Darran Lofthouse commented on WFCORE-2061:
------------------------------------------
Sorry we just do not support RBAC at all for applications accessing JMX directly. Your
workaround may work for now but will certainly be broken by WildFly 11 where we switch to
WildFly Elytron.
A separate feature request could be justified though.
In our upstream work we are also having to preserve this apps get full access behaviour
but I would really like to make sure at some point at least we can switch to identity
based authorization for in-vm calls as well.

JMX access unauthorized after RBAC enabled
------------------------------------------
Key: WFCORE-2061
URL: https://issues.jboss.org/browse/WFCORE-2061
Project: WildFly Core
Issue Type: Bug
Components: JMX, Security
Affects Versions: 2.2.0.Final
Reporter: Tadayoshi Sato
Assignee: Darran Lofthouse
Fix For: 3.0.0.Alpha14
Attachments: standalone.xml, wildfly-jmx-auth.zip

After RBAC is enabled, even a user ({{"admin"}}) with {{SuperUser}} role fails
to get authorized access to JMX with the following code:
{code:java}
MBeanServer mBeanServer = ...
Subject subject = new Subject();
// Login
new LoginContext("test-domain", subject, callbacks -> { ...
}).login();
// Access to JMX
Subject.doAs(subject, (PrivilegedAction<Object>) () -> {
    mBeanServer.getAttribute(new ObjectName("java.lang:type=Memory"),
                             "HeapMemoryUsage");
    return null;
});
{code}
RBAC and role-mapping are enabled in {{standalone.xml}} like this:
{code:xml}
<access-control provider="rbac">
    <role-mapping>
        <role name="SuperUser">
            <include>
                <user name="$local"/>
                <user name="admin"/>
            </include>
        </role>
    </role-mapping>
</access-control>
[...]
<subsystem xmlns="urn:jboss:domain:security:1.2">
    <security-domains>
        [...]
        <security-domain name="test-domain" cache-type="default">
            <authentication>
                <login-module code="RealmDirect" flag="required">
                    <module-option name="realm" value="ManagementRealm"/>
                </login-module>
            </authentication>
        </security-domain>
{code}
The code gets this error in the server log:
{code}
javax.management.JMRuntimeException: WFLYJMX0037: Unauthorized access
    at org.jboss.as.jmx.PluggableMBeanServerImpl.authorizeMBeanOperation(PluggableMBeanServerImpl.java:1203)
    at org.jboss.as.jmx.PluggableMBeanServerImpl.authorizeMBeanOperation(PluggableMBeanServerImpl.java:1190)
    at org.jboss.as.jmx.PluggableMBeanServerImpl.getAttribute(PluggableMBeanServerImpl.java:387)
    at com.redhat.issues.wildfly.JmxServlet.readMBeanAttribute(JmxServlet.java:87)
    at com.redhat.issues.wildfly.JmxServlet.lambda$process$0(JmxServlet.java:53)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:360)
    at com.redhat.issues.wildfly.JmxServlet.process(JmxServlet.java:52)
    at com.redhat.issues.wildfly.JmxServlet.doGet(JmxServlet.java:44)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
{code}