Bug
Resolution: Done
Major
jboss-fuse-6.3
Authorization plugin does not work correctly with Karaf jaasAuthenticationPlugin.
For instance, I have three groups configured in my LDAP server:
dn: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
cn: admins
member: uid=admin
objectClass: groupOfNames
objectClass: top

dn: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
cn: users
member: uid=client
objectClass: groupOfNames
objectClass: top

dn: cn=Operator,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
cn: Operator
member: uid=jdoe
objectClass: groupOfNames
objectClass: top
The group "cn=Operator" has a matched name as a pre-configured Karaf RBAC role "Operator".
If I do not add this group "cn=Operator" to any of the "cn=read", "cn=write" and "cn=admin" privilege groups on any destination, for instance:
dn: cn=admin,cn=$,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
cn: admin
description: Admin privilege group, members are roles
member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
#member: cn=Operator,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
objectclass: groupOfNames
objectclass: top

dn: cn=write,cn=$,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
cn: write
member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
#member: cn=Operator,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
objectclass: groupOfNames
objectclass: top

dn: cn=read,cn=$,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
cn: read
member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
#member: cn=Operator,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
objectclass: groupOfNames
objectclass: top

...

dn: cn=read,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
cn: read
member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
#member: cn=Operator,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
objectClass: groupOfNames
objectClass: top

dn: cn=write,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
cn: write
member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
#member: cn=Operator,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
objectClass: groupOfNames
objectClass: top

dn: cn=admin,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
cn: admin
member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
#member: cn=Operator,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
objectClass: groupOfNames
objectClass: top
Then even my "admin" user could not send any messages to a queue destination as I'd get:
javax.jms.JMSSecurityException: User admin is not authorized to create: topic://ActiveMQ.Advisory.Connection
although I have added the "cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org" group to all of "ActiveMQ.Advisory.$" destinations as required.
If I uncomment the following line in the LDAP samples above:
member: cn=Operator,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
that is, I add this "cn=Operator" group to every destination's "cn=admin", "cn=read" and "cn=write" privilege groups instead, then the "admin" user works.
However, the consequence is that even the "client" user can create a new queue or write messages to a queue, despite the fact that it is not supposed to do anything with a queue, because its group "cn=users" is not added under any queue destination (see the sample above). It means that by adding the group "cn=Operator", effectively, any user is allowed all permissions on all destinations, somehow.
You could test with any other user group name such as "cn=viewer" or "cn=Deployer" etc. They will have the same effect as the "cn=Operator" group as long as the name matches one of Karaf's pre-configured RBAC roles.
I'll attach an activemq.xml file with the relevant <jaasAuthenticationPlugin> and <authorizationPlugin> elements, an ldap-module.xml for Karaf to use LDAPLoginModule, and an activemq-openldap.ldif file to this JIRA for testing.
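The practical check for a report like this is to derive the permission matrix the LDIF is supposed to produce and diff it against what the broker actually allows for each user. The script below is an added example, not code from this JIRA, from ActiveMQ or from Karaf. It models the intended semantics of the layout used above: users get a role for each group they are a member of under ou=Group; each destination entry under ou=Destination carries cn=read, cn=write and cn=admin privilege groups whose members are role-group DNs; "$" in a destination name stands for the ">" wildcard, since ">" cannot appear in a DN; privileges of all matching destination entries are unioned; and read, write and admin correspond to consuming, producing and creating a destination. Those rules, the trimmed sample LDIF (constructed for the example, with objectClass lines omitted) and the include_commented switch that mimics uncommenting the Operator lines are all assumptions of the example. Where the broker's answer differs from this matrix, as the "client" user being able to write to a queue does in the report, the configuration is either misread by the broker or the broker is misbehaving; the script does not explain why.

```python
import re
from collections import defaultdict

BASE = "ou=ActiveMQ,dc=activemq,dc=apache,dc=org"

# Constructed sample in the same layout as the report's LDIF, trimmed to the
# entries needed here. The "#member" lines are the Operator grants the report
# toggles on and off.
SAMPLE_LDIF = f"""\
dn: cn=admins,ou=Group,{BASE}
member: uid=admin,ou=User,{BASE}

dn: cn=users,ou=Group,{BASE}
member: uid=client,ou=User,{BASE}

dn: cn=Operator,ou=Group,{BASE}
member: uid=jdoe,ou=User,{BASE}

dn: cn=admin,cn=$,ou=Queue,ou=Destination,{BASE}
member: cn=admins,ou=Group,{BASE}
#member: cn=Operator,ou=Group,{BASE}

dn: cn=write,cn=$,ou=Queue,ou=Destination,{BASE}
member: cn=admins,ou=Group,{BASE}
#member: cn=Operator,ou=Group,{BASE}

dn: cn=admin,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,{BASE}
member: cn=admins,ou=Group,{BASE}
member: cn=users,ou=Group,{BASE}
#member: cn=Operator,ou=Group,{BASE}
"""


def parse_ldif(text, include_commented=False):
    """Minimal LDIF reader: one {attr: [values]} dict per blank-line-separated
    entry. With include_commented=True a '#attr: value' line is read as if the
    '#' were removed, which is how the report enables the Operator grants."""
    entries, cur = [], defaultdict(list)
    for raw in text.splitlines() + [""]:
        line = raw.strip()
        if line.startswith("#"):
            if not include_commented:
                continue
            line = line[1:].strip()
        if not line:
            if cur:
                entries.append(dict(cur))
                cur = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        cur[attr.strip().lower()].append(value.strip())
    return entries


def rdn_values(dn):
    """'cn=x,ou=y,...' -> [('cn','x'), ('ou','y'), ...]; no escaped commas in this layout."""
    return [tuple(p.split("=", 1)) for p in dn.split(",")]


def build_model(entries):
    """Return (user_roles, acls): uid -> set of role-group DNs, and a list of
    (kind, destination pattern, privilege, set of role-group DNs)."""
    user_roles, acls = defaultdict(set), []
    for e in entries:
        dn = e["dn"][0]
        parts = rdn_values(dn)
        members = {m.lower() for m in e.get("member", [])}
        if len(parts) > 1 and parts[1] == ("ou", "Group"):
            for m in members:
                attr, value = rdn_values(m)[0]
                if attr == "uid":
                    user_roles[value].add(dn.lower())
        elif len(parts) > 3 and parts[3] == ("ou", "Destination"):
            privilege, pattern, kind = parts[0][1], parts[1][1], parts[2][1]
            # Assumed convention: "$" in the DN stands for the ">" wildcard.
            acls.append((kind.lower(), pattern.replace("$", ">"), privilege, members))
    return user_roles, acls


def dest_matches(pattern, name):
    """ActiveMQ-style wildcard match: '*' is one path segment, '>' all remaining ones."""
    pat, segs = pattern.split("."), name.split(".")
    for i, p in enumerate(pat):
        if p == ">":
            return len(segs) > i
        if i >= len(segs) or (p != "*" and p != segs[i]):
            return False
    return len(pat) == len(segs)


def is_allowed(model, uid, privilege, kind, name):
    """True if one of uid's roles is a member of the <privilege> group of any
    destination entry matching <name>; matching entries are unioned (assumed)."""
    user_roles, acls = model
    granted = set()
    for k, pattern, priv, members in acls:
        if k == kind and priv == privilege and dest_matches(pattern, name):
            granted |= members
    return bool(user_roles.get(uid, set()) & granted)


def expected_matrix(ldif_text, uids, checks, include_commented=False):
    """(uid, privilege, kind, name) -> expected decision, to diff against the broker."""
    model = build_model(parse_ldif(ldif_text, include_commented))
    return {(u, *c): is_allowed(model, u, *c) for u in uids for c in checks}


if __name__ == "__main__":
    checks = [("write", "queue", "TEST.Q"), ("admin", "queue", "TEST.Q"),
              ("admin", "topic", "ActiveMQ.Advisory.Connection")]
    for toggled in (False, True):
        print("Operator grants uncommented:", toggled)
        for key, ok in expected_matrix(SAMPLE_LDIF, ["admin", "client", "jdoe"], checks, toggled).items():
            print("  ", key, "->", "allow" if ok else "deny")
```

Run it against the real activemq-openldap.ldif instead of SAMPLE_LDIF, then exercise each (user, operation, destination) row with a JMS client against the broker. Any row where the broker says allow but the matrix says deny, such as "client" writing to a queue, is the over-grant to chase; any row where the matrix says allow but the broker denies, such as "admin" creating ActiveMQ.Advisory.Connection, is the mismatch the report describes.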