You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@activemq.apache.org by "Domenico Francesco Bruscino (Jira)" <ji...@apache.org> on 2021/06/03 08:58:00 UTC

[jira] [Commented] (ARTEMIS-3325) JMX guard blocks local access to Artemis MBeans

    [ https://issues.apache.org/jira/browse/ARTEMIS-3325?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17356295#comment-17356295 ] 

Domenico Francesco Bruscino commented on ARTEMIS-3325:
------------------------------------------------------

ActiveMQ Artemis 2.16 MBean guards don't work as expected because of a bug fixed by ARTEMIS-3014. ActiveMQ Artemis 2.17 restored the right behavior as ActiveMQ Artemis 2.15 and earlier versions.
Finally, allowing local read access without the RBAC limitations could cause security issues.

> JMX guard blocks local access to Artemis MBeans
> -----------------------------------------------
>
>                 Key: ARTEMIS-3325
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3325
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: JMX
>    Affects Versions: 2.17.0
>            Reporter: Andrew
>            Priority: Minor
>              Labels: JConsole, JMX, artemis, documentation
>         Attachments: image-2021-06-02-14-48-40-876.png
>
>
> In 2.17.0, there were some changes to JMX RBAC which enforces guarded JMX access.
> While this is fine for remote access to JMX, or the HTTP access to JMX via Hawtio/Jolokia, it does seem that local connections are blocked from reading the Mbeans for:
> {code:java}
>  org.apache.activemq.artemis.*{code}
> This wasn't the case for 2.16.0 and earlier.
> Since there doesn't seem to be a way to pass authentication on the JMX Attach API with something like Jconsole, therefore we need a bypass for the guarded access to enable read-only access to the Artemis Mbeans for monitoring purposes. As you can see, they are in 'unavailable' state for Jconsole.
> !image-2021-06-02-14-48-40-876.png!
> The Artemis documentation on security states that Jconsole will use BasicSecurityManager, not JAAS, but it's not made clear that this means only remote access: [https://activemq.apache.org/components/artemis/documentation/latest/security.html#basic-security-manager]
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)