Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 2.16.0
- Fix Version/s: None
Description
Management RBAC configuration with management.xml doesn't seem to be adhered to if an MBean operation is invoked via Console Jolokia.
For example, when I have an RBAC config in etc/management.xml as follows:
<role-access>
  <match domain="java.lang" key="type=Memory">
    <access method="gc" roles="notamq"/>
  </match>
  [...]
</role-access>
directly invoking java.lang:type=Memory/gc() from Jolokia still passes (note the user admin has role amq not notamq):
$ curl -s -u admin:admin http://localhost:8161/console/jolokia/exec/java.lang:type=Memory/gc\(\) | jq
{
  "request": {
    "mbean": "java.lang:type=Memory",
    "type": "exec",
    "operation": "gc()"
  },
  "value": null,
  "timestamp": 1606375060,
  "status": 200
}
It appears Artemis shares the same problem with Karaf KARAF-6251, where authenticated JMX invocations via Jolokia aren't guarded.
Note for 2.16.0 I removed Hawtio's RBACRestrictor for Artemis as I thought Artemis would guard RBAC for JMX by itself instead of relying on this Hawtio feature but do we really need RBACRestrictor for Artemis?
https://github.com/hawtio/hawtio/issues/2650
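As an added illustration (not Artemis's or Hawtio's own code) of what the management.xml rules in this report are meant to enforce, the script below evaluates a role-access block offline and shows that a user holding only the amq role must be refused gc() on java.lang:type=Memory. The fnmatch-style wildcard in method names and the deny-by-default outcome are assumptions of this illustration, not a claim about Artemis's exact matching rules.

```python
"""Offline evaluator for an Artemis-style management.xml <role-access> block.

Illustration only: given the roles a user holds and the MBean operation they
try to invoke, decide whether some <match>/<access> rule permits it.
Method patterns may use '*' (assumed); anything not explicitly granted is denied.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed config modelled on the report: only role "notamq" may call gc().
MANAGEMENT_XML = """
<role-access>
  <match domain="java.lang" key="type=Memory">
    <access method="gc" roles="notamq"/>
    <access method="get*" roles="amq,notamq"/>
  </match>
</role-access>
"""


def _parse_object_name(object_name):
    # "java.lang:type=Memory" -> ("java.lang", {"type": "Memory"})
    domain, _, props = object_name.partition(":")
    pairs = dict(p.split("=", 1) for p in props.split(",") if p)
    return domain, pairs


def _key_matches(key, props):
    # The <match> key "type=Memory" must appear among the ObjectName properties.
    if not key:
        return True
    k, _, v = key.partition("=")
    return props.get(k) == v


def is_permitted(xml_text, user_roles, object_name, method):
    """True only if a matching <match> has an <access> whose method pattern
    covers `method` and whose roles intersect the user's roles."""
    root = ET.fromstring(xml_text)
    domain, props = _parse_object_name(object_name)
    roles = set(user_roles)
    for match in root.iter("match"):
        if match.get("domain") != domain or not _key_matches(match.get("key"), props):
            continue
        for access in match.findall("access"):
            if not fnmatch.fnmatchcase(method, access.get("method", "")):
                continue
            allowed = {r.strip() for r in access.get("roles", "").split(",") if r.strip()}
            if roles & allowed:
                return True
    return False  # deny by default: no rule granted the call


if __name__ == "__main__":
    # The report's case: admin holds "amq", so gc() must be refused.
    print(is_permitted(MANAGEMENT_XML, ["amq"], "java.lang:type=Memory", "gc"))     # False
    print(is_permitted(MANAGEMENT_XML, ["notamq"], "java.lang:type=Memory", "gc"))  # True
```

A broker that enforces the configuration should return a non-200 Jolokia status for the first case; the 200 shown in the report is the symptom.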