
Proactive insights, news and tips from Oracle WebLogic Server Support. Learn Oracle from Oracle.

  • November 12, 2015

JMX Authorization policies

With the introduction of the Partition concept in WebLogic 12.2.1, there is an impact on how an MBean is authorized for a WebLogic user, because an MBean can now be scoped to either 1) the Domain or 2) a Partition. A Partition is a slice of a WebLogic Domain that can have its own set of users. The users of one Partition are separate from the users of any other Partition and from the users of the Domain. Historically, before Partitions existed, a user in a WebLogic Domain could have one of four roles: 1) Administrator 2) Deployer 3) Monitor 4) Operator. The basic rules for whether a user is authorized on an MBean can be summarized as follows.

  1. Any user can read any MBean, except the Encrypted ones.
  2. A user with the Administrator role can write/execute any MBean.
  3. A user with one of the other roles (Deployer, Monitor, Operator) can write/execute an MBean only if that MBean is annotated with that specific role, e.g.

/**
 * @roleAllowed Deployer
 */
public class MyMBean {

}

In the case above, a user with the Deployer role can write/execute that MBean, but a user with the Monitor role cannot.

In the 12.2.1 release, with the introduction of Multi-tenancy, the authorization rules have changed significantly. An MBean can now be located either in the Domain scope or in a Partition scope. This scoping is sometimes referred to as "owned by"; e.g. in 12.2.1 the DomainMBean is owned by the Domain because it is located at the Domain level of the MBean tree. The MBeans in WebLogic can be visualized as a tree-like structure.

That tree shows how MBeans in WebLogic are now scoped either to a Partition or to the Domain. When a Partition is created in WebLogic, a config MBean named PartitionMBean is created to represent that Partition. Note that the PartitionMBean itself is scoped to the Domain, not to the Partition; any MBean under that PartitionMBean is scoped to the Partition.

So whether a Partition user can access an MBean depends on where that MBean is located in the MBean tree: the location defines whether a Partition owns the MBean or the Domain owns it. Users from the Domain are allowed to write/execute Partition MBeans, but users from a Partition are not allowed to write/execute Domain MBeans unless they are granted permission by explicit annotations.

In 12.2.1 we have introduced a new annotation, @owner, which overrides the location-based ownership of an MBean with an explicitly specified one. @owner takes one of three values: 1) Domain 2) Partition 3) Context.

@owner Domain marks an MBean as owned by the Domain regardless of its location in the MBean tree.

@owner Partition marks an MBean as owned by the Partition regardless of its location in the MBean tree.

@owner Context changes the ownership of an MBean based on the login context of the user that is trying to access it:

If a user accesses the MBean from the Domain context, the MBean behaves as @owner Domain.

If a user accesses the MBean from a Partition context, the MBean behaves as @owner Partition.

@owner Context is particularly useful when an MBean needs to be accessed both by Domain users and by the users of a Partition; the MBean then acts as an MBean shared between the Domain and the Partitions. Remember that when an MBean scoped to the Domain in the MBean tree is marked with @owner Context, it can be written/executed by the users of all Partitions, not only by the users of a particular Partition. There is no way to selectively allow the users of one particular Partition to access a Domain-scoped MBean.

Each attribute or operation of an MBean can be marked with @owner individually for finer control. Putting @owner on an MBean interface is equivalent to putting @owner on every attribute and operation of that MBean.

Example usage

Annotating an MBean as below allows a user from the Domain with the Deployer role and a user from a Partition with the Deployer role to access any operation or attribute of DomainRuntimeMBean:

/**
 * @roleAllowed Deployer
 * @owner Context
 */
public interface DomainRuntimeMBean


Authorization's relation to the visibility of an MBean

In the 12.2.1 release, because of the introduction of Multi-tenancy, there are changes in which MBeans a user can see. Not all MBeans are visible to every user, and the authorization rules apply only to MBeans that are visible to the user. See MBean Visibility for details on the visibility rules in WebLogic 12.2.1.

Default Security Policies in 12.2.1

  • A Domain user with the Administrator role has full access to all MBeans across the Domain and the Partitions.
  • The getter of any MBean attribute and the lookupXXX operations are authorized for any user from the Domain or a Partition, without any annotation required.
  • A setter of an attribute, or an operation, of a Domain-scoped MBean must be marked with @owner Context if Partition users need to access it.
  • A Partition-owned MBean does not require an @owner annotation to be accessible by the users of that particular Partition.
  • If a Domain user with one of the other roles (Deployer, Monitor, Operator) requires access to a Domain-scoped MBean, the MBean must be annotated with @roleAllowed. Remember that, unlike the Domain Administrator, these users can only access Domain-scoped MBeans, not Partition-scoped MBeans.
  • A user from a Partition with the Administrator role can access any MBean in that Partition, but not the MBeans of other Partitions. This is protected by the visibility rule.
  • A Partition user can have the same roles (Administrator, Deployer, Monitor or Operator) as a Domain user.
  • If a user from a Partition with one of the other roles (Deployer, Operator, Monitor) needs write/execute access to a Partition-scoped MBean, the MBean must be annotated with @roleAllowed.
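The rules above (location-based ownership, the @owner override including Context, @roleAllowed on an interface or a single member, and the Partition visibility rule) can be checked end to end with the following model. It is an added example, not WebLogic code: the descriptor classes, the MBean names and the member names are this example's own assumptions, and the decision function only encodes what the post states.

```python
"""
Model of the WebLogic 12.2.1 JMX authorization rules described in this post.
Added example, not WebLogic code: it encodes the stated rules (scope by
location in the MBean tree, @owner overrides, @roleAllowed, Partition
visibility) so a decision can be checked offline for a subject and member.
The descriptor classes below are this example's own, not a WebLogic API.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

DOMAIN, PARTITION, CONTEXT = "Domain", "Partition", "Context"
ADMIN = "Administrator"
ROLES = {ADMIN, "Deployer", "Monitor", "Operator"}


@dataclass(frozen=True)
class Subject:
    role: str
    partition: Optional[str] = None  # None: a Domain user; else the Partition the user logged into

    @property
    def context(self) -> str:
        return DOMAIN if self.partition is None else PARTITION


@dataclass(frozen=True)
class Member:
    """One attribute accessor or operation; kind is getter, setter, lookup or operation."""
    kind: str
    owner: Optional[str] = None         # member-level @owner, overrides the interface
    role_allowed: Optional[str] = None  # member-level @roleAllowed, overrides the interface


@dataclass
class MBean:
    name: str
    location: str                        # DOMAIN or PARTITION: where it sits in the MBean tree
    partition: Optional[str] = None      # owning Partition name when located under a PartitionMBean
    owner: Optional[str] = None          # interface-level @owner (Domain, Partition or Context)
    role_allowed: Optional[str] = None   # interface-level @roleAllowed (single role, as in the post)
    members: Dict[str, Member] = field(default_factory=dict)

    def effective_owner(self, member: Member, subject: Subject) -> str:
        """Member @owner beats interface @owner beats tree location; Context follows the caller."""
        owner = member.owner or self.owner or self.location
        return subject.context if owner == CONTEXT else owner

    def effective_role(self, member: Member) -> Optional[str]:
        return member.role_allowed or self.role_allowed


def is_visible(mbean: MBean, subject: Subject) -> bool:
    """Visibility rule: a Partition user sees Domain MBeans and its own Partition's, never another's."""
    if subject.partition is None:
        return True
    return mbean.location == DOMAIN or mbean.partition == subject.partition


def authorize(mbean: MBean, member_name: str, subject: Subject) -> bool:
    """True if the subject may invoke the named attribute accessor or operation."""
    if subject.role not in ROLES:
        raise ValueError(f"unknown role {subject.role!r}")
    member = mbean.members[member_name]
    if not is_visible(mbean, subject):
        return False                          # the rules only apply to MBeans the user can see
    if member.kind in ("getter", "lookup"):
        return True                           # reads need no annotation for any user
    if subject.context == DOMAIN and subject.role == ADMIN:
        return True                           # Domain Administrator: full write/execute everywhere
    if mbean.effective_owner(member, subject) != subject.context:
        return False                          # caller's context must match the effective owner
    if subject.role == ADMIN:
        return True                           # Partition Administrator inside its own Partition
    return mbean.effective_role(member) == subject.role  # other roles need a matching @roleAllowed


def sample_tree() -> Dict[str, MBean]:
    """Constructed MBeans (names assumed, not from the post) covering the annotation combinations."""
    return {
        # Domain-located, @roleAllowed Deployer on the interface, only the setter shared via @owner Context
        "Shared": MBean("SharedConfigMBean", DOMAIN, role_allowed="Deployer", members={
            "getName": Member("getter"),
            "setName": Member("setter", owner=CONTEXT),
            "restart": Member("operation"),
        }),
        # Located under PartitionMBean "p1": Partition-owned by location, no interface annotation
        "P1": MBean("P1ResourceMBean", PARTITION, partition="p1", members={
            "getState": Member("getter"),
            "setState": Member("setter"),
            "start": Member("operation", role_allowed="Operator"),
        }),
    }


if __name__ == "__main__":
    tree = sample_tree()
    subjects = [Subject(ADMIN), Subject("Deployer"), Subject(ADMIN, "p1"),
                Subject("Deployer", "p1"), Subject("Operator", "p1"), Subject(ADMIN, "p2")]
    for key, mbean in tree.items():
        for name in mbean.members:
            row = ["allow" if authorize(mbean, name, s) else "deny " for s in subjects]
            print(f"{mbean.name}.{name:<9}", "  ".join(row))
```

Two rows of the printed matrix make the post's warnings concrete: `SharedConfigMBean.setName` is allowed for the Administrator of Partition p2 as well as p1, because @owner Context on a Domain-scoped member opens it to every Partition, while `SharedConfigMBean.restart` (no member-level @owner, so Domain-owned by location) is denied even to a Partition Administrator.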

Summary of Authorization rules for users in WebLogic 12.2.1

Table 1: WLS MBeans without any @roleAllowed annotation

  • Domain MBean: an MBean located in the Domain scope, an MBean marked with @owner Domain, or an MBean marked with @owner Context when the subject is in the Domain context
  • Partition MBean: an MBean located in a Partition scope, an MBean marked with @owner Partition, or an MBean marked with @owner Context when the subject is in a Partition context while accessing the MBean

Table 2: WLS MBeans with a @roleAllowed annotation (the annotation can appear on the MBean interface, an attribute, or an operation)

  • Domain MBean and Partition MBean: defined as in Table 1

Table 3: Privileges of the different Domain roles

Table 4: Privileges of the different Partition roles


