WildFly / WFLY-9181

ReadOnly user able to perform runtimeOnly operations on JMS queues and Topic through CLI


Details

    • Bug
    • Resolution: Done
    • Major
    • 11.0.0.CR1
    • 11.0.0.Beta1
    • CLI, JMS
    • None
    Steps to Reproduce

      1. Enable RBAC and create a Management User with the Monitor role

      <access-control provider="rbac">
          <role-mapping>
              <role name="SuperUser">
                  <include>
                      <user name="admin"/>
                  </include>
              </role>
              <role name="Monitor">
                  <include>
                      <user name="adminM"/>
                  </include>
              </role>
          </role-mapping>
      </access-control>

      2. Log in to the Management console as the Monitor user; you will not be able to flush any queue.

      3. Log in to the CLI as the Monitor user and you will be able to remove messages from a queue.

      [shsingh@shsingh bin]$ ./jboss-cli.sh -c -u=adminM -p=admin@123
      [standalone@localhost:9990 /] /subsystem=messaging-activemq/server=default/jms-queue=DLQ:remove-messages()
      {
          "outcome" => "success",
          "result" => 14
      }
      

    Description

      ReadOnly user able to perform runtimeOnly operations on JMS queues through CLI

      Like:-
      'Monitor' roles have permissions to remove messages from the queue.

      [standalone@localhost:9990 /] /subsystem=messaging-activemq/server=default/jms-queue=DLQ:remove-messages()
      {
          "outcome" => "success",
          "result" => 14
      }
      [standalone@localhost:9990 /] 
      
      

      Also drop-all-subscriptions on a topic.

      [standalone@localhost:9990 /] /subsystem=messaging-activemq/server=default/jms-topic=testTopic:drop-all-subscriptions()
      {
          "outcome" => "success",
          "result" => undefined
      }
      [standalone@localhost:9990 /] 
      
      

      So even a read-only role ('Monitor') has access to :remove-messages. To show RBAC is enforced for other CLI operations:

      [standalone@localhost:9990 /] /subsystem=messaging-activemq/server=default/jms-queue=DLQ:remove()         
      {
          "outcome" => "failed",
          "failure-description" => "WFLYCTL0313: Unauthorized to execute operation 'remove' for resource '[
          (\"subsystem\" => \"messaging-activemq\"),
          (\"server\" => \"default\"),
          (\"jms-queue\" => \"DLQ\")
      ]' -- \"WFLYCTL0332: Permission denied\"",
          "rolled-back" => true
      }
      [standalone@localhost:9990 /] 
      
      

      Expectation:-

      The permissions between the monitoring console (GUI) and the CLI should be in sync for flushing a JMS queue.
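The mismatch reported above is a regression a defender can check for directly: run each state-changing runtime operation on the messaging subsystem as the read-only user, then parse the CLI's DMR-style output and flag any of them that came back with "outcome" => "success". The following is an added example, not code from the WildFly project or from this report; the sample outputs it contains are constructed from the outputs quoted above, and the run_operation helper assumes jboss-cli.sh is on PATH and uses the -c/-u/-p flags from the report together with the CLI's --command= option.

```python
"""Added example (not WildFly's or the reporter's code): audit whether a
management role is allowed to run mutating runtime operations, by parsing
the DMR-style output that jboss-cli prints for each operation."""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Runtime-only operations on messaging-activemq resources that change broker
# state.  A read-only role (Monitor) should be refused all of them, just as
# the report shows it is refused ':remove'.
MUTATING_OPS = {"remove-messages", "drop-all-subscriptions", "remove"}

QUEUE = "/subsystem=messaging-activemq/server=default/jms-queue=DLQ"
TOPIC = "/subsystem=messaging-activemq/server=default/jms-topic=testTopic"

# Constructed sample outputs for the Monitor user, modelled on the outputs
# quoted in the issue.  A live audit replaces these with run_operation().
SAMPLE_MONITOR_OUTPUTS: Dict[Tuple[str, str], str] = {
    (QUEUE, "read-resource"):
        '{\n    "outcome" => "success",\n    "result" => {"durable" => true}\n}',
    (QUEUE, "remove-messages"):
        '{\n    "outcome" => "success",\n    "result" => 14\n}',
    (TOPIC, "drop-all-subscriptions"):
        '{\n    "outcome" => "success",\n    "result" => undefined\n}',
    (QUEUE, "remove"): r'''{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0313: Unauthorized to execute operation 'remove' for resource '[(\"jms-queue\" => \"DLQ\")]' -- \"WFLYCTL0332: Permission denied\"",
    "rolled-back" => true
}''',
}


def parse_cli_result(text: str) -> Dict[str, Optional[str]]:
    """Pull the flat fields an audit needs out of jboss-cli's DMR-style output.

    Only outcome, the first line of result, and the first WFLYCTL code are
    extracted; nested resource addresses inside failure-description are left
    as raw text, which is all the audit needs."""
    outcome = re.search(r'"outcome"\s*=>\s*"([a-z]+)"', text)
    result = re.search(r'"result"\s*=>\s*(.+)', text)
    codes = re.findall(r"WFLYCTL\d{4}", text)
    return {
        "outcome": outcome.group(1) if outcome else None,
        "result": result.group(1).strip().rstrip(",") if result else None,
        "failure_code": codes[0] if codes else None,  # first code is the denial
    }


def audit_role(outputs: Dict[Tuple[str, str], str],
               mutating_ops=MUTATING_OPS) -> List[str]:
    """Return 'address:op' for every mutating operation the role was allowed
    to run.  An empty list means RBAC held for this role; anything else is
    exactly the inconsistency this issue reports."""
    violations = []
    for (address, op), raw in outputs.items():
        if op in mutating_ops and parse_cli_result(raw)["outcome"] == "success":
            violations.append(f"{address}:{op}")
    return sorted(violations)


def run_operation(address: str, op: str, user: str, password: str,
                  cli: str = "jboss-cli.sh") -> str:
    """Run one operation non-interactively through the real CLI.

    Assumes jboss-cli.sh is on PATH; -c/-u/-p are the flags used in the
    report and --command= is the CLI's own non-interactive option.  Not
    exercised by the constructed sample above."""
    cmd = [cli, "-c", f"-u={user}", f"-p={password}", f"--command={address}:{op}()"]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    found = audit_role(SAMPLE_MONITOR_OUTPUTS)
    for violation in found:
        print("Monitor role was allowed mutating operation:", violation)
    print("RBAC held" if not found else f"{len(found)} violation(s)")
```

Against the constructed sample this reports the two operations the issue names (remove-messages on the queue and drop-all-subscriptions on the topic) and nothing for read-resource or the denied remove. For a live run, prefer letting the CLI prompt for the password over passing -p on the command line, where it is visible in the process list.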

            People

              rhn-support-shsingh Shailendra Singh