Posted to issues@karaf.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2016/06/30 02:29:12 UTC

[jira] [Commented] (KARAF-4600) RBAC - MBean fails to resolve ACL if the order of properties in object name differs

    [ https://issues.apache.org/jira/browse/KARAF-4600?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15356338#comment-15356338 ] 

ASF GitHub Bot commented on KARAF-4600:
---------------------------------------

GitHub user tadayosi opened a pull request:

    https://github.com/apache/karaf/pull/205

    [KARAF-4600] RBAC - MBean fails to resolve ACL if the order of properties in object name differs

    https://issues.apache.org/jira/browse/KARAF-4600
    
    This fix makes `KarafMBeanServerGuard` always use the canonical object name when resolving ACL.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/tadayosi/karaf KARAF-4600

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/karaf/pull/205.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #205
    
----
commit ce1b778138d4eee7992b25386aa19c6a7edaf384
Author: Tadayoshi Sato <sa...@gmail.com>
Date:   2016-06-30T02:22:17Z

    [KARAF-4600] RBAC - MBean fails to resolve ACL if the order of properties in object name differs

----


> RBAC - MBean fails to resolve ACL if the order of properties in object name differs
> -----------------------------------------------------------------------------------
>
>                 Key: KARAF-4600
>                 URL: https://issues.apache.org/jira/browse/KARAF-4600
>             Project: Karaf
>          Issue Type: Bug
>          Components: karaf-security
>    Affects Versions: 4.0.5
>            Reporter: Tadayoshi Sato
>
> An MBean:
> {code}
> org.apache.activemq:type=Broker,brokerName=amq-broker,destinationType=Queue,destinationName=TEST
> {code}
> has an ACL file with the following configuration:
> {{etc/jmx.acl.org.apache.activemq.Broker._.Queue.cfg}}
> {code}
> browse* = viewer
> {code}
> While {{JMXSecurityMBean#canInvoke(String, String)}} returns {{true}} for the viewer role on this object name:
> {code}
> org.apache.activemq:type=Broker,brokerName=amq-broker,destinationType=Queue,destinationName=TEST
> {code}
> and operation {{"browse"}}, it returns {{false}} on the canonical form of the same object name and operation, i.e.:
> {code}
> org.apache.activemq:brokerName=amq-broker,destinationName=TEST,destinationType=Queue,type=Broker
> {code}
> and RBAC doesn't work correctly.
> The root cause is that the resolution of ACL configuration is affected by the order of properties in an object name. In the original form of the object name, ACL resolves as:
> {code}
> org.apache.activemq.Broker.amq-broker.Queue.TEST
> {code}
> whereas in the canonical form it resolves as:
> {code}
> org.apache.activemq.Broker.amq-broker.TEST.Queue
> {code}
> and thus cannot find the correct ACL file (note the {{"type"}} property precedes others due to KARAF-3020).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
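
Added example, not part of the original message or of Karaf's code: a Java sketch of the ordering problem the issue describes, run on the two object-name spellings quoted in the report. The helper `pidSuffix` is hypothetical and only mirrors the segment order the report describes (domain, the `type` value, then the remaining values in the order given); it splits naively and assumes unquoted property values.

```java
import javax.management.ObjectName;
import java.util.ArrayList;
import java.util.List;

public class AclPidOrderDemo {

    // Hypothetical helper (not Karaf's code): domain, then the "type" value,
    // then the remaining property values in the order they appear in the name.
    // Naive split: assumes unquoted values that contain no ',' or '='.
    static String pidSuffix(String name) throws Exception {
        ObjectName on = new ObjectName(name);
        List<String> segments = new ArrayList<>();
        segments.add(on.getDomain());
        String type = on.getKeyProperty("type");
        if (type != null) {
            segments.add(type);
        }
        // getKeyPropertyListString() keeps the order the caller supplied.
        for (String pair : on.getKeyPropertyListString().split(",")) {
            String[] kv = pair.split("=", 2);
            if (!"type".equals(kv[0])) {
                segments.add(kv[1]);
            }
        }
        return String.join(".", segments);
    }

    // Normalise first, so every spelling of one MBean yields one lookup key.
    static String canonicalPidSuffix(String name) throws Exception {
        return pidSuffix(new ObjectName(name).getCanonicalName());
    }

    public static void main(String[] args) throws Exception {
        // Both strings are taken from the issue description.
        String original = "org.apache.activemq:type=Broker,brokerName=amq-broker,destinationType=Queue,destinationName=TEST";
        String canonical = "org.apache.activemq:brokerName=amq-broker,destinationName=TEST,destinationType=Queue,type=Broker";

        // JMX itself treats the two spellings as the same MBean.
        System.out.println("same MBean:       " + new ObjectName(original).equals(new ObjectName(canonical)));
        // Order-dependent derivation: two different lookup keys for one MBean.
        System.out.println("as given:         " + pidSuffix(original));
        System.out.println("canonical input:  " + pidSuffix(canonical));
        // Derivation after canonicalisation: one key regardless of spelling.
        System.out.println("keys agree:       " + canonicalPidSuffix(original).equals(canonicalPidSuffix(canonical)));
    }
}
```

The same pattern applies to any authorization lookup keyed on a name that has several equivalent spellings: canonicalise once, at the point of the check, and write the policy entries against the canonical form.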