[jboss-jira] [JBoss JIRA] (WFLY-9181) ReadOnly user able to perform runtimeOnlly operations on JMS queues thorugh CLI
shailendra singh (JIRA)
issues at jboss.org
Fri Aug 4 01:49:00 EDT 2017
shailendra singh created WFLY-9181:
--------------------------------------
Summary: ReadOnly user able to perform runtimeOnlly operations on JMS queues thorugh CLI
Key: WFLY-9181
URL: https://issues.jboss.org/browse/WFLY-9181
Project: WildFly
Issue Type: Bug
Components: CLI
Affects Versions: 11.0.0.Beta1
Reporter: shailendra singh
Assignee: shailendra singh
ReadOnly user able to perform runtimeOnlly operations on JMS queues thorugh CLI
Like:-
'Monitor' roles have permissions to remove messages from the queue.
{code:java}
[standalone at localhost:9990 /] /subsystem=messaging-activemq/server=default/jms-queue=DLQ:remove-messages()
{
"outcome" => "success",
"result" => 14
}
[standalone at localhost:9990 /]
{code}
So even a read-only role ('Monitor') has access to :remove-messages. To show RBAC is enforced for other CLI operations:
{code:java}
[standalone at localhost:9990 /] /subsystem=messaging-activemq/server=default/jms-queue=DLQ:remove()
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0313: Unauthorized to execute operation 'remove' for resource '[
(\"subsystem\" => \"messaging-activemq\"),
(\"server\" => \"default\"),
(\"jms-queue\" => \"DLQ\")
]' -- \"WFLYCTL0332: Permission denied\"",
"rolled-back" => true
}
[standalone at localhost:9990 /]
{code}
Expectation:-
The permissions between the monitoring console (GUI) and the CLI should be in sync for flushing a JMS queue.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
More information about the jboss-jira
mailing list