Thursday, October 17, 2013

Access not allowed for subject: principals on ResourceType: JMSDestinationRuntime Action: execute, Target: getMessages

Not everybody can view the messages in a plain vanilla JMS queue in WebLogic. By default only Administrators can.
The first step is to let the realm's authorization providers decide who may invoke runtime MBeans, i.e. the console setting "Use Authorization Providers to Protect JMX Access" mentioned in the Oracle note below; in WLST:

cd('/SecurityConfiguration/mydomain/Realms/myrealm')
cmo.setDelegateMBeanAuthorization(true)

(this requires an immediate restart)
Changes to the XACMLAuthorizer that add a policy on the JMSDestinationRuntimeMBean invoke operation are not recorded by the WLS console, unfortunately, so I will have to study how to script it.

See Oracle Doc "WebLogic Server: Error When Attempting to View JMS Messages in Admin Console: Access not allowed for subject (Doc ID 1327324.1)":

    Please go to Security Realms ->  -> Configuration -> General.
    Please check the "Use Authorization Providers to Protect JMX Access" parameter.
    Go to "Roles and Policies" -> Realm Policies.
    In the Policy table, select "JMX Policy Editor."
    Select "Global Scope" and click Next.
    From MBean Types, select "weblogic.management.runtime."
    Select "JMSDestinationRuntimeMBean" and click Next.
    In Attributes and Operations, select "Operations: Permission to Invoke."
    Click on the "Create Policy" button and save.
    Click on "Add Condition" and select "User/Group" in "Predicate List." Click Next.
    Type the username (USER)/Group, and click Add. Click Finish.
    Reboot the server and log in using the user you just created.





In fact it's better to combine these 2 rules into one condition: group = IntegrationOperators OR Administrators, so that the weblogic user can still see the JMS messages.
The resulting policy added to XACMLAuthorizer.dat (shown here in its single-group form, Grp(IntegrationOperators)) is:

<Policy PolicyId="urn:bea:xacml:2.0:entitlement:resource:type@E@Fjmx@G@M@Ooperation@Einvoke@M@Oapplication@E@M@OmbeanType@Eweblogic.management.runtime.JMSDestinationRuntimeMBean"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>Grp(IntegrationOperators)</Description>
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">type=<jmx>, operation=invoke, application=, mbeanType=weblogic.management.runtime.JMSDestinationRuntimeMBean</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <Rule RuleId="primary-rule" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">IntegrationOperators</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:group" DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="deny-rule" Effect="Deny"></Rule>
</Policy>

Note the trailing deny-rule: with the first-applicable combining algorithm, any subject that does not match the Permit rule's condition falls through to it and is denied, which is why a policy naming only IntegrationOperators locks the Administrators (weblogic included) out of getMessages.
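To make the combining behaviour concrete, here is an added Python 3 example (not WebLogic's code and not from this post) that builds the same XACML policy for one or more groups and then evaluates it with first-applicable semantics against a subject's group list. The PolicyId escaping (=, <, >, comma and space becoming @E, @F, @G, @M, @O) is inferred from the PolicyId shown above and is an assumption beyond those five characters; the use of the standard XACML 1.0 `or` function to express "IntegrationOperators OR Administrators" is also my assumption about how a two-group condition is written. ElementTree serializes the `<jmx>` inside the resource value as `&lt;jmx&gt;`, which is the same XML content.

```python
"""Build and evaluate the WebLogic-style XACML policy that gates JMX 'invoke'
on JMSDestinationRuntimeMBean.  Added example, not WebLogic or WLST code."""
import xml.etree.ElementTree as ET

FN = "urn:oasis:names:tc:xacml:1.0:function:"
STRING = "http://www.w3.org/2001/XMLSchema#string"
GROUP_ATTR = "urn:oasis:names:tc:xacml:2.0:subject:group"
RESOURCE_ATTR = "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"

# Resource string as WebLogic writes it (copied from the policy in the post).
JMS_RUNTIME_RESOURCE = ("type=<jmx>, operation=invoke, application=, "
                        "mbeanType=weblogic.management.runtime.JMSDestinationRuntimeMBean")

# Escape table inferred from the PolicyId in the post; only these five characters
# occur there, anything else is passed through unchanged (assumption).
_ESCAPES = {"=": "@E", "<": "@F", ">": "@G", ",": "@M", " ": "@O"}


def encode_policy_id(resource):
    """Turn a WebLogic resource string into the PolicyId used in XACMLAuthorizer.dat."""
    return "urn:bea:xacml:2.0:entitlement:resource:" + "".join(_ESCAPES.get(c, c) for c in resource)


def _group_test(group):
    """<Apply string-is-in> that is true when `group` is in the subject's group bag."""
    apply_ = ET.Element("Apply", FunctionId=FN + "string-is-in")
    ET.SubElement(apply_, "AttributeValue", DataType=STRING).text = group
    ET.SubElement(apply_, "SubjectAttributeDesignator", AttributeId=GROUP_ATTR, DataType=STRING)
    return apply_


def build_jmx_invoke_policy(resource, groups):
    """Permit members of any of `groups`; first-applicable plus a trailing
    unconditional Deny rule means everyone else is denied, as in the post."""
    policy = ET.Element("Policy", PolicyId=encode_policy_id(resource),
                        RuleCombiningAlgId=FIRST_APPLICABLE)
    ET.SubElement(policy, "Description").text = " OR ".join("Grp(%s)" % g for g in groups)
    target = ET.SubElement(policy, "Target")
    match = ET.SubElement(ET.SubElement(ET.SubElement(target, "Resources"), "Resource"),
                          "ResourceMatch", MatchId=FN + "string-equal")
    ET.SubElement(match, "AttributeValue", DataType=STRING).text = resource
    ET.SubElement(match, "ResourceAttributeDesignator", AttributeId=RESOURCE_ATTR,
                  DataType=STRING, MustBePresent="true")
    permit = ET.SubElement(policy, "Rule", RuleId="primary-rule", Effect="Permit")
    cond = ET.SubElement(permit, "Condition")
    if len(groups) == 1:
        cond.append(_group_test(groups[0]))
    else:  # assumption: multi-group conditions use the XACML 1.0 'or' function
        or_ = ET.SubElement(cond, "Apply", FunctionId=FN + "or")
        for g in groups:
            or_.append(_group_test(g))
    ET.SubElement(policy, "Rule", RuleId="deny-rule", Effect="Deny")
    return ET.tostring(policy, encoding="unicode")


def _eval_apply(apply_, subject_groups):
    """Evaluate the small subset of XACML functions these policies use."""
    fn = apply_.get("FunctionId")
    if fn == FN + "or":
        return any(_eval_apply(child, subject_groups) for child in apply_)
    if fn == FN + "string-is-in":
        value = apply_.find("AttributeValue").text
        designator = apply_.find("SubjectAttributeDesignator")
        if designator is None or designator.get("AttributeId") != GROUP_ATTR:
            raise ValueError("only subject group tests are supported here")
        return value in subject_groups
    raise ValueError("unsupported function %s" % fn)


def decide(policy_xml, subject_groups):
    """Return the Effect of the first applicable Rule (first-applicable combining).
    A Rule without a Condition always applies, which makes the deny-rule a catch-all."""
    policy = ET.fromstring(policy_xml)
    for rule in policy.findall("Rule"):
        cond = rule.find("Condition")
        if cond is None or _eval_apply(cond[0], subject_groups):
            return rule.get("Effect")
    return "NotApplicable"


if __name__ == "__main__":
    single = build_jmx_invoke_policy(JMS_RUNTIME_RESOURCE, ["IntegrationOperators"])
    combined = build_jmx_invoke_policy(JMS_RUNTIME_RESOURCE, ["IntegrationOperators", "Administrators"])
    for name, pol in (("single-group", single), ("combined", combined)):
        for subject in (["IntegrationOperators"], ["Administrators"], ["Monitors"]):
            print(name, subject, "->", decide(pol, subject))
```

Running it shows the point of the post: under the single-group policy the Administrators group is denied (the weblogic user cannot open the queue), while the combined policy permits both groups and still denies everyone else.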


An extra entry will be added to the file:
<WLSMetaData PolicyId="urn:bea:xacml:2.0:entitlement:resource:type@E@Fjmx@G@M@Ooperation@Einvoke@M@Oapplication@E@M@OmbeanType@Eweblogic.management.runtime.JMSDestinationRuntimeMBean" Status="3"><WLSPolicyInfo wlsCreatorInfo="mbean"/>


The corresponding WLST is:

import sys

def allowJMSAccessForGroup(domainName):
    # Adds an XACML policy to the realm's XACMLAuthorizer permitting members of
    # IntegrationOperators to invoke operations on JMSDestinationRuntimeMBean
    # (what the console's getMessages needs). Runs inside WLST (Jython 2.x).
    try:
        print "applying JMS access policy for domain", domainName
        policy = '<Policy PolicyId="urn:bea:xacml:2.0:entitlement:resource:type@E@Fjmx@G@M@Ooperation@Einvoke@M@Oapplication@E@M@OmbeanType@Eweblogic.management.runtime.JMSDestinationRuntimeMBean" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"><Description>Grp(IntegrationOperators)</Description><Target><Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">type=<jmx>, operation=invoke, application=, mbeanType=weblogic.management.runtime.JMSDestinationRuntimeMBean</AttributeValue><ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/></ResourceMatch></Resource></Resources></Target><Rule RuleId="primary-rule" Effect="Permit"><Condition><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">IntegrationOperators</AttributeValue><SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:group" DataType="http://www.w3.org/2001/XMLSchema#string"/></Apply></Condition></Rule><Rule RuleId="deny-rule" Effect="Deny"></Rule></Policy>'
        # '<' is shown as &lt; in the log line only; the unescaped policy is what gets applied
        print "applying policy", policy.replace("<", "&lt;")
        path = '/SecurityConfiguration/' + domainName + '/DefaultRealm/myrealm/Authorizers/XACMLAuthorizer'
        print "cd('" + path + "')"
        cd(path)
        cmo.addPolicy(policy)
        print "done applying policy"
        return True
    except Exception, inst:
        print inst
        print sys.exc_info()[0]
        dumpStack()
        sys.stderr.write("unable to apply JMS access policy for domain " + domainName)
        return False

# connect() to the Admin Server first; 'domain' must hold the domain name
serverConfig()
allowJMSAccessForGroup(domain)

(no edit() statement is necessary to apply this change)
BE VERY CAREFUL: authorization information is cached by the WebLogic console, so to see the effect of this change it's safer to log out and log in again.
If you get a "weblogic.management.utils.AlreadyExistsException: Policy with matching ID and version already exists in store", don't worry, it's all right. Just check that the policy is in place.
Be aware that old versions of WebLogic have several bugs in this area:
Bug 8912918
Bug 9764721
Bug 11778631
so make sure you apply the patches.
