[JBoss JIRA] (WFCORE-2061) JMX access unauthorized after RBAC enabled

Thursday, 1 December 2016

    [
https://issues.jboss.org/browse/WFCORE-2061?page=com.atlassian.jira.plugi...
] 

Darran Lofthouse commented on WFCORE-2061:
------------------------------------------

Sorry we just do not support RBAC at all for applications accessing JMX directly.  Your
workaround may fork for now but will certainly be broken by WildFly 11 where we switch to
WildFly Elytron.

A separate feature request could be justified though.

In our upstream work we are also having to preserve this apps get full access behaviour
but I would really like to make sure at some point at least we can switch to identity
based authorization for in-vm calls as well. 

...
 JMX access unauthorized after RBAC enabled
 ------------------------------------------

                 Key: WFCORE-2061
                 URL: https://issues.jboss.org/browse/WFCORE-2061
             Project: WildFly Core
          Issue Type: Bug
          Components: JMX, Security
    Affects Versions: 2.2.0.Final
            Reporter: Tadayoshi Sato
            Assignee: Darran Lofthouse
             Fix For: 3.0.0.Alpha14

         Attachments: standalone.xml, wildfly-jmx-auth.zip

 After RBAC is enabled, even a user ({{"admin"}}) with {{SuperUser}} role fails
to get authorized access to JMX  with the following code:
 {code:java}
         MBeanServer mBeanServer = ...
         Subject subject = new Subject();
         // Login
         new LoginContext("test-domain", subject, callbacks -> { ...
}).login();
         // Access to JMX
         Subject.doAs(subject, (PrivilegedAction<Object>) () -> {
             mBeanServer.getAttribute(new ObjectName("java.lang:type=Memory"),
"HeapMemoryUsage"));
             return null;
         });
 {code}
 RBAC and role-mapping are enabled in {{standalone.xml}} like this:
 {code:xml}
         <access-control provider="rbac">
             <role-mapping>
                 <role name="SuperUser">
                     <include>
                         <user name="$local"/>
                         <user name="admin"/>
                     </include>
                 </role>
             </role-mapping>
         </access-control>
         [...]
         <subsystem xmlns="urn:jboss:domain:security:1.2">
             <security-domains>
                 [...]
                 <security-domain name="test-domain"
cache-type="default">
                     <authentication>
                         <login-module code="RealmDirect"
flag="required">
                             <module-option name="realm"
value="ManagementRealm"/>
                         </login-module>
                     </authentication>
                 </security-domain>
 {code}
 The code gets this error in the server log:
 {code}
 javax.management.JMRuntimeException: WFLYJMX0037: Unauthorized access
 	at
org.jboss.as.jmx.PluggableMBeanServerImpl.authorizeMBeanOperation(PluggableMBeanServerImpl.java:1203)
 	at
org.jboss.as.jmx.PluggableMBeanServerImpl.authorizeMBeanOperation(PluggableMBeanServerImpl.java:1190)
 	at
org.jboss.as.jmx.PluggableMBeanServerImpl.getAttribute(PluggableMBeanServerImpl.java:387)
 	at com.redhat.issues.wildfly.JmxServlet.readMBeanAttribute(JmxServlet.java:87)
 	at com.redhat.issues.wildfly.JmxServlet.lambda$process$0(JmxServlet.java:53)
 	at java.security.AccessController.doPrivileged(Native Method)
 	at javax.security.auth.Subject.doAs(Subject.java:360)
 	at com.redhat.issues.wildfly.JmxServlet.process(JmxServlet.java:52)
 	at com.redhat.issues.wildfly.JmxServlet.doGet(JmxServlet.java:44)
 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
 {code} 

--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006