[jboss-jira] [JBoss JIRA] (WFCORE-13) End users can call non-published management API operations

Brian Stansberry (JIRA) issues at jboss.org
Tue May 2 16:46:00 EDT 2017 

    [ https://issues.jboss.org/browse/WFCORE-13?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13400949#comment-13400949 ] 

Brian Stansberry commented on WFCORE-13:
----------------------------------------

WFCORE-13 somewhat "blocks" WFCORE-389 because in theory a subsystem that registers a runtime-only op in the domain-wide profile resource tree may want that op executed on servers *only* via the domain, not allowing the user to invoke it on individual servers. The mechanism to do that would be to mark the op as private in the server-level management API.

This is to some extent a purely theoretical situation.

> End users can call non-published management API operations
> ----------------------------------------------------------
>
>                 Key: WFCORE-13
>                 URL: https://issues.jboss.org/browse/WFCORE-13
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Domain Management
>            Reporter: Ladislav Thon
>              Labels: EAP
>
> It's not possible to call "non-published" operations (those that are not visible in the resource tree, e.g. {{describe}}) via JMX, while it's entirely possible to call them via CLI (e.g. {{/subsystem=security:describe}}) and other management interfaces.
> The problem lies in the fact that {{ModelControllerMBeanHelper.invoke}} method checks {{if (!accessControl.isExecutableOperation(operationName))}} and the {{isExecutableOperation}} method assumes that the operation will be visible in the resource tree. In fact, there is a comment stating _should not happen_, but now we know that it indeed _can_ happen.
> What's more, it gives a misleading error message. The {{isExecutableOperation}} returns {{false}} for unknown operations, which results in {{Not authorized to invoke operation}} message. Which is wrong in two different ways simultaneously: 1. the problem isn't authorization, but the fact that the operation can't be found; 2. the user (e.g. in the {{SuperUser}} role) _is_ authorized.
> I'm considering this low priority, because 1. JMX is likely to be very rarely used to access the management interface, 2. hiding information isn't nearly as important as leaking them, 3. non-published operations aren't nearly as important as the published ones. It's worth a JIRA nevertheless.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

More information about the jboss-jira mailing list