WildFly Core / WFCORE-2061

JMX access unauthorized after RBAC enabled


    • Type: Bug
    • Resolution: Won't Do
    • Priority: Major
    • Version: 3.0.0.Alpha14
    • Version: 2.2.0.Final
    • Components: JMX, Security
      Steps to reproduce:
      1. Copy the attached standalone.xml to $WFLY_HOME/standalone/configuration/
      2. Add user admin:
         $ ./bin/add-user.sh -u admin -p p@ssw0rd
      3. Start WildFly 10.1.0.Final:
         $ ./bin/standalone.sh
      4. Run the attached reproducer wildfly-jmx-auth:
         $ mvn clean test
      5. You'll see the test fail, with the following in the server log:
         javax.management.JMRuntimeException: WFLYJMX0037: Unauthorized access


      After RBAC is enabled, even a user ("admin") with SuperUser role fails to get authorized access to JMX with the following code:

              import java.security.PrivilegedExceptionAction;
              import javax.management.MBeanServer;
              import javax.management.ObjectName;
              import javax.security.auth.Subject;
              import javax.security.auth.login.LoginContext;

              MBeanServer mBeanServer = ...
              Subject subject = new Subject();
              // Login against the "test-domain" security domain (RealmDirect -> ManagementRealm)
              new LoginContext("test-domain", subject, callbacks -> { ... }).login();
              // Access JMX as the authenticated subject. PrivilegedExceptionAction is used here
              // because getAttribute() and the ObjectName constructor throw checked exceptions.
              Subject.doAs(subject, (PrivilegedExceptionAction<Object>) () -> {
                  mBeanServer.getAttribute(new ObjectName("java.lang:type=Memory"), "HeapMemoryUsage");
                  return null;
              });
      

      RBAC and role-mapping are enabled in standalone.xml like this:

              <access-control provider="rbac">
                  <role-mapping>
                      <role name="SuperUser">
                          <include>
                              <user name="$local"/>
                              <user name="admin"/>
                          </include>
                      </role>
                  </role-mapping>
              </access-control>
              [...]
              <subsystem xmlns="urn:jboss:domain:security:1.2">
                  <security-domains>
                      [...]
                      <security-domain name="test-domain" cache-type="default">
                          <authentication>
                              <login-module code="RealmDirect" flag="required">
                                  <module-option name="realm" value="ManagementRealm"/>
                              </login-module>
                          </authentication>
                      </security-domain>
      

      The code gets this error in the server log:

      javax.management.JMRuntimeException: WFLYJMX0037: Unauthorized access
      	at org.jboss.as.jmx.PluggableMBeanServerImpl.authorizeMBeanOperation(PluggableMBeanServerImpl.java:1203)
      	at org.jboss.as.jmx.PluggableMBeanServerImpl.authorizeMBeanOperation(PluggableMBeanServerImpl.java:1190)
      	at org.jboss.as.jmx.PluggableMBeanServerImpl.getAttribute(PluggableMBeanServerImpl.java:387)
      	at com.redhat.issues.wildfly.JmxServlet.readMBeanAttribute(JmxServlet.java:87)
      	at com.redhat.issues.wildfly.JmxServlet.lambda$process$0(JmxServlet.java:53)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at javax.security.auth.Subject.doAs(Subject.java:360)
      	at com.redhat.issues.wildfly.JmxServlet.process(JmxServlet.java:52)
      	at com.redhat.issues.wildfly.JmxServlet.doGet(JmxServlet.java:44)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
      

        Attachment: standalone.xml (21 kB), uploaded by Tadayoshi Sato

              Assignee: Darran Lofthouse
              Reporter: Tadayoshi Sato