Details
- Bug
- Resolution: Done
- Blocker
- 7.0.0.GA, 7.1.0.DR19
- None
Description
ReadOnly user able to perform runtimeOnly operations on JMS queues through CLI
Like:-
'Monitor' roles have permissions to remove messages from the queue.
[standalone@localhost:9990 /] /subsystem=messaging-activemq/server=default/jms-queue=DLQ:remove-messages()
{
    "outcome" => "success",
    "result" => 14
}
[standalone@localhost:9990 /]
Also drop-all-subscriptions on a topic.
[standalone@localhost:9990 /] /subsystem=messaging-activemq/server=default/jms-topic=testTopic:drop-all-subscriptions()
{
    "outcome" => "success",
    "result" => undefined
}
[standalone@localhost:9990 /]
So even a read-only role ('Monitor') has access to :remove-messages. To show RBAC is enforced for other CLI operations:
[standalone@localhost:9990 /] /subsystem=messaging-activemq/server=default/jms-queue=DLQ:remove()
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0313: Unauthorized to execute operation 'remove' for resource '[ (\"subsystem\" => \"messaging-activemq\"), (\"server\" => \"default\"), (\"jms-queue\" => \"DLQ\") ]' -- \"WFLYCTL0332: Permission denied\"",
    "rolled-back" => true
}
[standalone@localhost:9990 /]
Expectation:-
The permissions between the monitoring console (GUI) and the CLI should be in sync for flushing a JMS queue.
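
A regression check for the behaviour reported above, as an added example that is not part of the original report or of the product's code: it parses a CLI transcript captured from a 'Monitor' session and lists the state-changing operations that returned success. The function names and the operation list are assumptions for illustration; the transcript is assembled from the output quoted in the report.

```python
import re

# Operations a read-only role must be refused, taken from the report above.
STATE_CHANGING_OPS = {"remove-messages", "drop-all-subscriptions", "remove"}

# A CLI command line: prompt, resource address, ':' and the operation name.
COMMAND = re.compile(r"\[standalone@[^\]]*\]\s+(/[^\s:]+):([\w-]+)\(")
OUTCOME = re.compile(r'"outcome"\s*=>\s*"(\w+)"')


def parse_transcript(text):
    """Return (address, operation, outcome) for each command in a CLI transcript."""
    commands = list(COMMAND.finditer(text))
    results = []
    for i, cmd in enumerate(commands):
        # The response to a command runs up to the next command line.
        end = commands[i + 1].start() if i + 1 < len(commands) else len(text)
        outcome = OUTCOME.search(text, cmd.end(), end)
        results.append((cmd.group(1), cmd.group(2),
                        outcome.group(1) if outcome else "unknown"))
    return results


def rbac_violations(text):
    """State-changing operations that succeeded in a read-only user's session."""
    return [(addr, op) for addr, op, outcome in parse_transcript(text)
            if op in STATE_CHANGING_OPS and outcome == "success"]


# Transcript assembled from the CLI output quoted in the report (Monitor session);
# the failure description is abbreviated.
MONITOR_SESSION = r'''
[standalone@localhost:9990 /] /subsystem=messaging-activemq/server=default/jms-queue=DLQ:remove-messages()
{ "outcome" => "success", "result" => 14 }
[standalone@localhost:9990 /] /subsystem=messaging-activemq/server=default/jms-topic=testTopic:drop-all-subscriptions()
{ "outcome" => "success", "result" => undefined }
[standalone@localhost:9990 /] /subsystem=messaging-activemq/server=default/jms-queue=DLQ:remove()
{ "outcome" => "failed", "failure-description" => "WFLYCTL0313: Unauthorized ...", "rolled-back" => true }
[standalone@localhost:9990 /]
'''

if __name__ == "__main__":
    for addr, op in rbac_violations(MONITOR_SESSION):
        print(f"VIOLATION: Monitor executed :{op} on {addr}")
```
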
Issue Links
- is cloned by: WFLY-9181 ReadOnly user able to perform runtimeOnly operations on JMS queues and Topic through CLI (Closed)
- relates to: JBEAP-12560 Messaging queue operations are not flagged with read-only (Closed)