AMQ Broker
ENTMQBR-1962

Hawtio RBAC bypassed if com.sun.management.jmxremote Java system properties are set


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • AMQ 7.2.2.GA
    • AMQ 7.2.0.GA
    • documentation
    • Documentation (Ref Guide, User Guide, etc.)

      Configure a view only user for the broker:
      artemis-roles.properties

      viewer = fred
      

      management.xml

      <default-access>
         <access method="list*" roles="amq,viewer"/>
         <access method="get*" roles="amq,viewer"/>
         <access method="is*" roles="amq,viewer"/>
         <access method="browse*" roles="amq,viewer"/>
         <access method="set*" roles="amq"/>
         <access method="*" roles="amq"/>
      </default-access>
      <role-access>
         <match domain="org.apache.activemq.artemis">
            <access method="list*" roles="amq,viewer"/>
            <access method="get*" roles="amq,viewer"/>
            <access method="is*" roles="amq,viewer"/>
            <access method="browse*" roles="amq,viewer"/>
            <access method="set*" roles="amq"/>
            <access method="*" roles="amq"/>
         </match>
         <!--example of how to configure a specific object-->
         <!--<match domain="org.apache.activemq.artemis" key="subcomponent=queues">
            <access method="list*" roles="view,update,amq"/>
            <access method="get*" roles="view,update,amq"/>
            <access method="is*" roles="view,update,amq"/>
            <access method="set*" roles="update,amq"/>
            <access method="*" roles="amq"/>
         </match>-->
      </role-access>
      

      artemis.profile:

      # Java Opts
      JAVA_ARGS=" -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+AggressiveOpts -XX:+UseFastAccessorMethods -Xms512M -Xmx2G -Dhawtio.realm=activemq  -Dhawtio.offline="true" -Dhawtio.roles=amq,viewer -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal -Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml -Djon.id=amq"
      
      #
      # There might be options that you only want to enable on specific commands, like setting a JMX port
      # See https://issues.apache.org/jira/browse/ARTEMIS-318
      if [ "$1" = "run" ]; then
        JAVA_ARGS="$JAVA_ARGS -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.rmi.port=1098 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false"
      fi
      

      Using a user with the viewer role, log into Hawtio and attempt to delete a message on a queue.

      Expected Result
      User should be prevented from deleting message

      Actual Result
      Message is deleted from the queue

      If the com.sun.management.jmxremote Java system properties are commented out, the expected behavior occurs.


      If the com.sun.management.jmxremote Java system properties are set in the artemis.profile, RBAC is bypassed in Hawtio.
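The following audit script is an added example, not part of the ENTMQBR-1962 report and not code from AMQ Broker or Artemis. It reads an artemis.profile from standard input and reports whether any -Dcom.sun.management.jmxremote* property is active (the condition the report identifies as triggering the Hawtio RBAC bypass), ignoring lines commented out with '#', which the report says restores the expected behaviour. It also flags a second, separate exposure that is visible in the reporter's own profile: com.sun.management.jmxremote.authenticate=false together with ssl=false opens an unauthenticated, unencrypted remote JMX listener on the configured port, which lets any network peer call the same MBean operations without going through Hawtio at all. The three sample profiles embedded in the script are constructed from the snippet in the report; the function names and the classification tokens are this example's own.

```shell
#!/usr/bin/env bash
# Added audit script (not from the ENTMQBR-1962 report, not AMQ Broker code).
# Reads an artemis.profile on stdin and classifies it by whether the
# -Dcom.sun.management.jmxremote* properties are active and whether they
# also disable JMX authentication. Sample profiles are constructed below.

# Exit 0 if any non-commented line sets a -Dcom.sun.management.jmxremote
# property, 1 otherwise. Commented-out lines are skipped, matching the
# report's observation that commenting the properties out restores RBAC.
jmxremote_enabled() {
  grep -v '^[[:space:]]*#' | grep -q -- '-Dcom\.sun\.management\.jmxremote'
}

# Print the value of one jmxremote sub-property ("port", "ssl",
# "authenticate", ...) from the profile on stdin; empty if it is not set.
jmxremote_prop() {
  local name="$1"
  grep -v '^[[:space:]]*#' \
    | grep -o -- "-Dcom\.sun\.management\.jmxremote\.${name}=[^\"[:space:]]*" \
    | head -n 1 \
    | sed 's/^[^=]*=//'
}

# Classify the profile on stdin, printing exactly one token:
#   ok                    no jmxremote property active; management.xml RBAC applies in Hawtio
#   rbac-bypass           jmxremote active: the Hawtio RBAC bypass described in the report
#   rbac-bypass-open-jmx  jmxremote active and authenticate=false: unauthenticated remote JMX too
audit_profile() {
  local text auth
  text="$(cat)"
  if ! printf '%s\n' "$text" | jmxremote_enabled; then
    echo ok
    return 0
  fi
  auth="$(printf '%s\n' "$text" | jmxremote_prop authenticate)"
  if [ "$auth" = "false" ]; then
    echo rbac-bypass-open-jmx
  else
    echo rbac-bypass
  fi
}

# Constructed sample 1: the "run" block from the report, properties active.
PROFILE_JMX_ON='JAVA_ARGS="-Xms512M -Xmx2G -Dhawtio.realm=activemq -Dhawtio.roles=amq,viewer"
if [ "$1" = "run" ]; then
  JAVA_ARGS="$JAVA_ARGS -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.rmi.port=1098 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false"
fi'

# Constructed sample 2: the same block with the jmxremote line commented out.
PROFILE_JMX_COMMENTED='JAVA_ARGS="-Xms512M -Xmx2G -Dhawtio.realm=activemq -Dhawtio.roles=amq,viewer"
if [ "$1" = "run" ]; then
  # JAVA_ARGS="$JAVA_ARGS -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.authenticate=false"
  :
fi'

# Constructed sample 3: jmxremote active with JMX authentication and TLS on.
# The Hawtio RBAC bypass from the report still applies; only the open
# listener does not.
PROFILE_JMX_AUTH='JAVA_ARGS="-Xmx2G -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.authenticate=true"'

# Print one report line: sample name, classification, configured JMX port.
report() {
  printf '%-22s %s port=%s\n' "$1" \
    "$(printf '%s\n' "$2" | audit_profile)" \
    "$(printf '%s\n' "$2" | jmxremote_prop port)"
}

report PROFILE_JMX_ON "$PROFILE_JMX_ON"
report PROFILE_JMX_COMMENTED "$PROFILE_JMX_COMMENTED"
report PROFILE_JMX_AUTH "$PROFILE_JMX_AUTH"
```

This is a static check of the profile only: it tells you whether a broker instance is in the configuration the report describes, not whether the bypass is reachable. To confirm the bypass itself, repeat the report's steps (log in to Hawtio as a viewer-role user and attempt a delete) against a test instance; to remove it, take the jmxremote properties out of artemis.profile or comment them out as the report did. Run it as `bash audit.sh < /path/to/instance/etc/artemis.profile` after replacing the embedded samples with a read of standard input, or call `audit_profile` directly from another script.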

            rh-ee-ataylor Andy Taylor
            rhn-support-jsherman Jason Sherman