[jboss-jira] [JBoss JIRA] (WFCORE-2061) JMX access unauthorized after RBAC enabled

Tadayoshi Sato (JIRA) issues at jboss.org
Tue Nov 29 21:17:02 EST 2016


     [ https://issues.jboss.org/browse/WFCORE-2061?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tadayoshi Sato updated WFCORE-2061:
-----------------------------------
    Steps to Reproduce: 
# Copy the attached {{standalone.xml}} to {{$WFLY_HOME/standalone/configuration/}}
# Add user {{admin}}:
{code}
$ ./bin/add-user.sh -u admin -p p@ssw0rd
{code}
# Start WildFly 10.1.0.Final:
{code}
$ ./bin/standalone.sh
{code}
# Run the attached reproducer {{wildfly-jmx-auth}}:
{code}
$ mvn clean test
{code}
# You'll see the test fails showing
{quote}javax.management.JMRuntimeException: WFLYJMX0037: Unauthorized access{quote}
in the server log

  was:
# Copy the attached {{standalone.xml}} to {{$WFLY_HOME/standalone/configuration/}}
# Add user {{admin}}:
{code}
$ ./bin/add-user.sh -u admin -p p@ssw0rd
{code}
# Start WildFly:
{code}
$ ./bin/standalone.sh
{code}
# Run the attached reproducer {{wildfly-jmx-auth}}:
{code}
$ mvn clean test
{code}
# You'll see the test fails showing
{quote}javax.management.JMRuntimeException: WFLYJMX0037: Unauthorized access{quote}
in the server log



> JMX access unauthorized after RBAC enabled
> ------------------------------------------
>
>                 Key: WFCORE-2061
>                 URL: https://issues.jboss.org/browse/WFCORE-2061
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: JMX, Security
>    Affects Versions: 2.2.0.Final
>            Reporter: Tadayoshi Sato
>            Assignee: Kabir Khan
>            Priority: Critical
>         Attachments: standalone.xml, wildfly-jmx-auth.zip
>
>
> After RBAC is enabled, even a user ({{"admin"}}) with {{SuperUser}} role fails to get authorized access to JMX with the following code:
> {code:java}
> import java.security.PrivilegedExceptionAction;
> import javax.management.MBeanServer;
> import javax.management.ObjectName;
> import javax.security.auth.Subject;
> import javax.security.auth.login.LoginContext;
> 
>         MBeanServer mBeanServer = ...
>         Subject subject = new Subject();
>         // Login against the "test-domain" security domain (RealmDirect -> ManagementRealm)
>         new LoginContext("test-domain", subject, callbacks -> { ... }).login();
>         // Access to JMX as the authenticated subject; PrivilegedExceptionAction because
>         // getAttribute() and the ObjectName constructor throw checked exceptions
>         Subject.doAs(subject, (PrivilegedExceptionAction<Object>) () -> {
>             mBeanServer.getAttribute(new ObjectName("java.lang:type=Memory"), "HeapMemoryUsage");
>             return null;
>         });
> {code}
> RBAC and role-mapping are enabled in {{standalone.xml}} like this:
> {code:xml}
>         <access-control provider="rbac">
>             <role-mapping>
>                 <role name="SuperUser">
>                     <include>
>                         <user name="$local"/>
>                         <user name="admin"/>
>                     </include>
>                 </role>
>             </role-mapping>
>         </access-control>
>         [...]
>         <subsystem xmlns="urn:jboss:domain:security:1.2">
>             <security-domains>
>                 [...]
>                 <security-domain name="test-domain" cache-type="default">
>                     <authentication>
>                         <login-module code="RealmDirect" flag="required">
>                             <module-option name="realm" value="ManagementRealm"/>
>                         </login-module>
>                     </authentication>
>                 </security-domain>
> {code}
> The code gets this error in the server log:
> {code}
> javax.management.JMRuntimeException: WFLYJMX0037: Unauthorized access
> 	at org.jboss.as.jmx.PluggableMBeanServerImpl.authorizeMBeanOperation(PluggableMBeanServerImpl.java:1203)
> 	at org.jboss.as.jmx.PluggableMBeanServerImpl.authorizeMBeanOperation(PluggableMBeanServerImpl.java:1190)
> 	at org.jboss.as.jmx.PluggableMBeanServerImpl.getAttribute(PluggableMBeanServerImpl.java:387)
> 	at com.redhat.issues.wildfly.JmxServlet.readMBeanAttribute(JmxServlet.java:87)
> 	at com.redhat.issues.wildfly.JmxServlet.lambda$process$0(JmxServlet.java:53)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Subject.java:360)
> 	at com.redhat.issues.wildfly.JmxServlet.process(JmxServlet.java:52)
> 	at com.redhat.issues.wildfly.JmxServlet.doGet(JmxServlet.java:44)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> {code}
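The flow the description sketches, written out as a complete class. This is an added example, not the reporter's attached {{wildfly-jmx-auth}} reproducer (which is not on this page) and not WildFly code. It keeps the page's security domain {{test-domain}}, user {{admin}} and the {{java.lang:type=Memory}} lookup; everything else is assumed: the {{CallbackHandler}} body that the description elides as {{{ ... }}}, the {{Outcome}} classification, reaching the RBAC-enforcing server through {{ManagementFactory.getPlatformMBeanServer()}}, and using the {{WFLYJMX0037}} code in the exception message to recognise a denial. It only runs inside WildFly, where the JAAS configuration for {{test-domain}} exists.

```java
import java.lang.management.ManagementFactory;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.management.JMRuntimeException;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example (not the issue's attached reproducer): log a user into the
 * "test-domain" JAAS security domain from the issue, then read an MBean attribute
 * under Subject.doAs() and classify the outcome. Runs only inside WildFly, where
 * the JAAS configuration for "test-domain" and the RBAC-enforcing MBeanServer exist.
 */
public class JmxRbacCheck {

    /** Answers NameCallback/PasswordCallback with fixed credentials (the "{ ... }" the issue elides). */
    static CallbackHandler credentials(String user, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "Unexpected callback: " + cb.getClass().getName());
                }
            }
        };
    }

    /** Outcome of the authorization test, so the caller can tell "denied" from "broken". */
    enum Outcome { ALLOWED, DENIED, JMX_ERROR }

    static Outcome readHeapUsageAs(Subject subject, MBeanServer mBeanServer) {
        try {
            Subject.doAs(subject, (PrivilegedExceptionAction<Object>) () ->
                mBeanServer.getAttribute(new ObjectName("java.lang:type=Memory"), "HeapMemoryUsage"));
            return Outcome.ALLOWED;
        } catch (JMRuntimeException e) {
            // Unchecked, so it propagates out of doAs() unwrapped. The issue's server log shows
            // WFLYJMX0037 in the message when the call is refused; anything else is treated as an error.
            String msg = e.getMessage();
            return msg != null && msg.contains("WFLYJMX0037") ? Outcome.DENIED : Outcome.JMX_ERROR;
        } catch (PrivilegedActionException e) {
            // Checked exceptions from getAttribute()/ObjectName land here (MBean missing, bad name, ...)
            return Outcome.JMX_ERROR;
        }
    }

    public static void main(String[] args) throws LoginException {
        String user = args.length > 0 ? args[0] : "admin";
        char[] password = (args.length > 1 ? args[1] : "p@ssw0rd").toCharArray();

        Subject subject = new Subject();
        LoginContext lc = new LoginContext("test-domain", subject, credentials(user, password));
        lc.login();

        // Diagnostic: the principals the login modules put on the Subject are what the
        // role mapping in standalone.xml (user name "admin" -> SuperUser) has to match against.
        System.out.println("Authenticated principals: " + subject.getPrincipals());

        // Assumption: inside WildFly the platform MBeanServer is the authorizing
        // PluggableMBeanServerImpl seen in the issue's stack trace.
        MBeanServer mBeanServer = ManagementFactory.getPlatformMBeanServer();
        Outcome outcome = readHeapUsageAs(subject, mBeanServer);
        System.out.println("java.lang:type=Memory/HeapMemoryUsage as " + user + ": " + outcome);

        lc.logout();
    }
}
```

Printing {{subject.getPrincipals()}} after {{login()}} is the check worth doing first when a mapped user is still refused: it shows exactly which principal names and types the login module produced, which is what any role mapping on {{user name="admin"}} has to be compared with.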



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

