[
https://issues.apache.org/jira/browse/KARAF-3147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14580089#comment-14580089
]
Freeman Fang commented on KARAF-3147:
-------------------------------------
Hi,
I just reopened this issue so that we can reconsider this.
Honestly I'm concerned about bypassing the RBAC for "local jmx request".
IMO all jmx requests (local or remote) should have appropriate credentials.
Think about this scenario, one person with Deployer role can deploy a bundleA
into Karaf, if the "local jmx request" can bypass the RBAC check, then
bundleA basically can do everything inside Karaf through the "local jmx
request" as it's the in-JVM process, like shutdown/remove the instance which
Deployer role can't do.
We have the jmx.acl.whitelist.cfg configuration which can let you bypass the
RBAC check by listing the MBean OName and method specifically, this means you
know what you wanna bypass and this way lets your "local jmx request" pass
without credentials. However I don't think bypassing the JMX RBAC check when
using local jmx connection by default is a strictly safe idea.
Freeman
> Local JMX connect is not possible
> ---------------------------------
>
> Key: KARAF-3147
> URL: https://issues.apache.org/jira/browse/KARAF-3147
> Project: Karaf
> Issue Type: Bug
> Components: karaf-core
> Affects Versions: 3.0.1
> Environment: OS X, JDK 7
> Reporter: Achim Nierbeck
> Assignee: Jean-Baptiste Onofré
> Priority: Critical
> Fix For: 3.0.4, 4.0.0.M3, 2.4.3
>
>
> With neither local process nor with remote jmx connection
> {code}
> service:jmx:rmi://0.0.0.0:44444/jndi/rmi://0.0.0.0:1099/karaf-root
> {code}
> it's possible to connect to Karaf via JMX.
> Neither JConsole nor VisualVM is usable.