Red Hat Fuse: ENTESB-2071

RBAC for ActiveMQ brokers is bypassed


Details

    • Bug
    • Resolution: Done
    • Critical
    • jboss-fuse-6.2

    Description

      In the Fuse distro at least (it could also be in the AMQ one as well), I noticed the following settings in etc/jmx.acl.whitelist.cfg:

      jmx.acl.whitelist.properties
      # open this up so we can check available plugins before authenticating
      hawtio.plugin=bypass
      # open this up so that permissions can validated by anyone
      org.apache.karaf.security.jmx=bypass
      io.fabric8.cxf=bypass
      org.apache.activemq.Broker=bypass
      

      The last line totally disables RBAC for brokers deployed in the ESB and should be removed or refined to only be the method call that's required by whatever component required this in the first place. I would also suggest we validate the io.fabric8.cxf whitelist; it would be good to comment each entry so that the reason a given MBean/operation is whitelisted is clear.

      Also, the same setting needs to be checked in fabric8's default profile so it's consistent when the user creates a fabric.
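      As an added example (not code from this issue or from the Fuse project), the following Python script audits a jmx.acl.whitelist.cfg for the two problems described above: a blanket bypass of the broker MBean domain, and bypass entries that carry no comment explaining why they are whitelisted. It assumes the file is plain Java-properties syntax where a value of "bypass" exempts the matching MBean from JMX RBAC; the sample text reproduces the entries quoted above, and the never-blanket-bypass list is a constructed policy for the example.

```python
"""Audit a Karaf/Fuse jmx.acl.whitelist.cfg for risky RBAC bypass entries.

Added example, not part of the Red Hat Fuse project or this issue. Assumes
plain Java-properties syntax: '#'/'!' comment lines, blank lines, and
'key=value' lines where the value 'bypass' exempts the MBean from JMX RBAC.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample input, reproducing the entries quoted in the issue.
SAMPLE_CFG = """\
# open this up so we can check available plugins before authenticating
hawtio.plugin=bypass
# open this up so that permissions can validated by anyone
org.apache.karaf.security.jmx=bypass
io.fabric8.cxf=bypass
org.apache.activemq.Broker=bypass
"""

# Constructed policy: MBean domains whose blanket bypass switches off RBAC for a
# whole subsystem (the broker case reported in this issue). Tune per deployment.
NEVER_BLANKET_BYPASS = ("org.apache.activemq.Broker",)


@dataclass
class WhitelistEntry:
    lineno: int
    key: str
    value: str
    comments: List[str] = field(default_factory=list)


def parse_whitelist(text: str) -> List[WhitelistEntry]:
    """Parse properties-style text; the comment block directly above a
    key=value line is attached to that entry as its justification."""
    entries: List[WhitelistEntry] = []
    pending: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            pending = []  # a blank line breaks the comment association
            continue
        if line.startswith(("#", "!")):
            pending.append(line.lstrip("#!").strip())
            continue
        key, sep, value = line.partition("=")
        if not sep:  # properties files also allow 'key: value'
            key, sep, value = line.partition(":")
        entries.append(WhitelistEntry(lineno, key.strip(), value.strip(), pending))
        pending = []
    return entries


def audit_whitelist(text: str) -> List[Tuple[int, str, str]]:
    """Return (lineno, key, finding) for each bypass entry that either covers a
    domain that must never be blanket-whitelisted or has no explanatory comment."""
    findings: List[Tuple[int, str, str]] = []
    for e in parse_whitelist(text):
        if e.value.lower() != "bypass":
            continue
        if any(e.key == d or e.key.startswith(d + ".") for d in NEVER_BLANKET_BYPASS):
            findings.append((e.lineno, e.key,
                             "blanket bypass disables RBAC for this MBean domain"))
        if not e.comments:
            findings.append((e.lineno, e.key,
                             "bypass entry has no comment explaining why it is whitelisted"))
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; replace with the contents of
    # etc/jmx.acl.whitelist.cfg from the installation under review.
    for lineno, key, finding in audit_whitelist(SAMPLE_CFG):
        print(f"line {lineno}: {key}: {finding}")
```

      On the sample above the script reports io.fabric8.cxf as undocumented and org.apache.activemq.Broker as both a blanket broker bypass and undocumented, which matches the two findings in the description; the same check can be pointed at the fabric8 default profile copy of the file to confirm the two stay consistent.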

          People

            yfang@redhat.com Freeman(Yue) Fang
            stlewis_2 Stan Lewis