[GLASSFISH-14785] Direct JMX access to instances should allow only monitoring access, not control access
Created: 18/Nov/10
Updated: 18/Jul/12
Resolved: 18/Jul/12

Status: Resolved
Project: glassfish
Component/s: amx
Affects Version/s: 3.1
Fix Version/s: 3.1.2.2, 4.0_b35

Type: Bug
Priority: Major
Reporter: Tim Quinn
Assignee: Tim Quinn
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All


Issue Links:
Related
is related to GLASSFISH-18450 failed to connect a cluster instance ... Resolved
Issuezilla Id: 14,785
Tags: 3_1-exclude

 Description   

One of our security requirements is to prevent users from contacting instances
directly and making configuration changes. Direct access connections to
instances using JMX are OK but the user should not be able to make config changes.



 Comments   
Comment by prasads [ 12/Dec/10 ]

This has to be achieved by making significant changes to the DynamicInterceptor using the user credentials passed during the authentication phase. Since the DynamicInterceptor itself is new and is being stabilized, I feel we should defer this for 3.2.

Comment by prasads [ 20/Feb/11 ]

Assigning issues to Naman

Comment by Tim Quinn [ 30/Apr/12 ]

Fix checked in.

Project: glassfish
Repository: svn
Revision: 53698
Author: tjquinn
Date: 2012-04-30 20:26:19 UTC
Link:

Log Message:
------------
Fix for 14785

These changes allow JMX clients to connect directly to instances and perform monitoring (read-only) work. Attempts to change attribute values or to invoke operations with effect other than INFO are rejected.

Revisions:
----------
53698

Modified Paths:
---------------
trunk/main/nucleus/admin/util/src/main/java/com/sun/enterprise/admin/util/GenericAdminAuthenticator.java
trunk/main/nucleus/common/mbeanserver/src/main/java/org/glassfish/admin/mbeanserver/JMXStartupService.java
trunk/main/nucleus/admin/rest/rest-service/src/main/java/org/glassfish/admin/rest/adapter/RestAdapter.java
trunk/main/nucleus/common/internal-api/src/main/java/org/glassfish/internal/api/AdminAccessController.java
trunk/main/nucleus/common/mbeanserver/src/main/resources/com/sun/logging/enterprise/system/jmx/LogStrings.properties

Added Paths:
------------
trunk/main/nucleus/common/mbeanserver/src/main/java/org/glassfish/admin/mbeanserver/AdminAuthorizedMBeanServer.java
trunk/main/nucleus/common/internal-api/src/main/java/org/glassfish/internal/api/JMXAdminPrincipal.java

Comment by Tim Quinn [ 11/Jun/12 ]

Further fix checked in.

The changes allow read-only access to GlassFish MBeans in instances but all access to other MBeans (such as the JVM ones).

Project: glassfish
Repository: svn
Revision: 54532
Author: tjquinn
Date: 2012-06-10 16:00:42 UTC
Link:

Log Message:
------------
Refinements to allowing JMX access to instances.

The earlier changes to allow JMX access to instances prohibited any access that had non-INFO impact, regardless of which MBean was used. That unnecessarily limited access to, for example, JVM MBeans. The goal is to prevent changes being made to GlassFish config directly to instances; other MBean access should be unrestricted.

These changes impose the restriction only on GlassFish MBeans.

Tests: QL, admin devtests

Revisions:
----------
54532

Modified Paths:
---------------
trunk/main/nucleus/common/mbeanserver/src/main/java/org/glassfish/admin/mbeanserver/AdminAuthorizedMBeanServer.java
trunk/main/nucleus/common/mbeanserver/src/main/java/org/glassfish/admin/mbeanserver/JMXStartupService.java
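
The policy described in the two commit messages above (reject attribute writes and non-INFO operations, but only on GlassFish MBeans) can be sketched with the standard JMX API as follows. This is an added example, not the code from revisions 53698 or 54532: the class name, the "amx" domain test and the demo object name are assumptions, and it ignores the caller's identity, which the actual fix takes into account.

```java
import java.lang.management.ManagementFactory;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.Set;
import javax.management.*;

public class ReadOnlyMBeanServerDemo {
    // Assumption: domains treated as "GlassFish MBeans"; the page does not say how the fix decides this.
    static final Set<String> RESTRICTED_DOMAINS = Set.of("amx");

    // Wraps an MBeanServer so that restricted domains accept only reads and INFO-impact operations.
    static MBeanServer readOnlyFor(MBeanServer target) {
        InvocationHandler h = (proxy, method, args) -> {
            String m = method.getName();
            if (args != null && args.length > 0 && args[0] instanceof ObjectName
                    && RESTRICTED_DOMAINS.contains(((ObjectName) args[0]).getDomain())) {
                ObjectName name = (ObjectName) args[0];
                boolean write = m.equals("setAttribute") || m.equals("setAttributes");
                if (write || (m.equals("invoke") && !isInfoOnly(target, name, (String) args[1])))
                    throw new SecurityException(m + " denied on " + name);
            }
            try { return method.invoke(target, args); }
            catch (InvocationTargetException e) { throw e.getCause(); } // surface the server's own exception
        };
        return (MBeanServer) Proxy.newProxyInstance(MBeanServer.class.getClassLoader(),
                new Class<?>[] {MBeanServer.class}, h);
    }

    // Fail closed: allowed only if every overload of the operation declares impact INFO.
    static boolean isInfoOnly(MBeanServer s, ObjectName name, String op) {
        boolean found = false;
        try {
            for (MBeanOperationInfo info : s.getMBeanInfo(name).getOperations()) {
                if (!info.getName().equals(op)) continue;
                if (info.getImpact() != MBeanOperationInfo.INFO) return false;
                found = true;
            }
        } catch (JMException e) { return false; } // unknown MBean or no metadata: deny
        return found;
    }

    public static void main(String[] a) throws Exception {
        MBeanServer ro = readOnlyFor(ManagementFactory.getPlatformMBeanServer());
        ro.invoke(new ObjectName("java.lang:type=Memory"), "gc", null, null); // JVM MBean: passes through
        try {
            ro.setAttribute(new ObjectName("amx:type=demo"), new Attribute("Port", 1)); // constructed name
        } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

To apply such a wrapper to remote clients, a connector server takes an `MBeanServerForwarder` through `JMXConnectorServer.setMBeanServerForwarder`, so the proxy would need to implement that interface rather than plain `MBeanServer`.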

Comment by Tim Quinn [ 18/Jul/12 ]

Re-opening to update fixed-in list.

Comment by Tim Quinn [ 18/Jul/12 ]

Adding 3.1.2.2 to fixed-in list.

Generated at Mon Apr 27 17:55:43 UTC 2015 using JIRA 6.2.3#6260-sha1:63ef1d6dac3f4f4d7db4c1effd405ba38ccdc558.