Red Hat Fuse: ENTESB-9260

Restricting access to profile-display for a role works in Karaf console, but not Hawtio


    • Type: Bug
    • Resolution: Not a Bug
    • Priority: Major
    • Versions: jboss-fuse-6.3, fuse-6.x-GA
    • Components: Hawtio, Karaf, Security
      • Install Red Hat JBoss Fuse 6.3
      • Create a Fabric (fabric:create --wait-for-provisioning)
      • Create a user with only Monitor / viewer roles
        (We used the LDAPLoginModule to simulate the end user environment)
      • Edit org.apache.karaf.command.acl.fabric.properties in profile acls to remove the Monitor and viewer roles from the profile-display command
      • Log into the Karaf shell as the Monitor / viewer user and verify that access is denied to the profile-display command
      • Log into Hawtio as the restricted user and verify that profiles and configuration PIDs are still visible to the user

      We had to also remove the roles from the read* operation in jmx.acl.hawtio.GitFacade.properties to prevent profile details from being visible to restricted users in Hawtio.


      In a Fabric environment, restricting access to operation "profile-display" in PID org.apache.karaf.command.acl.fabric correctly prevents a user without the required role from viewing profile resources at the Karaf console; however, the same user can log into Hawtio and view profile details including configuration resources.

      It appears that the only way to prevent this is to also restrict access to read* in jmx.acl.hawtio.GitFacade.properties, which does work to prevent a restricted user from displaying details for any profile, but also prevents the user from listing profiles at all via Hawtio.
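      As an added example (not the reporter's code and not anything shipped with Fuse or Hawtio): a small Python checker that parses the two ACL property files named above, applies the exact-name-then-prefix* matching that Karaf JMX ACLs use, and reports whether one role gets the same answer from the console command ACL (profile-display) and from the Hawtio GitFacade JMX ACL. The file contents are constructed to mirror the edits described in this issue, not copied from the Fuse 6.3 defaults; the GitFacade "read" operation name and the treatment of an operation with no matching entry as denied (a real Karaf broker also falls back to parent PIDs such as jmx.acl.hawtio and jmx.acl) are assumptions.

```python
"""Audit whether one role is treated the same by a Karaf command ACL and a
Hawtio JMX ACL. Added example for ENTESB-9260; not Fuse/Hawtio code."""
from typing import Dict, List, Optional, Tuple

# Constructed content of org.apache.karaf.command.acl.fabric.properties after the
# edit described in the issue: Monitor and viewer removed from profile-display.
# Role lists are illustrative, not the Fuse 6.3 defaults.
COMMAND_ACL = """
# Karaf command ACL, scope "fabric": <command> = <comma-separated roles>
profile-list = admin, manager, viewer, Monitor
profile-display = admin, manager
profile-edit = admin
"""

# Constructed content of jmx.acl.hawtio.GitFacade.properties before any edit.
# Karaf JMX ACL keys may end in "*" to cover every method with that prefix.
JMX_ACL_BEFORE = """
read* = admin, manager, viewer, Monitor
write* = admin
"""

# Same PID after also removing the two roles from read*, as the reporter had to do.
JMX_ACL_AFTER = """
read* = admin, manager
write* = admin
"""


def parse_acl(text: str) -> Dict[str, List[str]]:
    """Parse 'key = role1, role2' lines; blank lines and '#' comments are ignored."""
    acl: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        acl[key.strip()] = [r.strip() for r in value.split(",") if r.strip()]
    return acl


def match_entry(acl: Dict[str, List[str]], operation: str) -> Optional[List[str]]:
    """Exact key first, then the longest matching 'prefix*' wildcard key.

    Assumption/simplification: real Karaf also consults parent PIDs and
    signature- or argument-qualified keys; those are not modelled here.
    """
    if operation in acl:
        return acl[operation]
    best: Optional[Tuple[str, List[str]]] = None
    for key, roles in acl.items():
        if key.endswith("*") and operation.startswith(key[:-1]):
            if best is None or len(key) > len(best[0]):
                best = (key, roles)
    return best[1] if best else None


def allowed(acl: Dict[str, List[str]], operation: str, role: str) -> bool:
    """True only if some entry matches the operation and lists the role."""
    roles = match_entry(acl, operation)
    return roles is not None and role in roles


def audit(role: str, command_acl: Dict[str, List[str]],
          jmx_acl: Dict[str, List[str]]) -> Dict[str, bool]:
    """Compare console and Hawtio access to profile details for one role."""
    console = allowed(command_acl, "profile-display", role)
    # Assumption: Hawtio reads profile/config contents through GitFacade read*
    hawtio = allowed(jmx_acl, "read", role)
    return {"console": console, "hawtio": hawtio, "consistent": console == hawtio}


if __name__ == "__main__":
    cmd = parse_acl(COMMAND_ACL)
    for label, jmx_text in (("before", JMX_ACL_BEFORE), ("after", JMX_ACL_AFTER)):
        for role in ("Monitor", "viewer", "admin"):
            print(label, role, audit(role, cmd, parse_acl(jmx_text)))
```

      Running it shows the mismatch the issue describes: with only the command ACL edited, Monitor is denied profile-display at the console but still matches read* in the GitFacade ACL, and only editing both files makes the two answers agree.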

              rhn-support-tasato Tadayoshi Sato
              rhn-support-dhawkins Duane Hawkins
