Artemis?
https://github.com/hawtio/hawtio/issues/2650
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
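The following is an added example and is not code from the report or from the ActiveMQ Artemis project. It models the authorisation decision that the reporter expects the broker to make for a Jolokia {{exec}} request: parse the {{role-access}} rules from a {{management.xml}} fragment, extract domain, key properties and operation from the request path, and decide whether a principal's roles permit the call. Comparing this decision with the HTTP status the console actually returns (a 200 where the model says deny) reproduces the discrepancy described above without a live broker. Assumptions made here, which are not taken from the Artemis source: the XML fragment is constructed (it extends the one in the report with a second {{match}}), the first matching {{access}} entry wins, a request with no matching rule is denied, and a rule {{key}} matches when every {{name=value}} pair it lists appears in the MBean's key properties.

```python
"""Model of an Artemis-style management.xml role-access check for Jolokia exec
requests. Example code, not the broker's implementation; see assumptions in
the comments."""
import xml.etree.ElementTree as ET
from fnmatch import fnmatch
from urllib.parse import unquote

# Constructed sample: the rule from the report plus an extra match block, so the
# wildcard handling is exercised too. The xmlns is omitted on purpose; the
# parser below strips namespaces anyway.
MANAGEMENT_XML = """<management-context>
  <authorisation>
    <role-access>
      <match domain="java.lang" key="type=Memory">
        <access method="gc" roles="notamq"/>
        <access method="get*" roles="amq"/>
      </match>
      <match domain="org.apache.activemq.artemis">
        <access method="list*" roles="view,amq"/>
        <access method="*" roles="amq"/>
      </match>
    </role-access>
  </authorisation>
</management-context>
"""


def _local(tag):
    """Strip an XML namespace prefix such as {http://...}match."""
    return tag.split("}")[-1]


def load_role_access(xml_text):
    """Return a list of (domain, key, [(method_pattern, roles_set), ...])."""
    root = ET.fromstring(xml_text)
    rules = []
    for match in root.iter():
        if _local(match.tag) != "match":
            continue
        accesses = []
        for access in match:
            if _local(access.tag) != "access":
                continue
            roles = {r.strip() for r in access.get("roles", "").split(",") if r.strip()}
            accesses.append((access.get("method", "*"), roles))
        rules.append((match.get("domain"), match.get("key"), accesses))
    return rules


def parse_jolokia_exec(path):
    """Split '/console/jolokia/exec/<mbean>/<operation>' into
    (domain, key_properties, method). Jolokia's '!' escaping is not handled
    here (assumption: plain paths as in the report)."""
    rest = path.split("/exec/", 1)[1]
    mbean, operation = rest.split("/", 1)
    domain, _, keys = unquote(mbean).partition(":")
    method = unquote(operation).split("(", 1)[0]
    return domain, keys, method


def mbean_matches(rule_domain, rule_key, mbean_domain, mbean_keys):
    """Assumption: domain must be equal; every name=value pair in the rule key
    must be one of the MBean's key properties; a rule without a key matches
    the whole domain."""
    if rule_domain != mbean_domain:
        return False
    if not rule_key:
        return True
    have = {p.strip() for p in mbean_keys.split(",") if p.strip()}
    need = {p.strip() for p in rule_key.split(",") if p.strip()}
    return need <= have


def is_allowed(rules, mbean_domain, mbean_keys, method, user_roles):
    """First matching <access> wins (assumption); no match means deny."""
    for rule_domain, rule_key, accesses in rules:
        if not mbean_matches(rule_domain, rule_key, mbean_domain, mbean_keys):
            continue
        for pattern, roles in accesses:
            if fnmatch(method, pattern):
                return bool(set(user_roles) & roles)
    return False


def check_request(xml_text, path, user_roles):
    """Convenience wrapper: True if the request should be permitted."""
    rules = load_role_access(xml_text)
    domain, keys, method = parse_jolokia_exec(path)
    return is_allowed(rules, domain, keys, method, user_roles)


if __name__ == "__main__":
    # The case from the report: user admin has role amq, rule requires notamq.
    # The model denies; a 200 from the console would be the bug.
    path = "/console/jolokia/exec/java.lang:type=Memory/gc()"
    print("admin(amq) may call gc():", check_request(MANAGEMENT_XML, path, {"amq"}))
    print("user(notamq) may call gc():", check_request(MANAGEMENT_XML, path, {"notamq"}))
```

To turn this into a practical check against a running broker, issue the same exec request with curl as the reporter did and compare the returned {{status}} with {{check_request}}'s verdict: a 200 where the model returns False is exactly the bypass described in this issue.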