[ https://issues.apache.org/jira/browse/ARTEMIS-3014?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Justin Bertram resolved ARTEMIS-3014.
-------------------------------------
Fix Version/s: 2.17.0
Resolution: Fixed

> Console Jolokia isn't guarded by JMX RBAC
> -----------------------------------------
>
> Key: ARTEMIS-3014
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3014
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Components: JMX, Web Console
> Affects Versions: 2.16.0
> Reporter: Tadayoshi Sato
> Priority: Major
> Fix For: 2.17.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Management RBAC configuration with {{management.xml}} doesn't seem to be
> adhered to if an MBean operation is invoked via Console Jolokia.
> For example, when I have an RBAC config in {{etc/management.xml}} as follows:
> {code:xml}
> <role-access>
>   <match domain="java.lang" key="type=Memory">
>     <access method="gc" roles="notamq"/>
>   </match>
>   [...]
> </role-access>
> {code}
> directly invoking {{java.lang:type=Memory/gc()}} from Jolokia still passes
> (note the user {{admin}} has role {{amq}}, not {{notamq}}):
> {code}
> $ curl -s -u admin:admin http://localhost:8161/console/jolokia/exec/java.lang:type=Memory/gc\(\) | jq
> {
>   "request": {
>     "mbean": "java.lang:type=Memory",
>     "type": "exec",
>     "operation": "gc()"
>   },
>   "value": null,
>   "timestamp": 1606375060,
>   "status": 200
> }
> {code}
> It appears Artemis shares the same problem as Karaf KARAF-6251, where
> authenticated JMX invocations via Jolokia aren't guarded.
> Note for 2.16.0 I removed Hawtio's {{RBACRestrictor}} for Artemis as I
> thought Artemis would guard RBAC for JMX by itself instead of relying on this
> Hawtio feature, but do we really need {{RBACRestrictor}} for Artemis?
> https://github.com/hawtio/hawtio/issues/2650

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
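As an added illustration (not Artemis's own code), a simplified Python model of the check the reporter expected the management.xml role-access rules to apply to the Jolokia exec request quoted above; the config is constructed, and the first-match-wins and glob-method semantics are assumptions, not a statement of how the broker evaluates the file.

```python
# Added example, not Artemis code: a simplified model of how a management.xml
# <role-access> section should gate a Jolokia exec request. Assumed semantics:
# first matching <match> wins, keys compare exactly, method attribute is a glob.
import fnmatch
import xml.etree.ElementTree as ET

# Constructed config in the shape quoted in the issue (namespace omitted).
MANAGEMENT_XML = """<management-context>
  <authorisation>
    <default-access>
      <access method="get*" roles="amq"/>
      <access method="*" roles="amq"/>
    </default-access>
    <role-access>
      <match domain="java.lang" key="type=Memory">
        <access method="gc" roles="notamq"/>
      </match>
    </role-access>
  </authorisation>
</management-context>"""


def _roles_for(access_entries, method):
    """Roles of the first <access> whose method glob matches, else None."""
    for access in access_entries:
        if fnmatch.fnmatchcase(method, access.get("method", "")):
            return {r.strip() for r in access.get("roles", "").split(",") if r.strip()}
    return None


def allowed_roles(config_xml, mbean, operation):
    """Roles permitted to invoke `operation` (e.g. "gc()") on `mbean`."""
    domain, _, key = mbean.partition(":")
    method = operation.split("(", 1)[0]
    root = ET.fromstring(config_xml)
    for match in root.iter("match"):  # specific rules take precedence
        if match.get("domain") != domain:
            continue
        if match.get("key") is not None and match.get("key") != key:
            continue
        roles = _roles_for(match.findall("access"), method)
        if roles is not None:
            return roles
    default = root.find(".//default-access")  # fall back to default-access
    return _roles_for(default.findall("access") if default is not None else [], method) or set()


def is_authorised(config_xml, mbean, operation, user_roles):
    """True when the caller's roles intersect the roles the config allows."""
    return bool(allowed_roles(config_xml, mbean, operation) & set(user_roles))
```

With this config a caller holding only `amq` is denied `java.lang:type=Memory/gc()` while `getUptime()` on another `java.lang` MBean falls through to `default-access`; the 200 response in the issue shows the Jolokia path in 2.16.0 never applied that denial.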