[ 
https://issues.apache.org/jira/browse/AMQ-4567?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13673192#comment-13673192
 ] 

Torsten Mielke commented on AMQ-4567:
-------------------------------------

Hi Christian,

Yes, I think we should enhance it. 
Using the authorization plugin we can fine tune what operations a user is 
allowed to invoke. There are admin rights to be given to users for 
creating/destroying destinations.

If JMX access to the broker was only done by JMX tools like jconsole, this bug 
would be less relevant. But the AMQ web console uses JMX for creating/deleting 
destinations and IIRC subscriptions as well. Right now it's impossible to secure 
the web console in a way that certain users cannot invoke these administrative 
functions but have read access in general to the console.

>  JMX operations on broker bypass authorization plugin
> -----------------------------------------------------
>
>                 Key: AMQ-4567
>                 URL: https://issues.apache.org/jira/browse/AMQ-4567
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.8.0
>            Reporter: Torsten Mielke
>              Labels: authorization
>
> When securing the broker using authentication and authorization, any JMX 
> operations on the broker completely bypass the authorization plugin.
> So anyone can modify the broker bypassing the security checks. Also, because 
> of this it's not possible to define a read only user for the web console.
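To make the distinction concrete, here is an added example (not from the issue or from the ActiveMQ project's own configuration) of the authorization plugin setup the comment refers to; the user names, passwords and group names are assumed. The `admin` attribute on each entry governs who may create or destroy destinations over JMS, while, as the issue describes, the same operations invoked through JMX (and therefore through the web console) are not checked against this map.

```xml
<!-- conf/activemq.xml fragment (added example; user/group names are assumed) -->
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
  <plugins>
    <!-- Authentication: who the caller is -->
    <simpleAuthenticationPlugin>
      <users>
        <!-- "admin" is in both groups and may create/destroy destinations -->
        <authenticationUser username="admin" password="admin-secret" groups="admins,users"/>
        <!-- "monitor" may only read from and write to destinations -->
        <authenticationUser username="monitor" password="monitor-secret" groups="users"/>
      </users>
    </simpleAuthenticationPlugin>

    <!-- Authorization: what each group may do, enforced on JMS operations only -->
    <authorizationPlugin>
      <map>
        <authorizationMap>
          <authorizationEntries>
            <!-- admin="admins": only the admins group may create/destroy queues -->
            <authorizationEntry queue=">" read="users" write="users" admin="admins"/>
            <!-- same split for topics -->
            <authorizationEntry topic=">" read="users" write="users" admin="admins"/>
            <!-- advisory topics are auto-created, so every consumer needs admin here -->
            <authorizationEntry topic="ActiveMQ.Advisory.>" read="users" write="users" admin="users"/>
          </authorizationEntries>
        </authorizationMap>
      </map>
    </authorizationPlugin>
  </plugins>
</broker>
```

With this configuration a JMS client authenticated as `monitor` is refused when it tries to create a queue, but the same user driving the web console (which creates and deletes destinations via JMX, per the comment above) is not subject to these entries.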

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
