Hi

The JMX access control will be implemented as follows for *c4*

Since a custom authentication is already implemented the authorization will
be done using the access file. For this the access file will contain the
role names and the JMXPrincipal will be created for role names. This needs
the following changes.

   - Currently the authorization is done by checking for permissions of a
   user. This will be changed to authorize using the role name.
   - The user should create two roles as *JMXMonitorRole* (readOnly) and
   *JMXControlRole* (readWrite) and assign either of them to users depending on
   the preferred level of access
   - The access file will contain entries for *JMXMonitorRole* and
   *JMXControlRole* with readonly and readwrite privileges respectively
   - The access file also should be included in the environment map of
   jmxConnectorServer using
   - The file should be set as a system property in the wso2server.sh file using
   *com.sun.management.jmxremote.access.file=<FILE_PATH>*

The following code changes will be done in CarbonJMXAuthenticator.java [1]
and JMXServerManager.java [2].

*CarbonJMXAuthenticator.java*

*+authorize(userName: String): boolean*

private boolean authorize(String userName) throws UserStoreException {
    UserStoreManager authorizer;
    boolean isAuthorized = false;
    try {
        authorizer = userRealm.getUserStoreManager();
    } catch (UserStoreException e) {
        String msg = "Cannot get authorizer from Realm";
        log.error(msg, e);
        throw new SecurityException(msg, e);
    }

    // Roles of the authenticated user from the user store; the matched role is
    // kept in the roleName field and becomes the JMXPrincipal in authenticate()
    List<String> userRoles = Arrays.asList(authorizer.getRoleListOfUser(userName));
    if (userRoles.contains("JMXMonitorRole")) {
        // Checked first, so a user holding both roles is mapped to the read-only role
        roleName = "JMXMonitorRole";
        isAuthorized = true;
    } else if (userRoles.contains("JMXControlRole")) {
        roleName = "JMXControlRole";
        isAuthorized = true;
    }
    return isAuthorized;
}


*+authenticate(credentials: Object) : Subject - line 116 in [1]*

Collections.singleton(new JMXPrincipal(userName)) to Collections.singleton(new JMXPrincipal(roleName))


*JMXServerManager.java*

*+startJMXService(): void - new addition between line 122-123*

// Path of the access file, set as a system property in wso2server.sh
String accessFilePath = System.getProperty("com.sun.management.jmxremote.access.file");
if (accessFilePath == null) {
    // With no access file the connector applies no file-based authorization, so fail fast
    throw new IllegalStateException("com.sun.management.jmxremote.access.file is not set");
}
env.put("jmx.remote.x.access.file", accessFilePath);

[1]
https://github.com/wso2/carbon-kernel/blob/v4.4.11-rc1/core/org.wso2.carbon.core/src/main/java/org/wso2/carbon/core/security/CarbonJMXAuthenticator.java
[2]
https://github.com/wso2/carbon-kernel/blob/v4.4.11-rc1/core/org.wso2.carbon.core/src/main/java/org/wso2/carbon/core/init/JMXServerManager.java


Thank you

Regards,
Asma
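
A self-contained sketch of the role-to-JMXPrincipal mapping described above, added here as an example and not code from carbon-kernel; UserStore is a hypothetical stand-in for the realm's UserStoreManager, and the matched role is returned from a method rather than stored in a shared field so that concurrent authenticate() calls cannot see each other's result.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.management.remote.JMXAuthenticator;
import javax.management.remote.JMXPrincipal;
import javax.security.auth.Subject;

public class RoleBasedJmxAuthenticator implements JMXAuthenticator {
    // The access file (jmx.remote.x.access.file) then lists roles, not users:
    //   JMXMonitorRole readonly
    //   JMXControlRole readwrite
    static final String MONITOR_ROLE = "JMXMonitorRole";
    static final String CONTROL_ROLE = "JMXControlRole";

    // Hypothetical stand-in for the Carbon realm's UserStoreManager.
    public interface UserStore {
        boolean authenticate(String user, String password);
        String[] getRoleListOfUser(String user);
    }

    private final UserStore store;
    public RoleBasedJmxAuthenticator(UserStore store) { this.store = store; }

    // The role is returned rather than kept in a shared field, so concurrent
    // authenticate() calls cannot observe each other's result. The monitor
    // (read-only) role takes precedence, as in the proposed change.
    String resolveRole(String user) {
        List<String> roles = Arrays.asList(store.getRoleListOfUser(user));
        if (roles.contains(MONITOR_ROLE)) return MONITOR_ROLE;
        if (roles.contains(CONTROL_ROLE)) return CONTROL_ROLE;
        return null; // authenticated but holds no JMX role: denied below
    }

    @Override
    public Subject authenticate(Object credentials) {
        if (!(credentials instanceof String[]) || ((String[]) credentials).length != 2) {
            throw new SecurityException("Credentials must be a String[] {user, password}");
        }
        String[] creds = (String[]) credentials;
        if (!store.authenticate(creds[0], creds[1])) throw new SecurityException("Authentication failed");
        String role = resolveRole(creds[0]);
        if (role == null) throw new SecurityException("User holds no JMX role");
        // The principal carried by the Subject is the ROLE name the access file is checked against
        return new Subject(true, Collections.singleton(new JMXPrincipal(role)),
                Collections.emptySet(), Collections.emptySet());
    }
}
```

The connector server then receives this authenticator under JMXConnectorServer.AUTHENTICATOR and the access file path under jmx.remote.x.access.file in the same environment map.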

On Wed, Apr 26, 2017 at 10:51 AM, Asma Jabir <[email protected]> wrote:

> Hi Isuru
>
> Yes I have started working on it and after the initial discussion
> following are the approaches that were planned to implement so far.
>
>    - Using password and access files
>    - Using custom authentication with CAAS [1] to replace the password
>    file and using the access file for authorization
>
> If you have any requirements please share so we can discuss and seek
> possibilities to satisfy them.
>
>
> [1] https://github.com/this/carbon-uuf/tree/master/samples/osgi-bundles/org.wso2.carbon.uuf.sample.simple-auth.bundle/src/main/java/org/wso2/carbon/uuf/sample/simpleauth/bundle
>
> Thank you
>
> Regards,
> Asma
>
> On Tue, Apr 25, 2017 at 8:19 PM, Isuru Perera <[email protected]> wrote:
>
>> Hi Asma,
>>
>> Did you start working on this?
>>
>> On Fri, Apr 7, 2017 at 6:07 PM, Asma Jabir <[email protected]> wrote:
>>
>>> Hi
>>>
>>> With regard to the $subject issue in the c5 repo [1], we could use
>>> several ways to implement a role based access control.
>>>
>>> 1. Using the password and access files
>>>
>>>    - This is the inbuilt mechanism in JMX for monitoring and management
>>>    which uses 2 properties-based text files to restrict access to readOnly
>>>    or readWrite for users. The password file contains username/password pairs
>>>    which are used to authenticate and the access file contains
>>>    username/privilege pairs which authorize with readOnly or readWrite
>>>    access.
>>>    - A user will get either the *control over all* processes *or* just
>>>    *a view of all* depending on the access level.
>>>    - SSL is enabled by default for remote monitoring and thus the SSL
>>>    should be configured properly after setting up a digital certificate.
>>>    System properties for keystore and truststore should be set in the
>>>    server.
>>>
>>> 2. Using custom authorization
>>>
>>>    - If the completely readOnly or readWrite approach is not
>>>    appropriate, a fine-grained authorization can be done using either of the
>>>    following in lieu of the access file:
>>>
>>> i. Java Policy file  - The file should be supplied as a system property
>>> on server startup.
>>>
>>> ii. Custom authorization using a server-side code
>>>
>>>
>>> 3. Using custom authentication
>>>
>>>    - The JMXAuthenticator [2] interface is based on the JAAS login module.
>>>    Thus, a custom JAAS authentication can be used for authentication in lieu
>>>    of the password file.
>>>    - The access file or one of the methods stated in *2.* can be used
>>>    for authorization.
>>>    - The JAAS configurations should be loaded on server startup by
>>>    setting a system property.
>>>
>>> [1] https://github.com/wso2/carbon-kernel/issues/1247
>>> [2] http://docs.oracle.com/javase/7/docs/api/javax/management/remote/JMXAuthenticator.html
>>>
>>> Thank you
>>>
>>> Regards,
>>> Asma
>>> --
>>> Asma Zinneera Jabir
>>> Software Engineer
>>> WSO2 Inc: http://wso2.com/
>>> Contact No: +94 77 332 4752
>>>
>>>
>>>
>>> _______________________________________________
>>> Architecture mailing list
>>> [email protected]
>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>
>>>
>>
>>
>> --
>> Isuru Perera
>> Technical Lead | WSO2, Inc. | http://wso2.com/
>> Lean . Enterprise . Middleware
>>
>> about.me/chrishantha
>> Contact: +IsuruPereraWSO2 <https://www.google.com/+IsuruPereraWSO2/about>
>>
>
