[jboss-jira] [JBoss JIRA] (WFCORE-2061) JMX access unauthorized after RBAC enabled

Darran Lofthouse (JIRA) issues at jboss.org
Wed Nov 30 03:46:04 EST 2016


     [ https://issues.jboss.org/browse/WFCORE-2061?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse resolved WFCORE-2061.
--------------------------------------
    Fix Version/s: 3.0.0.Alpha14
       Resolution: Rejected


Changing the identity for the IN-VM call to JMX is not currently supported.

However, if you avoid the Subject.doAs entirely, the call should be IN-VM anyway, which means SuperUser would be granted by default.

From WildFly 11 we are switching the security framework to WildFly Elytron where we will offer a lot more control of identity switching for calls.

> JMX access unauthorized after RBAC enabled
> ------------------------------------------
>
>                 Key: WFCORE-2061
>                 URL: https://issues.jboss.org/browse/WFCORE-2061
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: JMX, Security
>    Affects Versions: 2.2.0.Final
>            Reporter: Tadayoshi Sato
>            Assignee: Darran Lofthouse
>             Fix For: 3.0.0.Alpha14
>
>         Attachments: standalone.xml, wildfly-jmx-auth.zip
>
>
> After RBAC is enabled, even a user ({{"admin"}}) with {{SuperUser}} role fails to get authorized access to JMX with the following code:
> {code:java}
>         MBeanServer mBeanServer = ...
>         Subject subject = new Subject();
>         // Login against the "test-domain" JAAS security domain
>         new LoginContext("test-domain", subject, callbacks -> { ... }).login();
>         // Access to JMX as the logged-in subject; ObjectName and getAttribute throw
>         // checked exceptions, so the lambda must be a PrivilegedExceptionAction
>         Subject.doAs(subject, (PrivilegedExceptionAction<Object>) () -> {
>             mBeanServer.getAttribute(new ObjectName("java.lang:type=Memory"), "HeapMemoryUsage");
>             return null;
>         });
> {code}
> RBAC and role-mapping are enabled in {{standalone.xml}} like this:
> {code:xml}
>         <access-control provider="rbac">
>             <role-mapping>
>                 <role name="SuperUser">
>                     <include>
>                         <user name="$local"/>
>                         <user name="admin"/>
>                     </include>
>                 </role>
>             </role-mapping>
>         </access-control>
>         [...]
>         <subsystem xmlns="urn:jboss:domain:security:1.2">
>             <security-domains>
>                 [...]
>                 <security-domain name="test-domain" cache-type="default">
>                     <authentication>
>                         <login-module code="RealmDirect" flag="required">
>                             <module-option name="realm" value="ManagementRealm"/>
>                         </login-module>
>                     </authentication>
>                 </security-domain>
> {code}
> The code gets this error in the server log:
> {code}
> javax.management.JMRuntimeException: WFLYJMX0037: Unauthorized access
> 	at org.jboss.as.jmx.PluggableMBeanServerImpl.authorizeMBeanOperation(PluggableMBeanServerImpl.java:1203)
> 	at org.jboss.as.jmx.PluggableMBeanServerImpl.authorizeMBeanOperation(PluggableMBeanServerImpl.java:1190)
> 	at org.jboss.as.jmx.PluggableMBeanServerImpl.getAttribute(PluggableMBeanServerImpl.java:387)
> 	at com.redhat.issues.wildfly.JmxServlet.readMBeanAttribute(JmxServlet.java:87)
> 	at com.redhat.issues.wildfly.JmxServlet.lambda$process$0(JmxServlet.java:53)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Subject.java:360)
> 	at com.redhat.issues.wildfly.JmxServlet.process(JmxServlet.java:52)
> 	at com.redhat.issues.wildfly.JmxServlet.doGet(JmxServlet.java:44)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> {code}



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
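The change Darran recommends, written out as an added example (it is not code from the issue, its attachments, or WildFly itself): the same attribute read done directly on the calling thread, placed beside the `Subject.doAs` variant from the report so the two patterns can be compared. `readDirect` assumes `server` is the MBeanServer WildFly provides to the deployment (the reporter's `mBeanServer = ...`); run outside WildFly, `main` simply reads the JVM's platform server and no WildFly RBAC check is involved. The `isUnauthorized` helper keys on the `WFLYJMX0037` message prefix shown in the reporter's stack trace, so a caller can log the authorization failure instead of surfacing it as a servlet error.

```java
import java.lang.management.ManagementFactory;
import java.security.PrivilegedExceptionAction;
import javax.management.JMException;
import javax.management.JMRuntimeException;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.security.auth.Subject;

public class InVmJmxRead {

    // Recommended form: read the attribute on the calling thread with no Subject.doAs.
    // Inside WildFly Core 2.2 with RBAC enabled this is treated as an IN-VM call and,
    // per the resolution comment, is authorized as SuperUser by default.
    public static Object readDirect(MBeanServer server, String name, String attr)
            throws JMException {
        return server.getAttribute(new ObjectName(name), attr);
    }

    // The pattern from the report: the same read under Subject.doAs with a JAAS-logged-in
    // subject. Kept only for comparison; the issue states that switching identity for an
    // IN-VM JMX call is not supported, and this form fails with WFLYJMX0037.
    public static Object readAsSubject(MBeanServer server, Subject subject,
                                      String name, String attr) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<Object>) () ->
                server.getAttribute(new ObjectName(name), attr));
    }

    // Distinguishes WildFly's RBAC rejection from other runtime failures so the caller
    // can log it as an authorization event. The prefix is the one in the reporter's log.
    public static boolean isUnauthorized(JMRuntimeException e) {
        String msg = e.getMessage();
        return msg != null && msg.startsWith("WFLYJMX0037");
    }

    public static void main(String[] args) throws Exception {
        // Assumption: stand-alone run against the JVM's own platform server.
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        try {
            System.out.println(readDirect(server, "java.lang:type=Memory", "HeapMemoryUsage"));
        } catch (JMRuntimeException e) {
            if (isUnauthorized(e)) {
                System.err.println("JMX read rejected by RBAC: " + e.getMessage());
            } else {
                throw e;
            }
        }
    }
}
```

In a servlet deployed to WildFly, only `readDirect` needs to be called; the authenticated `Subject` from the JAAS login plays no part in the JMX authorization decision, which is exactly why the `doAs` wrapper in the report buys nothing and the direct call is granted SuperUser.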

