[jboss-jira] [JBoss JIRA] (WFCORE-2061) JMX access unauthorized after RBAC enabled

Tadayoshi Sato (JIRA) issues at jboss.org
Tue Nov 29 21:07:02 EST 2016


Tadayoshi Sato created WFCORE-2061:
--------------------------------------

             Summary: JMX access unauthorized after RBAC enabled
                 Key: WFCORE-2061
                 URL: https://issues.jboss.org/browse/WFCORE-2061
             Project: WildFly Core
          Issue Type: Bug
          Components: JMX, Security
    Affects Versions: 2.2.0.Final
            Reporter: Tadayoshi Sato
            Assignee: Kabir Khan
            Priority: Critical
         Attachments: standalone.xml

After RBAC is enabled, even a user ({{"admin"}}) with the {{SuperUser}} role fails to get authorized access to JMX with the following code:
{code:java}
        MBeanServer mBeanServer = ...
        Subject subject = new Subject();
        // Login against the "test-domain" security domain (RealmDirect -> ManagementRealm)
        new LoginContext("test-domain", subject, callbacks -> { ... }).login();
        // Access JMX as the authenticated subject. getAttribute() declares checked
        // JMX exceptions, so the action must be a PrivilegedExceptionAction.
        Subject.doAs(subject, (PrivilegedExceptionAction<Object>) () -> {
            mBeanServer.getAttribute(new ObjectName("java.lang:type=Memory"), "HeapMemoryUsage");
            return null;
        });
{code}

RBAC and role-mapping are enabled in {{standalone.xml}} like this:
{code:xml}
        <access-control provider="rbac">
            <role-mapping>
                <role name="SuperUser">
                    <include>
                        <user name="$local"/>
                        <user name="admin"/>
                    </include>
                </role>
            </role-mapping>
        </access-control>
        [...]
        <subsystem xmlns="urn:jboss:domain:security:1.2">
            <security-domains>
                [...]
                <security-domain name="test-domain" cache-type="default">
                    <authentication>
                        <login-module code="RealmDirect" flag="required">
                            <module-option name="realm" value="ManagementRealm"/>
                        </login-module>
                    </authentication>
                </security-domain>
{code}

The code gets this error in the server log:
{code}
javax.management.JMRuntimeException: WFLYJMX0037: Unauthorized access
	at org.jboss.as.jmx.PluggableMBeanServerImpl.authorizeMBeanOperation(PluggableMBeanServerImpl.java:1203)
	at org.jboss.as.jmx.PluggableMBeanServerImpl.authorizeMBeanOperation(PluggableMBeanServerImpl.java:1190)
	at org.jboss.as.jmx.PluggableMBeanServerImpl.getAttribute(PluggableMBeanServerImpl.java:387)
	at com.redhat.issues.wildfly.JmxServlet.readMBeanAttribute(JmxServlet.java:87)
	at com.redhat.issues.wildfly.JmxServlet.lambda$process$0(JmxServlet.java:53)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:360)
	at com.redhat.issues.wildfly.JmxServlet.process(JmxServlet.java:52)
	at com.redhat.issues.wildfly.JmxServlet.doGet(JmxServlet.java:44)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
{code}



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
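Before chasing this as a server bug, it is worth confirming that the standalone.xml actually says what the report describes: provider set to rbac, the user included in SuperUser (and not excluded elsewhere), and the application security domain delegating to ManagementRealm through RealmDirect. The script below is an added example, not code from the report or from WildFly. It audits those three points from a standalone.xml; the embedded sample is constructed from the fragment in the report, and its root element, the management wrapper and the urn:jboss:domain:4.0 namespace are assumptions. It goes a little beyond the report by also honouring include-all, group includes and exclude blocks, which the role-mapping schema supports.

```python
"""Audit a WildFly standalone.xml for the RBAC / JMX setup described in WFCORE-2061."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the report's fragment. The <server> root, the
# <management> wrapper and the urn:jboss:domain:4.0 namespace are assumptions.
SAMPLE_STANDALONE_XML = """<?xml version="1.0"?>
<server xmlns="urn:jboss:domain:4.0">
  <management>
    <access-control provider="rbac">
      <role-mapping>
        <role name="SuperUser">
          <include>
            <user name="$local"/>
            <user name="admin"/>
          </include>
        </role>
        <role name="Monitor">
          <include>
            <group name="ops"/>
          </include>
          <exclude>
            <user name="contractor"/>
          </exclude>
        </role>
      </role-mapping>
    </access-control>
  </management>
  <profile>
    <subsystem xmlns="urn:jboss:domain:security:1.2">
      <security-domains>
        <security-domain name="test-domain" cache-type="default">
          <authentication>
            <login-module code="RealmDirect" flag="required">
              <module-option name="realm" value="ManagementRealm"/>
            </login-module>
          </authentication>
        </security-domain>
      </security-domains>
    </subsystem>
  </profile>
</server>
"""


def _local(tag):
    """Strip the namespace so lookups work for any schema version of the file."""
    return tag.split('}', 1)[-1]


def _find_all(root, name):
    return [el for el in root.iter() if _local(el.tag) == name]


def parse_access_control(xml_text):
    """Return (provider, roles) where roles maps a role name to its include/exclude sets."""
    root = ET.fromstring(xml_text)
    ac = _find_all(root, 'access-control')
    provider = ac[0].get('provider') if ac else None
    roles = {}
    for mapping in _find_all(root, 'role-mapping'):
        for role in mapping:
            if _local(role.tag) != 'role':
                continue
            entry = {'include_all': role.get('include-all', 'false') == 'true',
                     'users': set(), 'groups': set(),
                     'excluded_users': set(), 'excluded_groups': set()}
            for block in role:
                kind = _local(block.tag)
                if kind not in ('include', 'exclude'):
                    continue
                for principal in block:
                    key = 'users' if _local(principal.tag) == 'user' else 'groups'
                    if kind == 'exclude':
                        key = 'excluded_' + key
                    entry[key].add(principal.get('name'))
            roles[role.get('name')] = entry
    return provider, roles


def roles_for_user(roles, user, groups=()):
    """Roles the mapping grants to a user who belongs to the given groups; excludes win."""
    groups = set(groups)
    granted = []
    for name, entry in roles.items():
        if user in entry['excluded_users'] or entry['excluded_groups'] & groups:
            continue
        if entry['include_all'] or user in entry['users'] or entry['groups'] & groups:
            granted.append(name)
    return sorted(granted)


def realm_for_domain(xml_text, domain_name):
    """Realm named by the RealmDirect login module of a security domain, else None."""
    root = ET.fromstring(xml_text)
    for domain in _find_all(root, 'security-domain'):
        if domain.get('name') != domain_name:
            continue
        for lm in _find_all(domain, 'login-module'):
            if lm.get('code') != 'RealmDirect':
                continue
            for opt in lm:
                if _local(opt.tag) == 'module-option' and opt.get('name') == 'realm':
                    return opt.get('value')
    return None


def audit(xml_text, user, domain_name, groups=()):
    """Findings for the report's scenario; [] means the file is configured as described."""
    findings = []
    provider, roles = parse_access_control(xml_text)
    if provider != 'rbac':
        findings.append('access-control provider is %r, not rbac' % provider)
    granted = roles_for_user(roles, user, groups)
    if 'SuperUser' not in granted:
        findings.append('%s is not mapped to SuperUser (roles: %s)' % (user, granted or 'none'))
    realm = realm_for_domain(xml_text, domain_name)
    if realm != 'ManagementRealm':
        findings.append('security domain %s has no RealmDirect module for ManagementRealm (realm=%r)'
                        % (domain_name, realm))
    return findings


if __name__ == '__main__':
    for line in audit(SAMPLE_STANDALONE_XML, 'admin', 'test-domain') or ['configuration matches the report']:
        print(line)
```

Run it against the real attachment by reading the file into `audit()` in place of the sample. An empty finding list means the configuration is as the report states and the WFLYJMX0037 rejection is not explained by a missing role mapping or a realm mismatch; a non-empty list points at the misconfiguration to fix first.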