You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@activemq.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2020/11/30 17:13:00 UTC
[jira] [Commented] (ARTEMIS-3014) Console Jolokia isn't guarded by
JMX RBAC
[ https://issues.apache.org/jira/browse/ARTEMIS-3014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17240895#comment-17240895 ]
ASF subversion and git services commented on ARTEMIS-3014:
----------------------------------------------------------
Commit 7eb22c18db4bd81ef79c619173579cb54442fa9e in activemq-artemis's branch refs/heads/master from Domenico Francesco Bruscino
[ https://gitbox.apache.org/repos/asf?p=activemq-artemis.git;h=7eb22c1 ]
ARTEMIS-3014 Fix JMX RBAC guard
> Console Jolokia isn't guarded by JMX RBAC
> -----------------------------------------
>
> Key: ARTEMIS-3014
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3014
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Components: JMX, Web Console
> Affects Versions: 2.16.0
> Reporter: Tadayoshi Sato
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Management RBAC configuration with {{management.xml}} doesn't seem to be adhered to if a MBean operation is invoked via Console Jolokia.
> For example, when I have a RBAC config in {{etc/management.xml}} as follow:
> {code:xml}
> <role-access>
> <match domain="java.lang" key="type=Memory">
> <access method="gc" roles="notamq"/>
> </match>
> [...]
> </role-access>
> {code}
> directly invoking {{java.lang:type=Memory/gc()}} from Jolokia still passes (note the user {{admin}} has role {{amq}} not {{notamq}}):
> {code}
> $ curl -s -u admin:admin http://localhost:8161/console/jolokia/exec/java.lang:type=Memory/gc\(\) | jq
> {
> "request": {
> "mbean": "java.lang:type=Memory",
> "type": "exec",
> "operation": "gc()"
> },
> "value": null,
> "timestamp": 1606375060,
> "status": 200
> }
> {code}
> It appears Artemis share the same problem with Karaf KARAF-6251, where authenticated JMX invocations via Jolokia aren't guarded.
> Note for 2.16.0 I removed Hawtio's {{RBACRestrictor}} for Artemis as I thought Artemis would guard RBAC for JMX by itself instead of relying on this Hawtio feature but do we really need {{RBACRestrictor}} for Artemis?
> https://github.com/hawtio/hawtio/issues/2650
--
This message was sent by Atlassian Jira
(v8.3.4#803005)