[jboss-jira] [JBoss JIRA] (WFCORE-2061) JMX access unauthorized after RBAC enabled
Tadayoshi Sato (JIRA)
issues at jboss.org
Tue Nov 29 23:02:07 EST 2016
[ https://issues.jboss.org/browse/WFCORE-2061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13331241#comment-13331241 ]
Tadayoshi Sato edited comment on WFCORE-2061 at 11/29/16 11:01 PM:
-------------------------------------------------------------------
The direct cause is clear: after logging in with {{LoginContext}}, the subject only has simple principals attached to it. However, wildfly-core-security expects a {{RealmUser}} principal in it and thus fails to resolve its name from the subject when role mapping is executed at:
https://github.com/wildfly/wildfly-core/blob/2.2.0.Final/controller/src/main/java/org/jboss/as/controller/access/rbac/StandardRoleMapper.java#L101
So if you manually add a {{RealmUser}} to the subject after login, then the issue doesn't happen:
{code:java}
subject.getPrincipals().add(new RealmUser("admin"));
{code}
However, I think the login module should automatically attach a {{RealmUser}} to the subject under the hood.
was (Author: tadayosi):
The direct cause is clear: after logging in with {{LoginContext}}, the subject only has simple principals attached to it. However, wildfly-core-security expects a {{RealmUser}} principal in it and thus fails to resolve its name from the subject when role mapping is executed. So if you manually add a {{RealmUser}} to the subject after login, then the issue doesn't happen:
{code:java}
subject.getPrincipals().add(new RealmUser("admin"));
{code}
However, I think the login module should automatically attach a {{RealmUser}} to the subject under the hood.
> JMX access unauthorized after RBAC enabled
> ------------------------------------------
>
> Key: WFCORE-2061
> URL: https://issues.jboss.org/browse/WFCORE-2061
> Project: WildFly Core
> Issue Type: Bug
> Components: JMX, Security
> Affects Versions: 2.2.0.Final
> Reporter: Tadayoshi Sato
> Assignee: Kabir Khan
> Priority: Critical
> Attachments: standalone.xml, wildfly-jmx-auth.zip
>
>
> After RBAC is enabled, even a user ({{"admin"}}) with the {{SuperUser}} role fails to get authorized access to JMX with the following code:
> {code:java}
> import java.security.PrivilegedExceptionAction;
> import javax.management.MBeanServer;
> import javax.management.ObjectName;
> import javax.security.auth.Subject;
> import javax.security.auth.login.LoginContext;
> 
> MBeanServer mBeanServer = ...
> Subject subject = new Subject();
> // Login
> new LoginContext("test-domain", subject, callbacks -> { ... }).login();
> // Access to JMX as the logged-in subject. PrivilegedExceptionAction is needed because
> // ObjectName and MBeanServer.getAttribute throw checked exceptions.
> Subject.doAs(subject, (PrivilegedExceptionAction<Object>) () -> {
>     return mBeanServer.getAttribute(new ObjectName("java.lang:type=Memory"), "HeapMemoryUsage");
> });
> {code}
> RBAC and role-mapping are enabled in {{standalone.xml}} like this:
> {code:xml}
> <access-control provider="rbac">
>     <role-mapping>
>         <role name="SuperUser">
>             <include>
>                 <user name="$local"/>
>                 <user name="admin"/>
>             </include>
>         </role>
>     </role-mapping>
> </access-control>
> [...]
> <subsystem xmlns="urn:jboss:domain:security:1.2">
>     <security-domains>
>         [...]
>         <security-domain name="test-domain" cache-type="default">
>             <authentication>
>                 <login-module code="RealmDirect" flag="required">
>                     <module-option name="realm" value="ManagementRealm"/>
>                 </login-module>
>             </authentication>
>         </security-domain>
>     </security-domains>
> </subsystem>
> {code}
> The code produces this error in the server log:
> {code}
> javax.management.JMRuntimeException: WFLYJMX0037: Unauthorized access
> at org.jboss.as.jmx.PluggableMBeanServerImpl.authorizeMBeanOperation(PluggableMBeanServerImpl.java:1203)
> at org.jboss.as.jmx.PluggableMBeanServerImpl.authorizeMBeanOperation(PluggableMBeanServerImpl.java:1190)
> at org.jboss.as.jmx.PluggableMBeanServerImpl.getAttribute(PluggableMBeanServerImpl.java:387)
> at com.redhat.issues.wildfly.JmxServlet.readMBeanAttribute(JmxServlet.java:87)
> at com.redhat.issues.wildfly.JmxServlet.lambda$process$0(JmxServlet.java:53)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:360)
> at com.redhat.issues.wildfly.JmxServlet.process(JmxServlet.java:52)
> at com.redhat.issues.wildfly.JmxServlet.doGet(JmxServlet.java:44)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> {code}
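The workaround from the comment above, as an added example that is neither the reporter's attached code nor a WildFly fix: it applies the same idea (add a {{RealmUser}} to the subject after {{LoginContext.login()}}) but derives the name from the credentials that were actually authenticated instead of a constant, and runs the JMX call through a {{PrivilegedExceptionAction}} because {{ObjectName}} and {{MBeanServer.getAttribute}} throw checked exceptions. The class name {{RbacJmxAccess}} and its two methods are my own; it assumes wildfly-core 2.2.0.Final's {{org.jboss.as.core.security.RealmUser}} on the classpath and a JAAS domain configured like {{test-domain}} in the report. Since the {{RealmDirect}} login module has already verified the password against {{ManagementRealm}}, attaching a {{RealmUser}} with that same name grants nothing the realm did not authenticate; a fixed name such as {{"admin"}}, by contrast, would map every caller that passes the login module to admin's roles.

```java
// Added example for WFCORE-2061 (not the reporter's code, not a WildFly fix).
// Assumes wildfly-core 2.2.0.Final on the classpath for org.jboss.as.core.security.RealmUser
// and a JAAS security domain configured like "test-domain" in the report.
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Set;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.as.core.security.RealmUser;

public final class RbacJmxAccess {

    private RbacJmxAccess() {
    }

    /**
     * Authenticates against the given JAAS security domain and returns a Subject that
     * WildFly's StandardRoleMapper can resolve: if the login module left no RealmUser
     * principal behind, one is added carrying the name that was actually authenticated.
     */
    public static Subject loginForRbac(String domain, String user, char[] password) throws LoginException {
        Subject subject = new Subject();
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "Only name/password callbacks are supported");
                }
            }
        };
        new LoginContext(domain, subject, handler).login();

        // Workaround: role mapping looks for a RealmUser principal. Use the authenticated
        // name, never a constant; a constant would map every caller to that user's roles.
        Set<RealmUser> realmUsers = subject.getPrincipals(RealmUser.class);
        if (realmUsers.isEmpty()) {
            subject.getPrincipals().add(new RealmUser(user));
        }
        return subject;
    }

    /**
     * Reads one MBean attribute as the given Subject. PrivilegedExceptionAction is used
     * because ObjectName and MBeanServer.getAttribute throw checked exceptions, which a
     * plain PrivilegedAction lambda cannot propagate.
     */
    public static Object readAttribute(MBeanServer server, Subject subject, String objectName, String attribute)
            throws Exception {
        try {
            return Subject.doAs(subject, (PrivilegedExceptionAction<Object>) () ->
                    server.getAttribute(new ObjectName(objectName), attribute));
        } catch (PrivilegedActionException e) {
            // Checked JMX exceptions arrive wrapped; unwrap them. Runtime exceptions such as
            // the WFLYJMX0037 JMRuntimeException from the report propagate unwrapped.
            throw e.getException();
        }
    }
}
```

In the servlet from the report this replaces the inline login and {{doAs}} block: call {{loginForRbac("test-domain", name, password)}} with the credentials the servlet collected, then pass the returned subject and the {{MBeanServer}} the servlet already holds to {{readAttribute(server, subject, "java.lang:type=Memory", "HeapMemoryUsage")}}. As the comment says, this is a client-side workaround; the durable fix belongs in the login module.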
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)