shailendra singh updated WFLY-9181:
-----------------------------------
Component/s: JMS
ReadOnly user able to perform runtime-only operations on JMS queues through CLI
-------------------------------------------------------------------------------
Key: WFLY-9181
URL: https://issues.jboss.org/browse/WFLY-9181
Project: WildFly
Issue Type: Bug
Components: CLI, JMS
Affects Versions: 11.0.0.Beta1
Reporter: shailendra singh
Assignee: shailendra singh
ReadOnly user able to perform runtime-only operations on JMS queues through CLI.
For example, the 'Monitor' role has permission to remove messages from the queue:
{code:java}
[standalone@localhost:9990 /]
/subsystem=messaging-activemq/server=default/jms-queue=DLQ:remove-messages()
{
"outcome" => "success",
"result" => 14
}
[standalone@localhost:9990 /]
{code}
So even a read-only role ('Monitor') has access to :remove-messages. To show RBAC
is enforced for other CLI operations:
{code:java}
[standalone@localhost:9990 /]
/subsystem=messaging-activemq/server=default/jms-queue=DLQ:remove()
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0313: Unauthorized to execute
operation 'remove' for resource '[
(\"subsystem\" => \"messaging-activemq\"),
(\"server\" => \"default\"),
(\"jms-queue\" => \"DLQ\")
]' -- \"WFLYCTL0332: Permission denied\"",
"rolled-back" => true
}
[standalone@localhost:9990 /]
{code}
Expectation:
The permissions between the monitoring console (GUI) and the CLI should be in sync for flushing a JMS queue.
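A regression check for the expectation above, as an added example that is not part of the report or of WildFly itself: it parses the DMR-style CLI output shown in the two transcripts and flags any mutating jms-queue operation that a Monitor-role session was allowed to run. The sample outputs are constructed to match the transcripts; in practice they would be captured from jboss-cli.sh run as a Monitor user.

```python
import re

# Operations on a jms-queue that a read-only role must never be allowed to run.
# Only the two operations shown in the report are listed; extend as needed.
MUTATING_QUEUE_OPS = {"remove-messages", "remove"}

# Constructed sample: CLI output captured for each operation under the Monitor role,
# mirroring the transcripts in WFLY-9181.
MONITOR_RESULTS = {
    "remove-messages": '{\n    "outcome" => "success",\n    "result" => 14\n}\n',
    "remove": (
        '{\n    "outcome" => "failed",\n'
        '    "failure-description" => "WFLYCTL0313: Unauthorized to execute operation '
        "'remove' for resource '[(\\\"subsystem\\\" => \\\"messaging-activemq\\\")]' "
        '-- \\"WFLYCTL0332: Permission denied\\"",\n'
        '    "rolled-back" => true\n}\n'
    ),
}


def parse_outcome(output):
    """Return the outcome and any WFLYCTL message codes found in DMR-style CLI output."""
    match = re.search(r'"outcome"\s*=>\s*"(\w+)"', output)
    if not match:
        raise ValueError("no outcome field in CLI output")
    return {"outcome": match.group(1), "codes": re.findall(r"WFLYCTL\d{4}", output)}


def is_unauthorized(output):
    """True only when the server rejected the operation on RBAC grounds (WFLYCTL0313)."""
    info = parse_outcome(output)
    return info["outcome"] == "failed" and "WFLYCTL0313" in info["codes"]


def audit_readonly_role(results):
    """Given operation -> CLI output captured under a read-only role, return the
    mutating operations that the role was wrongly permitted to execute."""
    return sorted(op for op in MUTATING_QUEUE_OPS
                  if op in results and not is_unauthorized(results[op]))


if __name__ == "__main__":
    for op in audit_readonly_role(MONITOR_RESULTS):
        print(f"RBAC gap: Monitor role executed '{op}' on a jms-queue")
```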