ActiveMQ / AMQ-4567

JMX operations on broker bypass authorization plugin

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.8.0
    • Fix Version/s: 5.9.0
    • Component/s: Broker
    • Labels:

      Description

      When securing the broker using authentication and authorization, any JMX operations on the broker completely bypass the authorization plugin.
      So anyone can modify the broker, bypassing the security checks. Also, because of this it's not possible to define a read-only user for the web console.

        Activity

        Christian Posta added a comment -

        I suppose the original idea was for read/write access to JMX to be an admin-privileged function... Should we enhance that to enforce authn/authz at the JMX level with the thought users might be using JMX?

        Torsten Mielke added a comment -

        Hi Christian,

        Yes, I think we should enhance it.
        Using the authorization plugin we can fine tune what operations a user is allowed to invoke. There are admin rights to be given to users for creating/destroying destinations.

        If JMX access to the broker was only done by JMX tools like jconsole, this bug would be less relevant. But the AMQ web console uses JMX for creating/deleting destinations and IIRC subscriptions as well. Right now it's impossible to secure the web console in a way that certain users cannot invoke these administrative functions but have read access in general to the console.

        Ramzy Jelassi added a comment -

        Well, enhancing the web console should be done too, I think. Actually, it will be great to have a reliable authorization context to allow users, once authenticated, to access only AMQ objects already assigned to them in the container.

        Regards

        Dejan Bosanac added a comment -

        With svn revision 1498875 I implemented a read-only setup for the web console. You can log in with user/user and then you'll be able to look at all the pages, but you'll be forbidden to make any actions. A similar setup can be made in a Karaf environment as well.

        I think this is what most people want. After a bit of research it looks like crossing various security realms is a pretty hard problem to overcome. For example, going from web to JMX to broker. For JMX we can get the principal, but only if JMX is secured, and that doesn't solve the web console problem as we only use a single principal to connect to the broker no matter who is using it. And in embedded mode we just go and use the API directly.

        I think we need to keep JMX access administration only and secured. But we can allow people read-only access to the web console and that should cover most use cases.

        Claus Ibsen added a comment -

        Dejan, is there more work on this? Seems like your solution is securing the JMX operations in an acceptable way.

        Dejan Bosanac added a comment -

        Yes, I think it's the most we can do at this moment. There are two roles for the web console and we should always assume JMX access is the admin access to the broker.
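
The mechanism discussed in this thread, as an added Python sketch that is not ActiveMQ code and not part of the original issue: an authorization plugin on the client path is never consulted by a management operation, and because the web console reaches the broker through one shared connection, the per-user decision has to be made in the web tier. All class names and the `admin` role name are hypothetical.

```python
# Simplified model with hypothetical names (not ActiveMQ code): authorization on
# the client path is not applied on the management path, so the web tier gates by role.

class Broker:
    def __init__(self):
        self.destinations = set()
    def add_destination(self, name):
        self.destinations.add(name)

class AuthorizationPlugin:
    """Wraps the broker on the client (messaging) path only."""
    def __init__(self, broker, admins):
        self.broker, self.admins = broker, admins
    def add_destination(self, user, name):
        if user not in self.admins:
            raise PermissionError(f"{user} may not create {name}")
        self.broker.add_destination(name)

class ManagementBean:
    """Stand-in for a JMX operation: calls the broker directly, with no caller identity."""
    def __init__(self, broker):
        self.broker = broker
    def add_queue(self, name):
        self.broker.add_destination(name)

class WebConsole:
    """Uses one management connection for every web user, so the only place
    a per-user decision can be made is in the console itself."""
    READ_ROLES, WRITE_ROLES = {"user", "admin"}, {"admin"}
    def __init__(self, mbean):
        self.mbean = mbean
    def view_queues(self, role):
        if role not in self.READ_ROLES:
            raise PermissionError("login required")
        return sorted(self.mbean.broker.destinations)
    def create_queue(self, role, name):
        if role not in self.WRITE_ROLES:
            raise PermissionError(f"role {role!r} is read-only")
        self.mbean.add_queue(name)

def is_forbidden(call, *args):
    """Return True when the call is rejected with PermissionError."""
    try:
        call(*args)
    except PermissionError:
        return True
    return False
```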


          People

          • Assignee: Dejan Bosanac
          • Reporter: Torsten Mielke
          • Votes: 0
          • Watchers: 5
