Tadayoshi Sato updated WFCORE-2061:
-----------------------------------
Steps to Reproduce:
# Copy the attached {{standalone.xml}} to {{$WFLY_HOME/standalone/configuration/}}
# Add user {{admin}}:
{code}
$ ./bin/add-user.sh -u admin -p p@ssw0rd
{code}
# Start WildFly 10.1.0.Final:
{code}
$ ./bin/standalone.sh
{code}
# Run the attached reproducer {{wildfly-jmx-auth}}:
{code}
$ mvn clean test
{code}
# You'll see the test fails showing
{quote}javax.management.JMRuntimeException: WFLYJMX0037: Unauthorized access{quote}
in the server log
was:
# Copy the attached {{standalone.xml}} to {{$WFLY_HOME/standalone/configuration/}}
# Add user {{admin}}:
{code}
$ ./bin/add-user.sh -u admin -p p@ssw0rd
{code}
# Start WildFly:
{code}
$ ./bin/standalone.sh
{code}
# Run the attached reproducer {{wildfly-jmx-auth}}:
{code}
$ mvn clean test
{code}
# You'll see the test fails showing
{quote}javax.management.JMRuntimeException: WFLYJMX0037: Unauthorized access{quote}
in the server log
JMX access unauthorized after RBAC enabled
------------------------------------------
Key: WFCORE-2061
URL: https://issues.jboss.org/browse/WFCORE-2061
Project: WildFly Core
Issue Type: Bug
Components: JMX, Security
Affects Versions: 2.2.0.Final
Reporter: Tadayoshi Sato
Assignee: Kabir Khan
Priority: Critical
Attachments: standalone.xml, wildfly-jmx-auth.zip
After RBAC is enabled, even a user ({{"admin"}}) with {{SuperUser}} role fails
to get authorized access to JMX with the following code:
{code:java}
MBeanServer mBeanServer = ...
Subject subject = new Subject();
// Login
new LoginContext("test-domain", subject, callbacks -> { ...
}).login();
// Access to JMX
Subject.doAs(subject, (PrivilegedAction<Object>) () -> {
    mBeanServer.getAttribute(new ObjectName("java.lang:type=Memory"),
            "HeapMemoryUsage");
    return null;
});
{code}
RBAC and role-mapping are enabled in {{standalone.xml}} like this:
{code:xml}
<access-control provider="rbac">
    <role-mapping>
        <role name="SuperUser">
            <include>
                <user name="$local"/>
                <user name="admin"/>
            </include>
        </role>
    </role-mapping>
</access-control>
[...]
<subsystem xmlns="urn:jboss:domain:security:1.2">
    <security-domains>
        [...]
        <security-domain name="test-domain" cache-type="default">
            <authentication>
                <login-module code="RealmDirect" flag="required">
                    <module-option name="realm" value="ManagementRealm"/>
                </login-module>
            </authentication>
        </security-domain>
{code}
The code gets this error in the server log:
{code}
javax.management.JMRuntimeException: WFLYJMX0037: Unauthorized access
at org.jboss.as.jmx.PluggableMBeanServerImpl.authorizeMBeanOperation(PluggableMBeanServerImpl.java:1203)
at org.jboss.as.jmx.PluggableMBeanServerImpl.authorizeMBeanOperation(PluggableMBeanServerImpl.java:1190)
at org.jboss.as.jmx.PluggableMBeanServerImpl.getAttribute(PluggableMBeanServerImpl.java:387)
at com.redhat.issues.wildfly.JmxServlet.readMBeanAttribute(JmxServlet.java:87)
at com.redhat.issues.wildfly.JmxServlet.lambda$process$0(JmxServlet.java:53)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:360)
at com.redhat.issues.wildfly.JmxServlet.process(JmxServlet.java:52)
at com.redhat.issues.wildfly.JmxServlet.doGet(JmxServlet.java:44)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
{code}