Re: Is local access to MBeans also protected

Sun, 22 Mar 2015 07:14:03 -0700

Maybe I'm missing something, but a simple Pax run shows that MBeans are accessible: 
E.g:

@RunWith(PaxExam.class)
@ExamReactorStrategy(PerClass.class)
public class JmxAccessPaxTest {
  public static final String GROUP_ID = "org.apache.karaf";
  public static final String ARTIFACT_ID = "apache-karaf";

  @Configuration
  public Option[] config() {
    return new Option[] {
karafDistributionConfiguration().frameworkUrl(maven().groupId(GROUP_ID).artifactId(ARTIFACT_ID).type("zip").versionAsInProject())
.karafVersion(MavenUtils.getArtifactVersion(GROUP_ID, ARTIFACT_ID)).unpackDirectory(new File("target/paxexam/")).useDeployFolder(false), 
        configureConsole().ignoreLocalConsole().startRemoteShell() };
  }

  @Test
  public void test_jmxAccess() throws Exception {
    MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
ObjectName queryObjectName = new ObjectName("org.apache.karaf:type=*,name=*"); 
    Set<ObjectName> mySet = mbs.queryNames(queryObjectName, null);
    for (ObjectName on : mySet) {
      System.out.println(on.getCanonicalName());
    }
ObjectName karafLog = new ObjectName("org.apache.karaf:type=log,name=root"); System.out.println(karafLog.getCanonicalName() + " Level=" + mbs.getAttribute(karafLog, "Level")); 
  }

}

I'll open a JIRA if this should not be possible.

On 10.03.2015 14:38, Achim Nierbeck wrote:

Hi,

I think I've seen this behavior too. AFAIC this is a bug.
Do you happen to have a scenario where it's really reproducible?
Could you open a issue for it?

Thanks, Achim
2015-03-10 14:23 GMT+01:00 Martin Lichtin <[email protected] <mailto:[email protected]>>: 

    I understand that access to MBeans is protected via RBAC mechanism:

    http://karaf.apache.org/manual/latest/users-guide/monitoring.html

    However, is this also the case for code running inside Karaf?
    E.g. when doing



       MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();

    it seems I can access all MBeans without requiring a
    username/password.

    However, this is not reliable.
    Depending on startup timing (or something else), _sometimes_
    I receive "Insufficient roles/credentials for operation" for a query,
    indicating that KarafMBeanServerGuard is intervening.




--

Apache Member
Apache Karaf <http://karaf.apache.org/> Committer & PMC
OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer & Project Lead 
blog <http://notizblog.nierbeck.de/>
Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>

Software Architect / Project Manager / Scrum Master

Reply via email to