Barry Oglesby created GEODE-1797:
------------------------------------

             Summary: No gfsh commands are available to readonly members
                 Key: GEODE-1797
                 URL: https://issues.apache.org/jira/browse/GEODE-1797
             Project: Geode
          Issue Type: Bug
          Components: gfsh, security
            Reporter: Barry Oglesby

All the list, fetch, view, show and queryData commands should be available to a read-only user.

The {{ReadOpFileAccessController}} controls access to these operations using:
{noformat}
invoke(ObjectName name, String operationName, Object params[], String signature[])
{noformat}
That method compares the input operationName to a regular expression of allowed read-only operations, but it always fails because the input operationName is 'processCommand' instead of 'list members' (for example). The first argument to the params is the real operation.

I tried a quick hack that used params\[0\] instead of operationName, and it worked ok.

Test configuration:
{noformat}
gemfire-jmx-access.properties
gemfireuser readonly
gemfireadmin readwrite

gemfire-jmx-users.properties:
gemfireuser gemfireuser
gemfireadmin gemfireadmin
{noformat}
With gemfireuser:
{noformat}
gfsh>connect --locator=localhost[23456] --user=gemfireuser --password=gemfireuser
Connecting to Locator at [host=localhost, port=23456] ..
Connecting to Manager at [host=boglesbymac-2, port=1099] ..
Successfully connected to: [host=boglesbymac-2, port=1099]

gfsh>list members
Exception occurred. Access denied! Invalid access level for requested MBeanServer operation.
{noformat}
With gemfireadmin:
{noformat}
gfsh>connect --locator=localhost[23456] --user=gemfireadmin --password=gemfireadmin
Connecting to Locator at [host=localhost, port=23456] ..
Connecting to Manager at [host=boglesbymac-2, port=1099] ..
Successfully connected to: [host=boglesbymac-2, port=1099]

gfsh>list members
Name    | Id
------- | -------------------------------------------------
locator | boglesbymac-2(locator:52076:locator)<ec><v0>:1024
{noformat}
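
A minimal Java model of the check described in this report, added here as an illustration and not taken from Geode's {{ReadOpFileAccessController}}: the class name, method names and allow-list expression are assumptions. It contrasts matching on operationName with matching on params[0] when the operation is 'processCommand', and denies by default when the command argument is missing or does not start with a read-only verb.

```java
import java.util.regex.Pattern;

public class ReadOnlyCommandCheck {
    // Constructed allow-list (hypothetical, not Geode's real expression).
    // Anchored at the start so a write command that merely contains
    // "list" in an argument cannot match.
    private static final Pattern READ_ONLY =
        Pattern.compile("^(list|fetch|view|show|queryData)(\\s.*)?$");

    // Behaviour described in the report: only operationName is compared,
    // so every gfsh command is seen as "processCommand" and rejected.
    static boolean allowedByOperationName(String operationName, Object[] params) {
        return operationName != null && READ_ONLY.matcher(operationName).matches();
    }

    // Check the effective operation: for processCommand the real command
    // is the first parameter. Anything unexpected is denied.
    static boolean allowedByEffectiveOperation(String operationName, Object[] params) {
        String effective = operationName;
        if ("processCommand".equals(operationName)) {
            if (params == null || params.length == 0 || !(params[0] instanceof String)) {
                return false; // no command string to inspect: deny by default
            }
            effective = ((String) params[0]).trim();
        }
        return effective != null && READ_ONLY.matcher(effective).matches();
    }

    public static void main(String[] args) {
        // Constructed sample invocations for a read-only user.
        Object[][] samples = {
            {"processCommand", new Object[] {"list members"}},
            {"processCommand", new Object[] {"destroy region --name=list"}},
            {"processCommand", new Object[0]},
            {"processCommand", null},
        };
        for (Object[] s : samples) {
            String op = (String) s[0];
            Object[] params = (Object[]) s[1];
            String cmd = (params != null && params.length > 0) ? String.valueOf(params[0]) : "<none>";
            System.out.printf("%-28s byName=%-5b byEffective=%b%n", cmd,
                allowedByOperationName(op, params),
                allowedByEffectiveOperation(op, params));
        }
    }
}
```

With these samples only 'list members' passes the effective-operation check, while the operationName-only check rejects every row, which is the behaviour the gemfireuser session above shows.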