[jboss-jira] [JBoss JIRA] (WFLY-2040) RBAC + JMX: auditor can't read sensitive non-core MBeans

Ladislav Thon (JIRA) jira-events at lists.jboss.org
Tue Sep 10 08:56:03 EDT 2013


Ladislav Thon created WFLY-2040:
-----------------------------------

             Summary: RBAC + JMX: auditor can't read sensitive non-core MBeans
                 Key: WFLY-2040
                 URL: https://issues.jboss.org/browse/WFLY-2040
             Project: WildFly
          Issue Type: Bug
          Components: Domain Management, JMX
            Reporter: Ladislav Thon
            Assignee: Kabir Khan


If I set non-core MBeans to be sensitive, like

{code:xml}
<subsystem xmlns="urn:jboss:domain:jmx:1.3">
    <expose-resolved-model/>
    <expose-expression-model/>
    <remoting-connector/>
    <sensitivity non-core-mbeans="true"/>
</subsystem>
{code}

then I expect all roles that can read sensitive data (administrator, auditor, superuser) to be able to read non-core MBeans too. This is currently broken: only administrator and superuser can read non-core MBeans; auditor cannot. I have a test case for this that I will submit later, but the important part is:

{code:java}
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

import java.io.IOException;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.RuntimeMBeanException;

boolean successExpected = ...; // 'true' for auditor (and administrator, superuser)

MBeanServerConnection connection = ...; // connected as the role under test
// A platform MBean, i.e. a non-core MBean that becomes sensitive with non-core-mbeans="true"
ObjectName domain = new ObjectName("java.lang:type=OperatingSystem");
try {
    Object attribute = connection.getAttribute(domain, "Name");
    assertTrue("Failure was expected", successExpected);
    assertEquals(System.getProperty("os.name"), attribute.toString());
} catch (IOException e) {
    // The authorization failure arrives wrapped: IOException -> RuntimeMBeanException
    // whose message carries the WildFly message code 11360
    if (e.getCause() instanceof RuntimeMBeanException && e.getCause().getMessage().contains("11360")) {
        assertFalse("Success was expected but failure happened: " + e, successExpected);
    } else {
        throw e;
    }
}
{code}

Please note that I'm speaking about _reading_ sensitive data, which, if I understand correctly, auditor _can_ do.

--
This message is automatically generated by JIRA.
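The check above is written for a single role. The following is an added example, not code from the report or from WildFly, that generalises it into a probe over all seven standard RBAC roles, so that the auditor regression described above shows up as one failing row next to the roles that behave correctly. It assumes (none of this is in the report) a WildFly server on localhost:9990 reachable through the remoting JMX connector, the jboss-cli-client.jar on the client classpath to provide the `remote+http` protocol, the jmx subsystem configured with `<sensitivity non-core-mbeans="true"/>`, and one management user per role whose username equals the lower-cased role name and whose password is "password". The expectation for monitor, operator, maintainer and deployer (no access) goes beyond the report, which only lists the three roles that may read sensitive data; it follows from those roles not being allowed to read sensitive data under WildFly's standard role definitions.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.RuntimeMBeanException;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Probes, for each standard WildFly RBAC role, whether a non-core (platform)
 * MBean attribute can be read over the remoting JMX connector once
 * non-core-mbeans="true" is set. Hypothetical probe, not part of WildFly.
 */
public class NonCoreMBeanRoleProbe {

    // Assumed server location and protocol; older releases used "http-remoting-jmx".
    static final String SERVICE_URL = "service:jmx:remote+http://localhost:9990";

    // Assumed credential scheme: user name == lower-cased role name, shared password.
    static final String PASSWORD = "password";

    // Expected outcome per role. Only roles that may read sensitive data
    // (administrator, auditor, superuser) should be able to read the attribute.
    static Map<String, Boolean> expectations() {
        Map<String, Boolean> expected = new LinkedHashMap<>();
        expected.put("monitor", false);
        expected.put("operator", false);
        expected.put("maintainer", false);
        expected.put("deployer", false);
        expected.put("administrator", true);
        expected.put("auditor", true);
        expected.put("superuser", true);
        return expected;
    }

    /**
     * Returns true if the user can read java.lang:type=OperatingSystem/Name,
     * false if the read is refused by RBAC, and rethrows anything else
     * (connection problems must not be mistaken for authorization decisions).
     */
    static boolean canReadOsName(String user, String password) throws Exception {
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS, new String[] { user, password });
        JMXServiceURL url = new JMXServiceURL(SERVICE_URL);
        try (JMXConnector connector = JMXConnectorFactory.connect(url, env)) {
            MBeanServerConnection connection = connector.getMBeanServerConnection();
            ObjectName os = new ObjectName("java.lang:type=OperatingSystem");
            Object name = connection.getAttribute(os, "Name");
            return name != null;
        } catch (IOException e) {
            // Same failure signature the report observed: IOException wrapping a
            // RuntimeMBeanException whose message contains WildFly code 11360.
            Throwable cause = e.getCause();
            if (cause instanceof RuntimeMBeanException
                    && cause.getMessage() != null && cause.getMessage().contains("11360")) {
                return false;
            }
            throw e;
        }
    }

    /** Runs the probe for every role; returns the roles whose outcome did not match. */
    static Map<String, Boolean> mismatches() throws Exception {
        Map<String, Boolean> wrong = new LinkedHashMap<>();
        for (Map.Entry<String, Boolean> entry : expectations().entrySet()) {
            String role = entry.getKey();
            boolean actual = canReadOsName(role, PASSWORD);
            System.out.printf("%-14s expected=%-5s actual=%-5s %s%n",
                    role, entry.getValue(), actual, actual == entry.getValue() ? "ok" : "MISMATCH");
            if (actual != entry.getValue()) {
                wrong.put(role, actual);
            }
        }
        return wrong;
    }

    public static void main(String[] args) throws Exception {
        Map<String, Boolean> wrong = mismatches();
        // With the bug in WFLY-2040 present, this prints {auditor=false}.
        System.out.println(wrong.isEmpty() ? "all roles behave as expected" : "mismatches: " + wrong);
        System.exit(wrong.isEmpty() ? 0 : 1);
    }
}
```

Rethrowing every IOException that does not carry the authorization signature matters: a probe that treated any failure as "denied" would report a server that is simply down as a correctly enforced policy, which is the wrong direction to fail in for an access-control check.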