Barry Oglesby created GEODE-1797:
------------------------------------
Summary: No gfsh commands are available to readonly members
Key: GEODE-1797
URL: https://issues.apache.org/jira/browse/GEODE-1797
Project: Geode
Issue Type: Bug
Components: gfsh, security
Reporter: Barry Oglesby
All the list, fetch, view, show and queryData commands should be available to a
read-only user.
The {{ReadOpFileAccessController}} controls access to these operations using:
{noformat}
invoke(ObjectName name, String operationName, Object params[], String
signature[])
{noformat}
That method compares the input operationName to a regular expression of allowed
read-only operations, but it always fails because the input operationName is
'processCommand' instead of 'list members' (for example). The first argument to
the params is the real operation.
I tried a quick hack that used params\[0\] instead of operationName, and it
worked ok.
Test configuration:
{noformat}
gemfire-jmx-access.properties
gemfireuser readonly
gemfireadmin readwrite
gemfire-jmx-users.properties:
gemfireuser gemfireuser
gemfireadmin gemfireadmin
{noformat}
With gemfireuser:
{noformat}
gfsh>connect --locator=localhost[23456] --user=gemfireuser
--password=gemfireuser
Connecting to Locator at [host=localhost, port=23456] ..
Connecting to Manager at [host=boglesbymac-2, port=1099] ..
Successfully connected to: [host=boglesbymac-2, port=1099]
gfsh>list members
Exception occurred. Access denied! Invalid access level for requested
MBeanServer operation.
{noformat}
With gemfireadmin:
{noformat}
gfsh>connect --locator=localhost[23456] --user=gemfireadmin
--password=gemfireadmin
Connecting to Locator at [host=localhost, port=23456] ..
Connecting to Manager at [host=boglesbymac-2, port=1099] ..
Successfully connected to: [host=boglesbymac-2, port=1099]
gfsh>list members
Name | Id
------- | -------------------------------------------------
locator | boglesbymac-2(locator:52076:locator)<ec><v0>:1024
{noformat}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
