  1. Karaf
  2. KARAF-4600

RBAC - MBean fails to resolve ACL if the order of properties in object name differs


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Won't Fix
    • 4.0.5
    • None
    • karaf
    • None

    Description

      An MBean:

      org.apache.activemq:type=Broker,brokerName=amq-broker,destinationType=Queue,destinationName=TEST
      

      has an ACL file with the following configuration:
      etc/jmx.acl.org.apache.activemq.Broker._.Queue.cfg

      browse* = viewer
      

      While JMXSecurityMBean#canInvoke(String, String) returns true for the viewer role on this object name:

      org.apache.activemq:type=Broker,brokerName=amq-broker,destinationType=Queue,destinationName=TEST
      

      and operation "browse", it returns false on the canonical form of the same object name and operation, i.e.:

      org.apache.activemq:brokerName=amq-broker,destinationName=TEST,destinationType=Queue,type=Broker
      

      and RBAC doesn't work correctly.

      The root cause is that the resolution of ACL configuration is affected by the order of properties in an object name. In the original form of the object name, ACL resolves as:

      org.apache.activemq.Broker.amq-broker.Queue.TEST
      

      whereas in the canonical form it resolves as:

      org.apache.activemq.Broker.amq-broker.TEST.Queue
      

      and thus cannot find the correct ACL file (note the "type" property precedes others due to KARAF-3020).
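The mismatch described above can be reproduced with a small model, added here as an example; it is not Karaf's code. The function names are hypothetical. The model assumes that an ACL PID matches as a segment prefix, that `_` stands for any single segment, and that only the one ACL file from this report exists.

```python
from fnmatch import fnmatchcase

# Values taken from the issue description above.
ORIGINAL = ("org.apache.activemq:type=Broker,brokerName=amq-broker,"
            "destinationType=Queue,destinationName=TEST")
ACL_FILE = "etc/jmx.acl.org.apache.activemq.Broker._.Queue.cfg"
ACL_RULES = {"browse*": {"viewer"}}  # browse* = viewer


def parse(name):
    """Split 'domain:k=v,...' into (domain, [(key, value), ...]), keeping order."""
    domain, _, props = name.partition(":")
    return domain, [tuple(p.split("=", 1)) for p in props.split(",")]


def canonical(name):
    """Canonical object name: properties sorted lexically by key."""
    domain, pairs = parse(name)
    return domain + ":" + ",".join(f"{k}={v}" for k, v in sorted(pairs))


def pid_segments(name):
    """Domain, then the 'type' value, then remaining values in the given order."""
    domain, pairs = parse(name)
    values = [v for k, v in pairs if k == "type"]
    values += [v for k, v in pairs if k != "type"]
    return domain.split(".") + values


def acl_applies(acl_file, name):
    """Assumed matching: ACL PID is a segment prefix; '_' matches any one segment."""
    pid = acl_file.rsplit("/", 1)[-1][len("jmx.acl."):-len(".cfg")]
    pattern, segs = pid.split("."), pid_segments(name)
    return len(pattern) <= len(segs) and all(
        p in ("_", s) for p, s in zip(pattern, segs))


def can_invoke(name, operation, role):
    """True if the only modelled ACL applies and grants `role` the operation."""
    if not acl_applies(ACL_FILE, name):
        return False
    return any(fnmatchcase(operation, pat) and role in roles
               for pat, roles in ACL_RULES.items())


if __name__ == "__main__":
    for form in (ORIGINAL, canonical(ORIGINAL)):
        print(".".join(pid_segments(form)), can_invoke(form, "browse", "viewer"))
```

Running both forms of an object name through a check like this shows whether an ACL file name depends on the order in which a client supplies the properties.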


            People

              ffang Freeman Yue Fang
              tadayosi Tadayoshi Sato