Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-490 Domain Management Role Based Access Control
  3. WFLY-2040

RBAC + JMX: auditor can't read sensitive non-core MBeans

XMLWordPrintable

      If I set non-core MBeans to be sensitive, like

      <subsystem xmlns="urn:jboss:domain:jmx:1.3">
    <expose-resolved-model/>
    <expose-expression-model/>
    <remoting-connector/>
    <sensitivity non-core-mbeans="true"/>
</subsystem>

      then I expect all roles that can read sensitive data (administrator, auditor, superuser) to be able to read non-core MBeans too. This is currently broken, as only administrator and superuser can read non-core MBeans, auditor cannot. I have a test case for this that I will submit later, but the important part is:

      boolean successExpected = ...; // 'true' for auditor

MBeanServerConnection connection = ...;
ObjectName domain = new ObjectName("java.lang:type=OperatingSystem");
try {
    Object attribute = connection.getAttribute(domain, "Name");
    assertTrue("Failure was expected", successExpected);
    assertEquals(System.getProperty("os.name"), attribute.toString());
} catch (IOException e) {
    if (e.getCause() instanceof RuntimeMBeanException && e.getCause().getMessage().contains("11360")) {
        assertFalse("Success was expected but failure happened: " + e, successExpected);
    } else {
        throw e;
    }
}

      Please note that I'm speaking about reading sensitive data, which, if I understand correctly, auditor can do.

              kkhan1@redhat.com Kabir Khan
              lthon@redhat.com Ladislav Thon
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: