[jboss-jira] [JBoss JIRA] (WFCORE-13) End users can call non-published management API operations
Brian Stansberry (JIRA)
issues at jboss.org
Tue May 2 17:35:00 EDT 2017
[ https://issues.jboss.org/browse/WFCORE-13?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13400964#comment-13400964 ]
Brian Stansberry commented on WFCORE-13:
----------------------------------------
Uses of SimpleOperationDefinitionBuilder.setPrivateEntry(), with a note for each regarding whether there are any concerns with preventing outside execution:
controller/src/main/java/org/jboss/as/controller/AbstractControllerService.java: INIT_CONTROLLER_OP (ok)
controller/src/main/java/org/jboss/as/controller/CompositeOperationHandler.java: INTERNAL_DEFINITION (ok)
controller/src/main/java/org/jboss/as/controller/operations/common/GenericSubsystemDescribeHandler.java: (consider 'hidden')
controller/src/main/java/org/jboss/as/controller/operations/common/ValidateOperationHandler.java: DEFINITION_PRIVATE (ok)
controller/src/main/java/org/jboss/as/controller/operations/global/ReadResourceDescriptionHandler.java: CheckResourceAccessHandler (ok)
controller/src/main/java/org/jboss/as/controller/registry/ProxyControllerRegistration.java: ProxyStepHandler (ok)
controller/src/main/java/org/jboss/as/controller/transform/SubsystemDescriptionDump.java: (consider 'hidden')
controller/src/test/java/org/jboss/as/controller/notification/NotificationCompositeOperationTestCase.java: (test)
controller/src/test/java/org/jboss/as/controller/notification/OperationWithManyStepsTestCase.java: (test)
controller/src/test/java/org/jboss/as/controller/notification/OperationWithNotificationTestCase.java: (test)
controller/src/test/java/org/jboss/as/controller/test/CastAttributeOperationTestCase.java: (test)
controller/src/test/java/org/jboss/as/controller/test/ReadResourceChildOrderingTestCase.java: (test)
controller/src/test/java/org/jboss/as/controller/test/TestUtils.java: (test)
controller/src/test/java/org/jboss/as/controller/test/WriteAttributeOperationTestCase.java: (test)
domain-management/src/main/java/org/jboss/as/domain/management/access/AccessAuthorizationDomainSlaveConfigHandler.java: (ok)
host-controller/src/main/java/org/jboss/as/domain/controller/operations/ApplyExtensionsHandler.java: (ok)
host-controller/src/main/java/org/jboss/as/domain/controller/operations/GenericModelDescribeOperationHandler.java: (consider 'hidden')
host-controller/src/main/java/org/jboss/as/domain/controller/operations/ReadMasterDomainOperationsHandler.java: (ok)
host-controller/src/main/java/org/jboss/as/domain/controller/resources/ProfileResourceDefinition.java: DESCRIBE (consider 'hidden')
host-controller/src/main/java/org/jboss/as/host/controller/operations/HostModelRegistrationHandler.java: (ok)
host-controller/src/main/java/org/jboss/as/host/controller/operations/InstallationReportHandler.java: (ok)
host-controller/src/main/java/org/jboss/as/host/controller/operations/StartServersHandler.java: (ok)
host-controller/src/main/java/org/jboss/as/host/controller/resources/StoppedServerResource.java: (unused; remove)
server/src/main/java/org/jboss/as/server/DeployerChainAddHandler.java: (ok)
server/src/main/java/org/jboss/as/server/operations/InstallationReportHandler.java: (ok)
server/src/main/java/org/jboss/as/server/operations/ServerDomainProcessReloadHandler.java: (ok)
server/src/main/java/org/jboss/as/server/operations/ServerDomainProcessShutdownHandler.java: (ok)
server/src/main/java/org/jboss/as/server/operations/ServerProcessStateHandler.java: (should be ok but may have to use 'hidden' as this op was documented)
server/src/main/java/org/jboss/as/server/operations/ServerResumeHandler.java: DOMAIN_DEFINITION (ok)
server/src/main/java/org/jboss/as/server/operations/ServerSuspendHandler.java: DOMAIN_DEFINITION (ok)
server/src/main/java/org/jboss/as/server/operations/SetServerGroupHostHandler.java: (ok)
subsystem-test/framework/src/main/java/org/jboss/as/subsystem/test/ReadTransformedResourceOperation.java: (test)
By "consider 'hidden'" in the notes above, I mean a new flag on the operation entry that would result in the current behavior of setPrivateEntry -- i.e. the op is not described in the API but will work if invoked. This is basically meant for things that we suspect people may be using and we don't want to break them, but where we don't want to commit to the op as part of the published API.
> End users can call non-published management API operations
> ----------------------------------------------------------
>
> Key: WFCORE-13
> URL: https://issues.jboss.org/browse/WFCORE-13
> Project: WildFly Core
> Issue Type: Bug
> Components: Domain Management
> Reporter: Ladislav Thon
> Labels: EAP
>
> It's not possible to call "non-published" operations (those that are not visible in the resource tree, e.g. {{describe}}) via JMX, while it's entirely possible to call them via CLI (e.g. {{/subsystem=security:describe}}) and other management interfaces.
> The problem lies in the fact that {{ModelControllerMBeanHelper.invoke}} method checks {{if (!accessControl.isExecutableOperation(operationName))}} and the {{isExecutableOperation}} method assumes that the operation will be visible in the resource tree. In fact, there is a comment stating _should not happen_, but now we know that it indeed _can_ happen.
> What's more, it gives a misleading error message. The {{isExecutableOperation}} returns {{false}} for unknown operations, which results in a {{Not authorized to invoke operation}} message. This is wrong in two different ways simultaneously: 1. the problem isn't authorization, but the fact that the operation can't be found; 2. the user (e.g. in the {{SuperUser}} role) _is_ authorized.
> I'm considering this low priority, because 1. JMX is likely to be very rarely used to access the management interface, 2. hiding information isn't nearly as important as leaking them, 3. non-published operations aren't nearly as important as the published ones. It's worth a JIRA nevertheless.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
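The following is an added illustration, not WildFly's own code: a hypothetical operation registry with the three visibility levels discussed above (published, 'hidden' = not described but executable, private = not executable from outside), and an invoke check that reports an unknown operation as not found rather than collapsing it into "not authorized" as the issue describes. Treating a private entry as non-existent for outside callers is an assumption of this example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

// Hypothetical model of an operation registry; class and enum names are assumptions.
public class OperationVisibilityDemo {

    /** Visibility of a registered operation entry. */
    enum Visibility {
        PUBLIC,   // described in the API and executable by outside callers
        HIDDEN,   // omitted from descriptions, but still works if invoked
        PRIVATE   // omitted from descriptions and not executable from outside
    }

    /** Outcome of an invoke attempt: "not found" is kept separate from "not authorized". */
    enum Outcome { EXECUTED, NOT_FOUND, NOT_AUTHORIZED }

    private final Map<String, Visibility> registry = new HashMap<>();

    void register(String opName, Visibility visibility) {
        registry.put(opName, visibility);
    }

    /** Operation names an outside caller would see in a resource description. */
    Set<String> describedOperations() {
        Set<String> out = new TreeSet<>();
        registry.forEach((name, vis) -> { if (vis == Visibility.PUBLIC) out.add(name); });
        return out;
    }

    /**
     * Existence is checked before authorization, so an unknown (or private, i.e.
     * non-existent to outside callers) operation yields NOT_FOUND, and only a
     * known, externally executable operation is subject to the authorization rule.
     */
    Outcome invokeFromOutside(String opName, boolean callerIsAuthorized) {
        Visibility vis = registry.get(opName);
        if (vis == null || vis == Visibility.PRIVATE) {
            return Outcome.NOT_FOUND;       // not an authorization failure
        }
        return callerIsAuthorized ? Outcome.EXECUTED : Outcome.NOT_AUTHORIZED;
    }

    public static void main(String[] args) {
        OperationVisibilityDemo ops = new OperationVisibilityDemo();
        ops.register("read-resource", Visibility.PUBLIC);   // constructed sample entries
        ops.register("describe", Visibility.HIDDEN);
        ops.register("init-controller", Visibility.PRIVATE);
        System.out.println(ops.describedOperations());
        System.out.println(ops.invokeFromOutside("describe", true));
        System.out.println(ops.invokeFromOutside("init-controller", true));
        System.out.println(ops.invokeFromOutside("no-such-op", true));
    }
}
```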