Posted to issues@activemq.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2020/11/30 17:13:00 UTC

[jira] [Commented] (ARTEMIS-3014) Console Jolokia isn't guarded by JMX RBAC

    [ https://issues.apache.org/jira/browse/ARTEMIS-3014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17240895#comment-17240895 ] 

ASF subversion and git services commented on ARTEMIS-3014:
----------------------------------------------------------

Commit 7eb22c18db4bd81ef79c619173579cb54442fa9e in activemq-artemis's branch refs/heads/master from Domenico Francesco Bruscino
[ https://gitbox.apache.org/repos/asf?p=activemq-artemis.git;h=7eb22c1 ]

ARTEMIS-3014 Fix JMX RBAC guard


> Console Jolokia isn't guarded by JMX RBAC
> -----------------------------------------
>
>                 Key: ARTEMIS-3014
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3014
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: JMX, Web Console
>    Affects Versions: 2.16.0
>            Reporter: Tadayoshi Sato
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Management RBAC configuration with {{management.xml}} doesn't seem to be adhered to if an MBean operation is invoked via Console Jolokia.
> For example, when I have an RBAC config in {{etc/management.xml}} as follows:
> {code:xml}
>       <role-access>
>          <match domain="java.lang" key="type=Memory">
>             <access method="gc" roles="notamq"/>
>          </match>
>          [...]
>       </role-access>
> {code}
> directly invoking {{java.lang:type=Memory/gc()}} from Jolokia still passes (note the user {{admin}} has role {{amq}} not {{notamq}}):
> {code}
> $ curl -s -u admin:admin http://localhost:8161/console/jolokia/exec/java.lang:type=Memory/gc\(\) | jq 
> {
>   "request": {
>     "mbean": "java.lang:type=Memory",
>     "type": "exec",
>     "operation": "gc()"
>   },
>   "value": null,
>   "timestamp": 1606375060,
>   "status": 200
> }
> {code}
> It appears Artemis shares the same problem with Karaf KARAF-6251, where authenticated JMX invocations via Jolokia aren't guarded.
> Note for 2.16.0 I removed Hawtio's {{RBACRestrictor}} for Artemis, as I thought Artemis would guard RBAC for JMX by itself instead of relying on this Hawtio feature, but do we really need {{RBACRestrictor}} for Artemis?
> https://github.com/hawtio/hawtio/issues/2650

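An added offline check, not part of the issue or of the Artemis code base, that models the quoted management.xml rule and flags a Jolokia exec reply that succeeded although the rule gives the caller's roles no access. The matching semantics (first matching domain/key rule decides, shell-style method wildcards, deny when nothing matches) and the shape of the 403 reply are simplified assumptions, not Artemis' actual implementation.

```python
import json
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed etc/management.xml fragment reproducing the issue's <role-access> rule.
MANAGEMENT_XML = """<management-context xmlns="http://activemq.org/schema">
  <authorisation>
    <role-access>
      <match domain="java.lang" key="type=Memory">
        <access method="gc" roles="notamq"/>
      </match>
    </role-access>
  </authorisation>
</management-context>"""

# Constructed Jolokia replies: the 200 quoted in the issue, and an assumed shape for an enforced denial.
JOLOKIA_OK = '{"request":{"mbean":"java.lang:type=Memory","type":"exec","operation":"gc()"},"value":null,"timestamp":1606375060,"status":200}'
JOLOKIA_DENIED = '{"request":{"mbean":"java.lang:type=Memory","type":"exec","operation":"gc()"},"error_type":"java.lang.SecurityException","error":"denied","status":403}'

def load_rules(xml_text):
    """Flatten <match>/<access> entries into (domain, key set, [(method, roles)]); namespace-agnostic."""
    rules = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split('}')[-1] != 'match':
            continue
        keys = set(filter(None, el.get('key', '').split(',')))
        access = [(a.get('method'), set(a.get('roles', '').split(',')))
                  for a in el if a.tag.split('}')[-1] == 'access']
        rules.append((el.get('domain'), keys, access))
    return rules

def allowed_by_config(rules, mbean, operation, user_roles):
    """Simplified model (assumption): the first rule whose domain and key properties match the
    ObjectName decides; method patterns are shell-style (e.g. list*); no matching rule means deny."""
    domain, _, props = mbean.partition(':')
    prop_set = set(props.split(','))
    op_name = operation.split('(')[0]
    for rule_domain, keys, access in rules:
        if rule_domain == domain and keys <= prop_set:
            for method, roles in access:
                if fnmatchcase(op_name, method):
                    return bool(roles & set(user_roles))
    return False

def detect_bypass(xml_text, response_json, user_roles):
    """True when the broker executed an exec operation the config says this user may not call."""
    resp = json.loads(response_json)
    req = resp.get('request', {})
    if req.get('type') != 'exec':
        return False
    expected = allowed_by_config(load_rules(xml_text), req['mbean'], req['operation'], user_roles)
    return resp.get('status') == 200 and not expected
```

Run against the issue's reply with the {{admin}} user's role {{amq}} it reports a bypass; with role {{notamq}} or a 403 reply it does not.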


--
This message was sent by Atlassian Jira
(v8.3.4#803005)