Posted to issues@karaf.apache.org by "Jean-Baptiste Onofré (Jira)" <ji...@apache.org> on 2020/05/17 05:48:00 UTC

[jira] [Resolved] (KARAF-6251) Jolokia bypasses JMX ACL

     [ https://issues.apache.org/jira/browse/KARAF-6251?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré resolved KARAF-6251.
-----------------------------------------
    Fix Version/s:     (was: 4.2.9)
                       (was: 4.3.0)
         Assignee: Jean-Baptiste Onofré  (was: Grzegorz Grzybek)
       Resolution: Not A Problem

> Jolokia bypasses JMX ACL
> ------------------------
>
>                 Key: KARAF-6251
>                 URL: https://issues.apache.org/jira/browse/KARAF-6251
>             Project: Karaf
>          Issue Type: Bug
>          Components: karaf
>    Affects Versions: 4.2.5
>            Reporter: Tadayoshi Sato
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>
> For example, after you install {{jolokia}} feature:
> {code}
> karaf@root()> feature:install jolokia
> {code}
> the invocation of {{Memory.gc()}} over Jolokia always succeeds even if the user {{viewer}} doesn't have the right:
> {code}
> $ curl -s -u viewer:viewer http://localhost:8181/jolokia/exec/java.lang:type=Memory/gc\(\)
> {"request":{"mbean":"java.lang:type=Memory","type":"exec","operation":"gc()"},"value":null,"timestamp":1556005468,"status":200}
> {code}
> Note {{jmx.acl.java.lang.Memory.cfg}} only allows {{manager}} (not {{viewer}}) to invoke {{gc()}}:
> {code}
> $ cat etc/jmx.acl.java.lang.Memory.cfg
> ...
> gc = manager
> {code}
> This is actually an old issue, which must have been caused by KARAF-3147, as Jolokia is considered to be a local JMX connection.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
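Added example (not code from the report or from the Karaf project): an offline check that parses a Karaf-style `jmx.acl.*.cfg` excerpt and compares it with the Jolokia exec response quoted in the report, flagging a bypass when a role that is not listed for the operation still gets `status: 200`. The key-specificity ordering (`gc()` before `gc` before `*`) is an assumption of this example.

```python
"""Compare a Jolokia exec result with what a Karaf JMX ACL file permits."""
import json

# Constructed sample input: the relevant line of etc/jmx.acl.java.lang.Memory.cfg
# and the Jolokia response body as quoted in the report.
ACL_CFG = """
# jmx.acl.java.lang.Memory.cfg (constructed excerpt)
gc = manager
"""
JOLOKIA_RESPONSE = (
    '{"request":{"mbean":"java.lang:type=Memory","type":"exec","operation":"gc()"},'
    '"value":null,"timestamp":1556005468,"status":200}'
)


def parse_acl(cfg_text):
    """Parse 'operation = role1, role2' lines into {operation: {roles}}."""
    acl = {}
    for line in cfg_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line or "=" not in line:
            continue
        op, roles = line.split("=", 1)
        acl[op.strip()] = {r.strip() for r in roles.split(",") if r.strip()}
    return acl


def allowed_roles(acl, operation):
    """Roles permitted for an operation; most specific key wins (assumed order)."""
    bare = operation.split("(", 1)[0]  # 'gc()' -> 'gc'
    for key in (operation, bare, "*"):
        if key in acl:
            return acl[key]
    return set()


def acl_enforced(response_json, acl, user_roles):
    """True if the observed outcome (status 200 = invoked) matches the ACL."""
    resp = json.loads(response_json)
    req = resp["request"]
    if req["type"] != "exec":
        return True  # this check only covers operation invocations
    should_allow = bool(allowed_roles(acl, req["operation"]) & set(user_roles))
    invoked = resp["status"] == 200
    return should_allow == invoked


def check_report(user_roles=("viewer",)):
    """Run the check for the report's scenario: viewer calling Memory.gc()."""
    return acl_enforced(JOLOKIA_RESPONSE, parse_acl(ACL_CFG), user_roles)


if __name__ == "__main__":
    print("ACL enforced for viewer:", check_report())  # False: the bypass
```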