]
Brian Stansberry updated WFCORE-13:
-----------------------------------
Fix Version/s: 3.0.0.Alpha4
(was: 3.0.0.Alpha3)
End users can call non-published management API operations
----------------------------------------------------------
Key: WFCORE-13
URL:
https://issues.jboss.org/browse/WFCORE-13
Project: WildFly Core
Issue Type: Bug
Components: Domain Management
Reporter: Ladislav Thon
Labels: EAP
Fix For: 3.0.0.Alpha4
It's not possible to call "non-published" operations (those that are not
visible in the resource tree, e.g. {{describe}}) via JMX, while it's entirely possible
to call them via CLI (e.g. {{/subsystem=security:describe}}) and other management
interfaces.
The problem lies in the fact that {{ModelControllerMBeanHelper.invoke}} method checks
{{if (!accessControl.isExecutableOperation(operationName))}} and the
{{isExecutableOperation}} method assumes that the operation will be visible in the
resource tree. In fact, there is a comment stating _should not happen_, but now we know
that it indeed _can_ happen.
What's more, it gives a misleading error message. The {{isExecutableOperation}}
returns {{false}} for unknown operations, which results in {{Not authorized to invoke
operation}} message. Which is wrong in two different ways simultaneously: 1. the problem
isn't authorization, but the fact that the operation can't be found; 2. the user
(e.g. in the {{SuperUser}} role) _is_ authorized.
I'm considering this low priority, because 1. JMX is likely to be very rarely used to
access the management interface, 2. hiding information isn't nearly as important as
leaking them, 3. non-published operations aren't nearly as important as the published
ones. It's worth a JIRA nevertheless.