Bug 1023100 - End users can call non-published management API operations
Status: NEW
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Domain Management, JMX
Version: 6.2.0
Priority: unspecified
Severity: low
Target Release: EAP 6.4.0
Assigned To: Brian Stansberry
QA Contact: Ladislav Thon
Reported: 2013-10-24 11:33 EDT by Ladislav Thon
Modified: 2017-10-09 20:25 EDT
Doc Type: Bug Fix
Type: Bug
External Trackers:
JBoss Issue Tracker WFLY-2379 (Priority: Major, Status: Open, Summary: End users can call non-published management API operations, Last Updated: 2016-11-27 23:30 EST)

Description Ladislav Thon 2013-10-24 11:33:59 EDT
Description of problem:

It's not possible to call "non-published" operations (those that are not visible in the resource tree, e.g. "describe") via JMX, while it's entirely possible to call them via CLI (e.g. "/subsystem=security:describe") and other management interfaces.

The problem lies in the fact that the "ModelControllerMBeanHelper.invoke" method checks "if (!accessControl.isExecutableOperation(operationName))" and the "isExecutableOperation" method assumes that the operation will be visible in the resource tree. In fact, there is a comment stating "should not happen", but now we know that it indeed _can_ happen.

What's more, it gives a misleading error message. The "isExecutableOperation" returns "false" for unknown operations, which results in "Not authorized to invoke operation" message. Which is wrong in two different ways simultaneously: 1. the problem isn't authorization, but the fact that the operation can't be found; 2. the user (e.g. in the SuperUser role) is authorized.

I'm considering this low priority, because 1. JMX is likely to be very rarely used to access the management interface, 2. hiding information isn't nearly as important as leaking it, 3. non-published operations aren't nearly as important as the published ones.

Version-Release number of selected component (if applicable):

6.2.0.ER6

How reproducible:

Always

Steps to Reproduce:
1. Start EAP in standalone mode
2. Try to invoke the equivalent of "/subsystem=security:describe" via JMX programmatically against the running EAP

Actual results:

JBAS011363: Not authorized to invoke operation: 'describe'

Expected results:

The equivalent of the result in CLI.
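
The conflation described in the report above, shown as an added example that is not part of the original bug report and is not JBoss EAP or WildFly source: a small Java model in which a boolean check hides the difference between "operation not found" and "caller not authorized", next to a three-valued check that keeps them apart. The class, the role table, and the two-argument signature given to isExecutableOperation here are hypothetical and simplified.

```java
import java.util.Map;
import java.util.Set;

// Added illustration; all names are hypothetical, not JBoss EAP / WildFly source.
public class OperationCheckDemo {
    enum Outcome { ALLOWED, NOT_AUTHORIZED, NOT_FOUND }

    // Constructed sample data: operations published in the resource tree,
    // mapped to the roles allowed to execute them.
    static final Map<String, Set<String>> PUBLISHED = Map.of(
            "read-resource", Set.of("Monitor", "SuperUser"),
            "add", Set.of("SuperUser"));

    // Pattern described in the report: an unknown operation yields false,
    // so the caller cannot tell "missing" from "denied".
    static boolean isExecutableOperation(String op, String role) {
        Set<String> roles = PUBLISHED.get(op);
        return roles != null && roles.contains(role);
    }

    // Caller that maps every false result to an authorization error.
    static String invokeConflated(String op, String role) {
        if (!isExecutableOperation(op, role)) {
            return "Not authorized to invoke operation: '" + op + "'";
        }
        return "ok";
    }

    // Alternative: resolve the operation first, then evaluate authorization.
    static Outcome check(String op, String role) {
        Set<String> roles = PUBLISHED.get(op);
        if (roles == null) {
            return Outcome.NOT_FOUND;
        }
        return roles.contains(role) ? Outcome.ALLOWED : Outcome.NOT_AUTHORIZED;
    }

    public static void main(String[] args) {
        // "describe" is not in the published set; SuperUser is allowed everything listed.
        System.out.println(invokeConflated("describe", "SuperUser"));
        System.out.println(check("describe", "SuperUser"));
        System.out.println(check("add", "Monitor"));
        System.out.println(check("add", "SuperUser"));
    }
}
```

Keeping the two outcomes distinct also keeps access-denied entries in management audit logs from being mixed with plain lookup failures.
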
Comment 1 JBoss JIRA Server 2013-10-24 11:38:12 EDT
Ladislav Thon <lthon@redhat.com> made a comment on jira WFLY-2379

I'm not asking to publicize it. In fact, I would be entirely satisfied if the non-published operations were only accessible via the native protocol and other management interfaces gave a "not found" response. We can reformulate this issue to say "give me a proper error message, please".
Comment 2 JBoss JIRA Server 2013-10-24 12:04:30 EDT
Ladislav Thon <lthon@redhat.com> made a comment on jira WFLY-2379

(To make myself entirely clear: what I'm asking for is consistency. I can't see a reason why it's possible to invoke ":describe" via the HTTP interface, but not via JMX. Either both should succeed, or both should fail with a _not found_ message.)
Comment 3 Brian Stansberry 2013-10-24 12:16:38 EDT
I changed the title. We won't be exposing these over the other interfaces. This isn't really related to RBAC.
