activemq-dev mailing list archives

From "Torsten Mielke (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMQ-4567) JMX operations on broker bypass authorization plugin
Date Mon, 03 Jun 2013 15:07:20 GMT

    [ https://issues.apache.org/jira/browse/AMQ-4567?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13673192#comment-13673192 ]

Torsten Mielke commented on AMQ-4567:
-------------------------------------

Hi Christian,

Yes, I think we should enhance it. 
Using the authorization plugin we can fine tune what operations a user is allowed to invoke.
There are admin rights to be given to users for creating/destroying destinations.

If JMX access to the broker was only done by JMX tools like jconsole, this bug would be less
relevant. But the AMQ web console uses JMX for creating/deleting destinations and IIRC subscriptions
as well. Right now it's impossible to secure the web console in a way that certain users cannot
invoke these administrative functions but have read access in general to the console.


                
>  JMX operations on broker bypass authorization plugin
> -----------------------------------------------------
>
>                 Key: AMQ-4567
>                 URL: https://issues.apache.org/jira/browse/AMQ-4567
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.8.0
>            Reporter: Torsten Mielke
>              Labels: authorization
>
> When securing the broker using authentication and authorization, any JMX operations on the broker completely bypass the authorization plugin.
> So anyone can modify the broker bypassing the security checks. Also, because of this it's not possible to define a read only user for the web console.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
