[ https://issues.apache.org/jira/browse/KARAF-4600?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Freeman Fang reassigned KARAF-4600:
-----------------------------------

    Assignee: Freeman Fang

> RBAC - MBean fails to resolve ACL if the order of properties in object name 
> differs
> -----------------------------------------------------------------------------------
>
>                 Key: KARAF-4600
>                 URL: https://issues.apache.org/jira/browse/KARAF-4600
>             Project: Karaf
>          Issue Type: Bug
>          Components: karaf-security
>    Affects Versions: 4.0.5
>            Reporter: Tadayoshi Sato
>            Assignee: Freeman Fang
>
> An MBean:
> {code}
> org.apache.activemq:type=Broker,brokerName=amq-broker,destinationType=Queue,destinationName=TEST
> {code}
> has an ACL file with the following configuration:
> {{etc/jmx.acl.org.apache.activemq.Broker._.Queue.cfg}}
> {code}
> browse* = viewer
> {code}
> While {{JMXSecurityMBean#canInvoke(String, String)}} returns {{true}} for the 
> viewer role on this object name:
> {code}
> org.apache.activemq:type=Broker,brokerName=amq-broker,destinationType=Queue,destinationName=TEST
> {code}
> and operation {{"browse"}}, it returns {{false}} on the canonical form of the 
> same object name and operation, i.e.:
> {code}
> org.apache.activemq:brokerName=amq-broker,destinationName=TEST,destinationType=Queue,type=Broker
> {code}
> and RBAC doesn't work correctly.
> The root cause is that the resolution of ACL configuration is affected by the 
> order of properties in an object name. In the original form of the object 
> name, ACL resolves as:
> {code}
> org.apache.activemq.Broker.amq-broker.Queue.TEST
> {code}
> whereas in the canonical form it resolves as:
> {code}
> org.apache.activemq.Broker.amq-broker.TEST.Queue
> {code}
> and thus cannot find the correct ACL file (note the {{"type"}} property 
> precedes others due to KARAF-3020).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
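
The order dependence described in the report, as an added example that is not part of the original message and is not Karaf's code. It uses a simplified model of the resolution the report describes (domain, then the `type` value, then the remaining values in the order given, with `_` in the ACL PID matching any one segment); the class and method names are hypothetical, and the sample names are assumed to contain no quoted values.

```java
import javax.management.ObjectName;
import java.util.ArrayList;
import java.util.List;

public class AclOrderCheck {

    // Simplified model (assumption, not Karaf's implementation):
    // domain first, then the "type" value, then the other values as ordered in the string.
    static String aclSegments(String objectName) throws Exception {
        ObjectName on = new ObjectName(objectName);
        List<String> segs = new ArrayList<>();
        segs.add(on.getDomain());
        String type = on.getKeyProperty("type");
        if (type != null) segs.add(type);
        // getKeyPropertyListString() keeps the property order of the constructor string
        for (String kv : on.getKeyPropertyListString().split(",")) {
            String[] p = kv.split("=", 2);
            if (!p[0].equals("type")) segs.add(p[1]);
        }
        return String.join(".", segs);
    }

    // True if the ACL PID is a segment-wise prefix of the resolved name ("_" = any segment).
    static boolean matches(String aclPid, String resolved) {
        String[] a = aclPid.split("\\."), r = resolved.split("\\.");
        if (a.length > r.length) return false;
        for (int i = 0; i < a.length; i++)
            if (!a[i].equals("_") && !a[i].equals(r[i])) return false;
        return true;
    }

    public static void main(String[] args) throws Exception {
        // PID taken from the ACL file name in the report (jmx.acl. prefix and .cfg removed)
        String acl = "org.apache.activemq.Broker._.Queue";
        String given = "org.apache.activemq:type=Broker,brokerName=amq-broker,"
                     + "destinationType=Queue,destinationName=TEST";
        String canonical = new ObjectName(given).getCanonicalName();

        // JMX considers both strings to name the same MBean.
        System.out.println("same MBean: " + new ObjectName(given).equals(new ObjectName(canonical)));
        for (String name : new String[] {given, canonical}) {
            String resolved = aclSegments(name);
            System.out.println(resolved + " -> ACL " + (matches(acl, resolved) ? "found" : "NOT found"));
        }
    }
}
```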
