karaf-issues mailing list archives

From "Tadayoshi Sato (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (KARAF-4600) RBAC - MBean fails to resolve ACL if the order of properties in object name differs
Date Fri, 01 Jul 2016 05:26:11 GMT

     [ https://issues.apache.org/jira/browse/KARAF-4600?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tadayoshi Sato closed KARAF-4600.
       Resolution: Won't Fix
    Fix Version/s:     (was: 2.4.5)
                       (was: 3.0.8)
                       (was: 4.0.6)
                       (was: 4.1.0)

Having discussed with [~ffang], it turns out that currently the order of properties in an
object name is essential for Karaf RBAC, e.g. Karaf has {{etc/jmx.acl.osgi.compendium.cm.cfg}}
where its canonical object name resolves differently. So it's the Karaf users' responsibility
to keep the object names in original form as much as possible.

With regard to the original ActiveMQ issue, I found another way to eschew the issue, so I'm
closing it for now. Thanks anyway for your attention, Freeman and Jean!

> RBAC - MBean fails to resolve ACL if the order of properties in object name differs
> -----------------------------------------------------------------------------------
>                 Key: KARAF-4600
>                 URL: https://issues.apache.org/jira/browse/KARAF-4600
>             Project: Karaf
>          Issue Type: Bug
>          Components: karaf-security
>    Affects Versions: 4.0.5
>            Reporter: Tadayoshi Sato
>            Assignee: Freeman Fang
> An MBean:
> {code}
> org.apache.activemq:type=Broker,brokerName=amq-broker,destinationType=Queue,destinationName=TEST
> {code}
> has an ACL file with the following configuration:
> {{etc/jmx.acl.org.apache.activemq.Broker._.Queue.cfg}}
> {code}
> browse* = viewer
> {code}
> While {{JMXSecurityMBean#canInvoke(String, String)}} returns {{true}} for the viewer role on this object name:
> {code}
> org.apache.activemq:type=Broker,brokerName=amq-broker,destinationType=Queue,destinationName=TEST
> {code}
> and operation {{"browse"}}, it returns {{false}} on the canonical form of the same object name and operation, i.e.:
> {code}
> org.apache.activemq:brokerName=amq-broker,destinationName=TEST,destinationType=Queue,type=Broker
> {code}
> and RBAC doesn't work correctly.
> The root cause is that the resolution of ACL configuration is affected by the order of properties in an object name. In the original form of the object name, ACL resolves as:
> {code}
> org.apache.activemq.Broker.amq-broker.Queue.TEST
> {code}
> whereas in the canonical form it resolves as:
> {code}
> org.apache.activemq.Broker.amq-broker.TEST.Queue
> {code}
> and thus cannot find the correct ACL file (note the {{"type"}} property precedes others due to KARAF-3020).

This message was sent by Atlassian JIRA
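
An added illustration, not Karaf's code and not part of the original message: a simplified model of the order-dependent resolution described in the issue, using the JDK's `ObjectName` to produce both orderings and flag names whose ACL lookup would differ. The class and method names, the segment-building rule and the prefix match with `_` as a one-segment wildcard are assumptions made for this sketch; property values are assumed to contain no dots, commas or quotes.

```java
import javax.management.ObjectName;
import java.util.ArrayList;
import java.util.List;

public class AclOrderCheck {
    // Model of the resolution described in the issue: property values in the
    // order given, with the "type" value moved to the front (per KARAF-3020).
    static List<String> segments(String keyProps) {
        List<String> segs = new ArrayList<>();
        for (String kv : keyProps.split(",")) {
            String[] p = kv.split("=", 2);
            if (p[0].equals("type")) segs.add(0, p[1]); else segs.add(p[1]);
        }
        return segs;
    }

    // Assumed matching rule: the ACL PID (without "jmx.acl." and ".cfg") must
    // start with the domain, and its remaining segments must be a prefix of
    // the object's segments, where "_" matches any single segment.
    static boolean matches(String domain, List<String> segs, String aclPid) {
        if (!aclPid.startsWith(domain + ".")) return false;
        String[] pat = aclPid.substring(domain.length() + 1).split("\\.");
        if (pat.length > segs.size()) return false;
        for (int i = 0; i < pat.length; i++)
            if (!pat[i].equals("_") && !pat[i].equals(segs.get(i))) return false;
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Object name and ACL PID taken from the issue description.
        ObjectName on = new ObjectName("org.apache.activemq:type=Broker,"
                + "brokerName=amq-broker,destinationType=Queue,destinationName=TEST");
        String aclPid = "org.apache.activemq.Broker._.Queue";

        // Same MBean, two orderings: as written vs. sorted by key (canonical).
        List<String> asWritten = segments(on.getKeyPropertyListString());
        List<String> canonical = segments(on.getCanonicalKeyPropertyListString());

        System.out.println("as written: " + asWritten + " -> ACL match: "
                + matches(on.getDomain(), asWritten, aclPid));
        System.out.println("canonical:  " + canonical + " -> ACL match: "
                + matches(on.getDomain(), canonical, aclPid));
        // An audit over registered MBeans can flag every name for which the
        // two orderings differ, since callers passing the canonical form may
        // be checked against a different ACL file than intended.
        if (!asWritten.equals(canonical))
            System.out.println("order-sensitive ACL resolution for: " + on);
    }
}
```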