Kabir Khan commented on WFLY-2040:
----------------------------------
Sync with me and Brian before opening the PR; it might be better to include it in
'mine' if it hasn't been merged already.
RBAC + JMX: auditor can't read sensitive non-core MBeans
--------------------------------------------------------
Key: WFLY-2040
URL: https://issues.jboss.org/browse/WFLY-2040
Project: WildFly
Issue Type: Sub-task
Components: Domain Management, JMX
Reporter: Ladislav Thon
Assignee: Kabir Khan
Labels: rbac-filed-by-qa
If I set non-core MBeans to be sensitive, like
{code:xml}
<subsystem xmlns="urn:jboss:domain:jmx:1.3">
    <expose-resolved-model/>
    <expose-expression-model/>
    <remoting-connector/>
    <sensitivity non-core-mbeans="true"/>
</subsystem>
{code}
then I expect all roles that can read sensitive data (administrator, auditor, superuser)
to be able to read non-core MBeans too. This is currently broken, as only administrator
and superuser can read non-core MBeans, auditor cannot. I have a test case for this that I
will submit later, but the important part is:
{code:java}
import java.io.IOException;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.RuntimeMBeanException;
import static org.junit.Assert.*;

boolean successExpected = ...; // 'true' for auditor
MBeanServerConnection connection = ...;
// a non-core MBean: every role allowed to read sensitive data must be able to read it
ObjectName domain = new ObjectName("java.lang:type=OperatingSystem");
try {
    Object attribute = connection.getAttribute(domain, "Name");
    assertTrue("Failure was expected", successExpected);
    assertEquals(System.getProperty("os.name"), attribute.toString());
} catch (IOException e) {
    // an RBAC denial arrives as an IOException wrapping a RuntimeMBeanException with error id 11360
    if (e.getCause() instanceof RuntimeMBeanException &&
            e.getCause().getMessage().contains("11360")) {
        assertFalse("Success was expected but failure happened: " + e,
                successExpected);
    } else {
        throw e;
    }
}
{code}
Please note that I'm speaking about _reading_ sensitive data, which, if I understand
correctly, auditor _can_ do.
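A role-by-role version of the check above, added here as an example; it is not code from the report or from WildFly. It reads the same non-core MBean attribute over an MBeanServerConnection and classifies the result, so the auditor case can be asserted next to administrator and superuser. The `connectAs` factory is a placeholder the test harness must supply (one connection authenticated as each role), the "11360" denial marker is taken from the snippet above, and the expected-outcome table covers only the three roles the report names.

```java
import java.io.IOException;
import java.lang.management.ManagementFactory;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Function;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.RuntimeMBeanException;

public class SensitiveMBeanReadCheck {

    enum Outcome { ALLOWED, DENIED_BY_RBAC }

    // Roles the report says may read sensitive data: all three must see the attribute.
    static final Map<String, Outcome> EXPECTED = new LinkedHashMap<>();
    static {
        EXPECTED.put("administrator", Outcome.ALLOWED);
        EXPECTED.put("auditor", Outcome.ALLOWED);
        EXPECTED.put("superuser", Outcome.ALLOWED);
    }

    // Reads a non-core MBean attribute. An RBAC denial surfaces as an IOException wrapping a
    // RuntimeMBeanException whose message carries "11360" (assumed from the report's snippet);
    // any other failure is rethrown so it is not mistaken for a denial.
    static Outcome readNonCoreAttribute(MBeanServerConnection connection) throws Exception {
        ObjectName os = new ObjectName("java.lang:type=OperatingSystem");
        try {
            Object name = connection.getAttribute(os, "Name");
            if (!System.getProperty("os.name").equals(String.valueOf(name))) {
                throw new AssertionError("unexpected OS name: " + name);
            }
            return Outcome.ALLOWED;
        } catch (IOException e) {
            Throwable cause = e.getCause();
            if (cause instanceof RuntimeMBeanException && cause.getMessage() != null
                    && cause.getMessage().contains("11360")) {
                return Outcome.DENIED_BY_RBAC;
            }
            throw e;
        }
    }

    // Runs the read once per role; connectAs (harness-supplied) returns a connection for that role.
    static Map<String, Outcome> checkRoles(Function<String, MBeanServerConnection> connectAs)
            throws Exception {
        Map<String, Outcome> actual = new LinkedHashMap<>();
        for (String role : EXPECTED.keySet()) {
            actual.put(role, readNonCoreAttribute(connectAs.apply(role)));
        }
        return actual;
    }

    public static void main(String[] args) throws Exception {
        // Stand-alone run against the in-process platform MBeanServer (no RBAC): every role is ALLOWED.
        Map<String, Outcome> actual = checkRoles(role -> ManagementFactory.getPlatformMBeanServer());
        actual.forEach((role, outcome) -> System.out.println(role + ": " + outcome
                + (outcome == EXPECTED.get(role) ? " (ok)" : " (FAIL)")));
    }
}
```

Pointed at a WildFly remoting connector with RBAC enabled, the auditor row reporting DENIED_BY_RBAC is the symptom this issue describes.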
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: