Repository: karaf
Updated Branches:
refs/heads/master ad559c07a -> 7623268d6
[KARAF-3293]more fine-grained way to specify the jmx.acl.whitelist.cfg
(cherry picked from commit edb7b1bc40be6ad65d65c9e1b3c18ba2a2ca80a3)
Conflicts:
management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
(cherry picked from commit 92047740249b2492c33673a99d1bf9f998f2606a)
Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/7623268d
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/7623268d
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/7623268d
Branch: refs/heads/master
Commit: 7623268d6bdb2a9ce27456c3eb9fc56bdfc034b0
Parents: ad559c0
Author: Freeman Fang <[email protected]>
Authored: Thu Oct 16 15:39:07 2014 +0800
Committer: Freeman Fang <[email protected]>
Committed: Thu Oct 16 16:02:07 2014 +0800
----------------------------------------------------------------------
.../karaf/management/KarafMBeanServerGuard.java | 35 ++++++++++++++------
1 file changed, 25 insertions(+), 10 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/karaf/blob/7623268d/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
----------------------------------------------------------------------
diff --git
a/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
b/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
index 1a9ebe7..9776346 100644
---
a/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
+++
b/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
@@ -31,7 +31,10 @@ import java.lang.reflect.Method;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.List;
import java.util.regex.Pattern;
import org.slf4j.Logger;
@@ -180,7 +183,7 @@ public class KarafMBeanServerGuard implements
InvocationHandler {
}
private boolean canInvoke(ObjectName objectName, String methodName,
String[] signature) throws IOException {
- if (canBypassRBAC(objectName)) {
+ if (canBypassRBAC(objectName, methodName)) {
return true;
}
for (String role : getRequiredRoles(objectName, methodName,
signature)) {
@@ -201,9 +204,9 @@ public class KarafMBeanServerGuard implements
InvocationHandler {
}
if (prefix == null) {
LOG.debug("Attribute " + attributeName + " can not be found for
MBean " + objectName.toString());
+ } else {
+ handleInvoke(objectName, prefix + attributeName, new Object[]{},
new String[]{});
}
-
- handleInvoke(objectName, prefix + attributeName, new Object[]{}, new
String[]{});
}
private void handleGetAttributes(MBeanServer proxy, ObjectName objectName,
String[] attributeNames) throws JMException, IOException {
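Review bot: In the `prefix == null` branch the method now returns after a debug log without calling `handleInvoke`, so no role check runs for an attribute name that was not resolved. The lookup that sets `prefix` and the code that performs the actual read are outside this hunk, so it is not visible whether an unresolved name is rejected later; if it is not, this path fails open. Consider failing closed here, e.g. `throw new AttributeNotFoundException(attributeName);` if the method's `throws` clause permits it, or at least log at `warn` rather than `debug` so skipped checks show up in audit logs.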
@@ -233,8 +236,8 @@ public class KarafMBeanServerGuard implements
InvocationHandler {
handleSetAttribute(proxy, objectName, attr);
}
}
-
- private boolean canBypassRBAC(ObjectName objectName) {
+
+ private boolean canBypassRBAC(ObjectName objectName, String operationName)
{
List<String> allBypassObjectName = new ArrayList<String>();
try {
Configuration[] configs =
configAdmin.listConfigurations("(service.pid=" + JMX_ACL_WHITELIST + ")");
@@ -254,16 +257,28 @@ public class KarafMBeanServerGuard implements
InvocationHandler {
}
for (String pid : iterateDownPids(getNameSegments(objectName))) {
- if (!pid.equals("jmx.acl")
- &&
allBypassObjectName.contains(pid.substring("jmx.acl.".length()))) {
- return true;
+ if (!pid.equals("jmx.acl")) {
+ for (String bypassObjectName : allBypassObjectName) {
+ String objectNameAndMethod[] = bypassObjectName.split(";");
+ if (objectNameAndMethod.length > 1) {
+ //check both the ObjectName and MethodName
+ if
(bypassObjectName.equals(pid.substring("jmx.acl.".length())
+ + ";" + operationName)) {
+ return true;
+ }
+ } else {
+ if
(bypassObjectName.equals(pid.substring("jmx.acl.".length()))) {
+ return true;
+ }
+ }
+ }
}
}
return false;
}
void handleInvoke(ObjectName objectName, String operationName, Object[]
params, String[] signature) throws IOException {
- if (canBypassRBAC(objectName)) {
+ if (canBypassRBAC(objectName, operationName)) {
return;
}
for (String role : getRequiredRoles(objectName, operationName, params,
signature)) {
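Review bot: The new `name;operation` whitelist entries are compared on the operation name alone in `canBypassRBAC`, so every overload of a whitelisted operation bypasses RBAC regardless of signature. Attribute reads match only when the entry carries the `get`/`is` prefix that `handleInvoke` receives (see the `prefix + attributeName` call earlier in this diff). Neither rule is documented in the hunk; a Javadoc on `canBypassRBAC` should state the two accepted forms: an entry without `;` bypasses every operation on the matching name, while `name;operation` bypasses only that operation name. As a style point, `pid.substring("jmx.acl.".length())` is recomputed for every entry, and hoisting it to a local before the inner loop would make the comparison easier to audit. The start of the method, including how `allBypassObjectName` is populated, lies outside this hunk.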