Posted to issues@karaf.apache.org by "Tadayoshi Sato (JIRA)" <ji...@apache.org> on 2019/04/23 07:48:00 UTC

[jira] [Created] (KARAF-6251) Jolokia bypasses JMX ACL

Tadayoshi Sato created KARAF-6251:
-------------------------------------

             Summary: Jolokia bypasses JMX ACL
                 Key: KARAF-6251
                 URL: https://issues.apache.org/jira/browse/KARAF-6251
             Project: Karaf
          Issue Type: Bug
          Components: karaf
    Affects Versions: 4.2.5
            Reporter: Tadayoshi Sato


For example, after you install {{jolokia}} feature:
{code}
karaf@root()> feature:install jolokia
{code}
the invocation of {{Memory.gc()}} over Jolokia always succeeds even if the user {{viewer}} doesn't have the right:
{code}
$ curl -s -u viewer:viewer http://localhost:8181/jolokia/exec/java.lang:type=Memory/gc\(\)
{"request":{"mbean":"java.lang:type=Memory","type":"exec","operation":"gc()"},"value":null,"timestamp":1556005468,"status":200}
{code}
Note {{jmx.acl.java.lang.Memory.cfg}} only allows {{manager}} (not {{viewer}}) to invoke {{gc()}}:
{code}
$ cat etc/jmx.acl.java.lang.Memory.cfg
...
gc = manager
{code}

This is actually an old issue, which must have been caused by KARAF-3147, as Jolokia is considered to be a local JMX connection.
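An added check (not part of the report or of Karaf) that reproduces the mismatch above offline: it parses the {{jmx.acl.*.cfg}} line, decides whether the caller's roles would be allowed by the ACL, and flags a bypass when a Jolokia {{exec}} reply nevertheless reports status 200. The lookup order (exact signature, bare operation name, then {{*}}) is a simplified assumption about Karaf's matching rules, and the role {{viewer}} for user {{viewer}} is assumed.

```python
import json

# Constructed sample input: the ACL line quoted in the report and the Jolokia reply it shows.
ACL_CFG = """\
# jmx.acl.java.lang.Memory.cfg (sample, constructed for this example)
gc = manager
"""
JOLOKIA_REPLY = ('{"request":{"mbean":"java.lang:type=Memory","type":"exec","operation":"gc()"},'
                 '"value":null,"timestamp":1556005468,"status":200}')


def parse_jmx_acl(text):
    """Parse 'operation = role1, role2' lines into {operation: {roles}}; skip comments and blanks."""
    acl = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        acl[key.strip()] = {r.strip() for r in value.split(",") if r.strip()}
    return acl


def roles_for(acl, operation):
    """Simplified lookup (assumption): 'gc()' with signature first, then bare 'gc', then '*'."""
    name = operation.split("(")[0]
    for key in (operation, name, "*"):
        if key in acl:
            return acl[key]
    return set()  # no matching entry: treat as deny


def acl_permits(acl, operation, user_roles):
    """True when at least one of the caller's roles is listed for the operation."""
    return bool(roles_for(acl, operation) & set(user_roles))


def detect_bypass(acl_text, user_roles, reply_json):
    """Flag a bypass when the ACL would deny the exec but Jolokia still returned status 200."""
    reply = json.loads(reply_json)
    request = reply.get("request", {})
    operation = request.get("operation", "")
    executed = reply.get("status") == 200 and request.get("type") == "exec"
    permitted = acl_permits(parse_jmx_acl(acl_text), operation, user_roles)
    return {"operation": operation, "permitted_by_acl": permitted,
            "executed": executed, "bypass": executed and not permitted}


if __name__ == "__main__":
    # Role "viewer" for user viewer is an assumption about etc/users.properties.
    print(detect_bypass(ACL_CFG, ["viewer"], JOLOKIA_REPLY))
```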
