[jira] [Created] (ARTEMIS-3014) Console Jolokia isn't guarded by JMX RBAC

["Tadayoshi Sato (Jira)" <ji...@apache.org>]

Tadayoshi Sato created ARTEMIS-3014:
---------------------------------------

             Summary: Console Jolokia isn't guarded by JMX RBAC
                 Key: ARTEMIS-3014
                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3014
             Project: ActiveMQ Artemis
          Issue Type: Bug
          Components: JMX, Web Console
    Affects Versions: 2.16.0
            Reporter: Tadayoshi Sato


Management RBAC configuration with {{management.xml}} doesn't seem to be adhered to if a MBean operation is invoked via Console Jolokia.

For example, when I have a RBAC config in {{etc/management.xml}} as follow:
{code:xml}
      <role-access>
         <match domain="java.lang" key="type=Memory">
            <access method="gc" roles="notamq"/>
         </match>
         [...]
      </role-access>
{code}
directly invoking {{java.lang:type=Memory/gc()}} from Jolokia still passes (note the user {{admin}} has role {{amq}} not {{notamq}}):
{code}
$ curl -s -u admin:admin http://localhost:8161/console/jolokia/exec/java.lang:type=Memory/gc\(\) | jq 
{
  "request": {
    "mbean": "java.lang:type=Memory",
    "type": "exec",
    "operation": "gc()"
  },
  "value": null,
  "timestamp": 1606375060,
  "status": 200
}
{code}

It appears Artemis share the same problem with Karaf KARAF-6251, where authenticated JMX invocations via Jolokia aren't guarded.

Note for 2.16.0 I removed Hawtio's {{RBACRestrictor}} for Artemis as I thought Artemis would guard RBAC for JMX by itself instead of relying on this Hawtio feature but do we really need {{RBACRestrictor}} for Artemis?
https://github.com/hawtio/hawtio/issues/2650



--
This message was sent by Atlassian Jira
(v8.3.4#803005)