
      Description

      If I set non-core MBeans to be sensitive, like

      <subsystem xmlns="urn:jboss:domain:jmx:1.3">
          <expose-resolved-model/>
          <expose-expression-model/>
          <remoting-connector/>
          <sensitivity non-core-mbeans="true"/>
      </subsystem>
      

      then I expect all roles that can read sensitive data (administrator, auditor, superuser) to be able to read non-core MBeans too. This is currently broken, as only administrator and superuser can read non-core MBeans; auditor cannot. I have a test case for this that I will submit later, but the important part is:

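      boolean successExpected = ...; // 'true' for auditor
      
      MBeanServerConnection connection = ...;
      // A platform (non-core) MBean, covered by non-core-mbeans="true"
      ObjectName domain = new ObjectName("java.lang:type=OperatingSystem");
      try {
          Object attribute = connection.getAttribute(domain, "Name");
          // The read went through: only acceptable if this role may read sensitive data
          assertTrue("Failure was expected", successExpected);
          assertEquals(System.getProperty("os.name"), attribute.toString());
      } catch (IOException e) {
          // A RuntimeMBeanException whose message contains "11360" is the failure this test expects for roles that must be denied
          if (e.getCause() instanceof RuntimeMBeanException && e.getCause().getMessage().contains("11360")) {
              assertFalse("Success was expected but failure happened: " + e, successExpected);
          } else {
              // Any other I/O failure is unrelated to the access check
              throw e;
          }
      }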
      

      Please note that I'm speaking about reading sensitive data, which, if I understand correctly, auditor can do.

                People

                • Assignee:
                  kabirkhan Kabir Khan
                  Reporter:
                  lthon Ladislav Thon