karaf-issues mailing list archives

From Jean-Baptiste Onofré (JIRA) <j...@apache.org>
Subject [jira] [Commented] (KARAF-6251) Jolokia bypasses JMX ACL
Date Fri, 10 May 2019 13:58:01 GMT

    [ https://issues.apache.org/jira/browse/KARAF-6251?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16837311#comment-16837311 ]

Jean-Baptiste Onofré commented on KARAF-6251:
---------------------------------------------

Correct, Jolokia directly uses the local MBeanServer. It's the same in the Decanter JMX collector
when you use {{local}} in the configuration. I won't consider it an issue. However, as an
improvement, we can:

1. update the Jolokia default configuration to go through the local server URI (on localhost)
2. use the Karaf realm on Jolokia

> Jolokia bypasses JMX ACL
> ------------------------
>
>                 Key: KARAF-6251
>                 URL: https://issues.apache.org/jira/browse/KARAF-6251
>             Project: Karaf
>          Issue Type: Bug
>          Components: karaf
>    Affects Versions: 4.2.5
>            Reporter: Tadayoshi Sato
>            Assignee: Grzegorz Grzybek
>            Priority: Major
>             Fix For: 4.3.0, 4.2.6
>
>
> For example, after you install {{jolokia}} feature:
> {code}
> karaf@root()> feature:install jolokia
> {code}
> the invocation of {{Memory.gc()}} over Jolokia always succeeds even if the user {{viewer}} doesn't have the right:
> {code}
> $ curl -s -u viewer:viewer http://localhost:8181/jolokia/exec/java.lang:type=Memory/gc\(\)
> {"request":{"mbean":"java.lang:type=Memory","type":"exec","operation":"gc()"},"value":null,"timestamp":1556005468,"status":200}
> {code}
> Note {{jmx.acl.java.lang.Memory.cfg}} only allows {{manager}} (not {{viewer}}) to invoke {{gc()}}:
> {code}
> $ cat etc/jmx.acl.java.lang.Memory.cfg
> ...
> gc = manager
> {code}
> This is actually an old issue, which must have been caused by KARAF-3147, as Jolokia is considered to be a local JMX connection.
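An added check for the behaviour reported above (example code, not part of the issue, Karaf or Jolokia): it parses the simple `operation = role` lines shown in {{jmx.acl.java.lang.Memory.cfg}}, decides whether a role is permitted to invoke an operation, and flags a Jolokia exec response that returned status 200 for a role the ACL does not list. Assumptions: only the plain `name = role[, role]` line format from the issue is modelled (Karaf's signature, wildcard and regex ACL keys are not), and the sample response and config are constructed from the values quoted in the report.

```python
"""Detect a Jolokia exec call that succeeded despite Karaf's JMX ACL.

Constructed example; it is not Karaf or Jolokia code. Only the
`operation = role[, role]` ACL line format from the issue is handled.
"""
import json


def parse_acl(cfg_text):
    """Parse `gc = manager` style lines into {operation: {roles}}."""
    acl = {}
    for line in cfg_text.splitlines():
        line = line.strip()
        # Skip blanks, comments and anything that is not a key = value pair.
        if not line or line.startswith("#") or "=" not in line:
            continue
        op, roles = line.split("=", 1)
        acl[op.strip()] = {r.strip() for r in roles.split(",") if r.strip()}
    return acl


def acl_permits(acl, operation, user_roles):
    """True if one of the user's roles is listed for the operation.

    ACL keys carry no parentheses, so a Jolokia operation such as
    `gc()` is looked up as `gc`. Unlisted operations are denied here
    (assumption: no default/fallback ACL file is consulted).
    """
    name = operation.split("(", 1)[0]
    return bool(acl.get(name, set()) & set(user_roles))


def detect_bypass(acl, user_roles, jolokia_response):
    """Flag a response whose operation ran although the ACL denies it."""
    resp = json.loads(jolokia_response)
    operation = resp["request"]["operation"]
    succeeded = resp.get("status") == 200
    return succeeded and not acl_permits(acl, operation, user_roles)


# Constructed inputs mirroring the values quoted in the issue report.
ACL_CFG = "# etc/jmx.acl.java.lang.Memory.cfg\n...\ngc = manager\n"
VIEWER_RESPONSE = (
    '{"request":{"mbean":"java.lang:type=Memory","type":"exec",'
    '"operation":"gc()"},"value":null,"timestamp":1556005468,"status":200}'
)

if __name__ == "__main__":
    acl = parse_acl(ACL_CFG)
    # viewer must not be able to run gc(); a 200 here means the ACL was skipped.
    print("ACL bypassed for viewer:", detect_bypass(acl, ["viewer"], VIEWER_RESPONSE))
```

To turn this into a live check, feed the body of the {{curl}} call from the report into `detect_bypass` with the roles of the account used.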



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
