Bug 1230394 - [GSS](6.4.z) ManagementPermissionAuthorizer is limited to the standard roles for its authorizeJmxOperation impl
Summary: [GSS](6.4.z) ManagementPermissionAuthorizer is limited to the standard roles ...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Domain Management
Version: 6.4.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: CR1
Target Release: EAP 6.4.2
Assignee: dhorton
QA Contact: Martin Simka
URL:
Whiteboard:
Depends On:
Blocks: 1219165
Reported: 2015-06-10 19:32 UTC by Derek Horton
Modified: 2019-07-11 09:21 UTC
CC List: 7 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2017-01-17 10:13:15 UTC
Type: Bug
Embargoed:


Attachments
ee6-singleton-mbean.jar (3.13 KB, application/zip), 2015-06-10 19:52 UTC, Derek Horton


Links
System                  ID          Private  Priority  Status    Summary                                                                                   Last Updated
Red Hat Issue Tracker   WFCORE-639  0        Major     Resolved  ManagementPermissionAuthorizer is limited to the standard roles for its authorizeJmxOperation impl  2017-11-09 13:22:52 UTC

Description Derek Horton 2015-06-10 19:32:30 UTC
Description of problem:

ManagementPermissionAuthorizer.authorizeJmxOperation uses hard-coded decision-making based on the standard 7 roles. This is inflexible and specifically doesn't allow scoped roles to function properly.

Steps to Reproduce:
1.  Create a server-group-scoped-role and assign a user ("testuser") to that role:

    <management>
        <access-control provider="rbac">
            <server-group-scoped-roles>
                <role name="test_main_server_grp" base-role="SuperUser">
                    <server-group name="main-server-group"/>
                </role>
            </server-group-scoped-roles>
            <role-mapping>
                <role name="SuperUser">
                    <include>
                        <user name="$local"/>
                        <user alias="jconsole" realm="ApplicationRealm" name="jconsole"/>
                    </include>
                </role>
                <role name="test_main_server_grp">
                    <include>
                        <user alias="testuser" realm="ApplicationRealm" name="testuser"/>
                    </include>
                </role>
            </role-mapping>
        </access-control>
    </management>

2.  Deploy an mbean

3.  Use bin/jconsole.sh to connect as the "testuser" 

4.  Try to modify the mbean.  "testuser" should have access to modify the mbean.

Comment 2 Derek Horton 2015-06-10 19:52:48 UTC
Created attachment 1037416
ee6-singleton-mbean.jar

Comment 3 Derek Horton 2015-06-10 19:53:56 UTC
More reproducer notes:

- deploy the attached ee6-singleton-mbean.jar

- try to modify attribute of "com.jboss.examples.ee6.ejb:type=EE6ExampleSingleton"
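
The reproducer above drives the check through jconsole. Below is an added example (not code from the bug report, the attachment, or EAP itself) that does the same check programmatically: it connects to the management JMX endpoint as "testuser" through the remoting-jmx protocol, reads one attribute of the reproducer MBean, then attempts to write it, so the result of the authorizer's decision is visible on the command line rather than in a GUI. Everything not stated on the page is an assumption: the host (localhost), the native management port (9999, the port bin/jconsole.sh uses by default; adjust to the endpoint of the server that hosts the MBean), testuser's password, the attribute name "Value" on the singleton, and the exception type a denial surfaces as (caught as either SecurityException or JMRuntimeException so that both are reported). jboss-client.jar from the EAP bin/client directory must be on the classpath for the "remoting-jmx" URL scheme to resolve.

```java
// Added example, not part of the bug report or of EAP: a small JMX client that
// checks whether a user mapped to a server-group-scoped role (base-role=SuperUser)
// is allowed to write an attribute on the reproducer MBean.
//
// Assumptions (none of these come from the bug page):
//   - host "localhost", native management port 9999 (same default as bin/jconsole.sh)
//   - testuser's ApplicationRealm password is passed as the third argument
//   - the singleton exposes a writable String attribute named "Value"
//   - a denial surfaces as SecurityException or JMRuntimeException
// Classpath: $JBOSS_HOME/bin/client/jboss-client.jar (provides the remoting-jmx protocol).
import java.util.HashMap;
import java.util.Map;
import javax.management.Attribute;
import javax.management.JMRuntimeException;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

public class ScopedRoleJmxCheck {

    // ObjectName taken from the reproducer notes in Comment 3.
    static final String MBEAN = "com.jboss.examples.ee6.ejb:type=EE6ExampleSingleton";

    // Usage: java -cp jboss-client.jar:. ScopedRoleJmxCheck [host] [user] [password] [attribute]
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";   // assumed
        String user = args.length > 1 ? args[1] : "testuser";
        String pass = args.length > 2 ? args[2] : "testpass";    // assumed
        String attr = args.length > 3 ? args[3] : "Value";       // assumed attribute name

        // remoting-jmx over the native management interface; RBAC applies here
        // because the jmx subsystem routes this connector through the management endpoint.
        JMXServiceURL url = new JMXServiceURL("service:jmx:remoting-jmx://" + host + ":9999");
        Map<String, Object> env = new HashMap<String, Object>();
        env.put(JMXConnector.CREDENTIALS, new String[] { user, pass });

        JMXConnector jmxc = JMXConnectorFactory.connect(url, env);
        try {
            MBeanServerConnection conn = jmxc.getMBeanServerConnection();
            ObjectName name = new ObjectName(MBEAN);

            // A read is the low bar: any mapped role should get this far.
            Object before = conn.getAttribute(name, attr);
            System.out.println("read  OK: " + attr + " = " + before);

            // The write is what the bug is about: a SuperUser-based scoped role
            // should be permitted, but a role check keyed only on the seven
            // standard role names never matches "test_main_server_grp".
            try {
                conn.setAttribute(name, new Attribute(attr, "changed-by-" + user));
                System.out.println("write OK: authorizer honoured the scoped role");
            } catch (SecurityException e) {
                System.out.println("write DENIED (SecurityException): " + e.getMessage());
            } catch (JMRuntimeException e) {
                System.out.println("write DENIED (JMRuntimeException): " + e.getMessage());
            }
        } finally {
            jmxc.close();
        }
    }
}
```

Run it once as testuser and once as the jconsole user mapped directly to SuperUser; on a build affected by this bug the direct SuperUser write succeeds while the scoped-role write is denied, which isolates the authorizer's role check from any problem with the MBean or the realm configuration.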

Comment 5 Petr Penicka 2017-01-17 10:13:15 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.

