[jboss-jira] [JBoss JIRA] (WFLY-9181) ReadOnly user able to perform runtime-only operations on JMS queues through CLI
shailendra singh (JIRA)
issues@jboss.org
Fri Aug 4 04:51:00 EDT 2017
[ https://issues.jboss.org/browse/WFLY-9181?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
shailendra singh updated WFLY-9181:
-----------------------------------
Component/s: JMS
> ReadOnly user able to perform runtime-only operations on JMS queues through CLI
> -------------------------------------------------------------------------------
>
> Key: WFLY-9181
> URL: https://issues.jboss.org/browse/WFLY-9181
> Project: WildFly
> Issue Type: Bug
> Components: CLI, JMS
> Affects Versions: 11.0.0.Beta1
> Reporter: shailendra singh
> Assignee: shailendra singh
>
> ReadOnly user able to perform runtime-only operations on JMS queues through CLI
> For example:
> The 'Monitor' role has permission to remove messages from the queue.
> {code:java}
> [standalone@localhost:9990 /] /subsystem=messaging-activemq/server=default/jms-queue=DLQ:remove-messages()
> {
> "outcome" => "success",
> "result" => 14
> }
> [standalone@localhost:9990 /]
> {code}
> So even a read-only role ('Monitor') has access to :remove-messages. To show RBAC is enforced for other CLI operations:
> {code:java}
> [standalone@localhost:9990 /] /subsystem=messaging-activemq/server=default/jms-queue=DLQ:remove()
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0313: Unauthorized to execute operation 'remove' for resource '[
> (\"subsystem\" => \"messaging-activemq\"),
> (\"server\" => \"default\"),
> (\"jms-queue\" => \"DLQ\")
> ]' -- \"WFLYCTL0332: Permission denied\"",
> "rolled-back" => true
> }
> [standalone@localhost:9990 /]
> {code}
> Expectation:
> The permissions between the monitoring console (GUI) and the CLI should be in sync for flushing a JMS queue.
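As an added example (not part of the ticket, and not WildFly's own code), the kind of regression check an administrator could script for this issue: it parses the CLI's DMR-style text output and flags any mutating jms-queue operation that a read-only role was able to run instead of being refused with WFLYCTL0313. The jboss-cli.sh invocation, the credentials and the sample outputs are assumptions or constructed from the ticket's transcript.

```python
import re
import subprocess

# Queue operations a read-only role (e.g. Monitor) must never be able to run.
# Taken from the two operations shown in the ticket; extend for your deployment.
MUTATING_QUEUE_OPS = ("remove-messages", "remove")

# Constructed samples, modelled on the CLI output quoted in the ticket.
SAMPLE_SUCCESS = '{\n    "outcome" => "success",\n    "result" => 14\n}'
SAMPLE_DENIED = ('{\n    "outcome" => "failed",\n    "failure-description" => '
                 '"WFLYCTL0313: Unauthorized to execute operation \'remove\' for resource '
                 '\'[(\\"subsystem\\" => \\"messaging-activemq\\")]\' -- '
                 '\\"WFLYCTL0332: Permission denied\\"",\n    "rolled-back" => true\n}')


def parse_outcome(cli_output):
    """Extract the "outcome" value and every WFLYCTL error code from CLI output."""
    m = re.search(r'"outcome"\s*=>\s*"(\w+)"', cli_output)
    outcome = m.group(1) if m else "unknown"
    codes = sorted(set(re.findall(r"WFLYCTL\d{4}", cli_output)))
    return {"outcome": outcome, "codes": codes}


def readonly_role_violations(results):
    """results maps operation name -> raw CLI output captured while running as a
    read-only role. Returns the mutating operations that were NOT denied with
    WFLYCTL0313 (the authorization failure code shown in the ticket)."""
    violations = []
    for op, output in results.items():
        parsed = parse_outcome(output)
        denied = parsed["outcome"] == "failed" and "WFLYCTL0313" in parsed["codes"]
        if op in MUTATING_QUEUE_OPS and not denied:
            violations.append(op)
    return violations


def run_as(user, password, op, queue="DLQ"):
    """Run one queue operation through jboss-cli.sh (assumed to be in PATH) as the
    given management user and return the raw output. Flags are assumptions."""
    address = f"/subsystem=messaging-activemq/server=default/jms-queue={queue}:{op}()"
    cmd = ["jboss-cli.sh", "--connect", f"--user={user}", f"--password={password}",
           f"--command={address}"]
    return subprocess.run(cmd, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Offline run against the constructed samples; with a live server use
    # {op: run_as("monitor-user", "secret", op) for op in MUTATING_QUEUE_OPS}.
    captured = {"remove-messages": SAMPLE_SUCCESS, "remove": SAMPLE_DENIED}
    print("violations:", readonly_role_violations(captured))  # ['remove-messages']
```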
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)