[ https://issues.apache.org/jira/browse/KARAF-6251?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16823943#comment-16823943 ]
Grzegorz Grzybek commented on KARAF-6251:
-----------------------------------------

So here the problem is that Jolokia uses a local MBeanServer reference which isn't guarded with {{org.apache.karaf.management.internal.MBeanInvocationHandler}}... We did something around this back in fabric8v1 days, let me review what can be done here.

> Jolokia bypasses JMX ACL
> ------------------------
>
>                 Key: KARAF-6251
>                 URL: https://issues.apache.org/jira/browse/KARAF-6251
>             Project: Karaf
>          Issue Type: Bug
>          Components: karaf
>    Affects Versions: 4.2.5
>            Reporter: Tadayoshi Sato
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>             Fix For: 4.3.0, 4.2.6
>
>
> For example, after you install the {{jolokia}} feature:
> {code}
> karaf@root()> feature:install jolokia
> {code}
> the invocation of {{Memory.gc()}} over Jolokia always succeeds even if
> the user {{viewer}} doesn't have the right:
> {code}
> $ curl -s -u viewer:viewer
> http://localhost:8181/jolokia/exec/java.lang:type=Memory/gc\(\)
> {"request":{"mbean":"java.lang:type=Memory","type":"exec","operation":"gc()"},"value":null,"timestamp":1556005468,"status":200}
> {code}
> Note {{jmx.acl.java.lang.Memory.cfg}} only allows {{manager}} (not
> {{viewer}}) to invoke {{gc()}}:
> {code}
> $ cat etc/jmx.acl.java.lang.Memory.cfg
> ...
> gc = manager
> {code}
> This is actually an old issue, which must have been caused by KARAF-3147, as
> Jolokia is considered to be a local JMX connection.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
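To make the distinction in the comment concrete, here is an added example (not Karaf's or Jolokia's code) of a minimal role-based guard wrapped around the platform MBeanServer with a dynamic proxy, standing in loosely for what {{MBeanInvocationHandler}} does; the ACL map mirrors the {{gc = manager}} line from the report, and the role sets are constructed. A caller that holds the raw MBeanServer reference, as the report describes Jolokia doing, never passes through the guard.

```java
import java.lang.management.ManagementFactory;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.Map;
import java.util.Set;
import javax.management.MBeanServer;
import javax.management.ObjectName;

// Hypothetical, simplified guard: an ACL keyed by "<domain>.<type>:<operation>"
// mapping to the roles allowed to invoke it, as in etc/jmx.acl.java.lang.Memory.cfg.
public class AclGuardedMBeanServerDemo {
    // Constructed ACL for the demo: only "manager" may call java.lang:type=Memory gc().
    static final Map<String, Set<String>> ACL = Map.of("java.lang.Memory:gc", Set.of("manager"));

    // Wrap an MBeanServer so that invoke() is checked against ACL for the caller's roles.
    static MBeanServer guard(MBeanServer target, Set<String> roles) {
        InvocationHandler handler = (proxy, method, args) -> {
            if ("invoke".equals(method.getName())) {
                ObjectName name = (ObjectName) args[0];
                String operation = (String) args[1];
                String key = name.getDomain() + "." + name.getKeyProperty("type") + ":" + operation;
                Set<String> allowed = ACL.getOrDefault(key, Set.of());
                if (allowed.stream().noneMatch(roles::contains)) {
                    throw new SecurityException("roles " + roles + " may not invoke " + key);
                }
            }
            return method.invoke(target, args);
        };
        return (MBeanServer) Proxy.newProxyInstance(
            MBeanServer.class.getClassLoader(), new Class<?>[] { MBeanServer.class }, handler);
    }

    public static void main(String[] args) throws Exception {
        MBeanServer local = ManagementFactory.getPlatformMBeanServer();
        ObjectName memory = new ObjectName("java.lang:type=Memory");

        // Raw local reference: no ACL is consulted, so gc() succeeds for anyone.
        local.invoke(memory, "gc", null, null);
        System.out.println("unguarded reference: gc() ran with no role check");

        // Guarded reference: the same call is rejected for "viewer" and allowed for "manager".
        try {
            guard(local, Set.of("viewer")).invoke(memory, "gc", null, null);
        } catch (SecurityException e) {
            System.out.println("guarded reference: " + e.getMessage());
        }
        guard(local, Set.of("manager")).invoke(memory, "gc", null, null);
        System.out.println("guarded reference: gc() allowed for manager");
    }
}
```

The fix direction the comment points at is to hand Jolokia (and any other local client) the guarded reference rather than the platform server itself, so that the same ACL files govern both remote JMX and HTTP access.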