[
https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=905958&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-905958
]
ASF GitHub Bot logged work on ARTEMIS-4582:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 20/Feb/24 14:52
Start Date: 20/Feb/24 14:52
Worklog Time Spent: 10m
Work Description: gtully commented on PR #4820:
URL:
https://github.com/apache/activemq-artemis/pull/4820#issuecomment-1954384492
> Couple of question...
>
> 1. One of the things that `management.xml` let you do was configure remote
JMX connectivity. How do I do that with this?
management.xml will remain, this will just replace the authorization
section.
> 2. One nice thing about `management.xml` is that you didn't have to muck
around with system properties. Any chance this could be configured via
`broker.xml` instead of `javax.management.builder.initial`? Perhaps a new
`<management>` block would be useful here.
the system property is important because I want to guard the platform mbean
server, and this is created on startup. Typically our logging causes it is be
instantiated. When the platform mbean server is guarded and jolokia exposes it,
the need for a jmx connector diminishes. With the management wrapper of the
broker, we were late setting the guard in the past.
> 3. There is a fair bit of documentation about `management.xml` in
`management.adoc`. Could you provide something analogous (or even more
comprehensive) for this? A few simple use-cases with corresponding
configuration would go a long way in helping users & developers understand how
it works.
sure. it is considerably simpler, with a mapping from objectName to address,
and methods split into update or view permissions.
> 4. The existing default `management.xml` has recommended settings (e.g.
read-only access to non-Artemis MBeans). I think we should have something
similar for this as well. Is that possible?
that is a good idea, one thing that may get in the way is the default #
security-settings-match. that will be applicable to jmx too but won't typically
have the view role.
but a security-settings-match jmx.# view role would do it.
Issue Time Tracking
-------------------
Worklog Id: (was: 905958)
Time Spent: 0.5h (was: 20m)
> add view and update permissions to augment the manage rbac for control
> resources
> --------------------------------------------------------------------------------
>
> Key: ARTEMIS-4582
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: Broker, Configuration, JMX, Web Console
> Affects Versions: 2.31.0
> Reporter: Gary Tully
> Assignee: Gary Tully
> Priority: Major
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> we have the manage permission that allows sending to the management address,
> to access any control resource. We don't however distinguish what a user can
> do.
> We should segment control operations into categories: CRUD provides a basis
> view for get/is (Read)
> update for set or operations that mutate or modify.
> We allow this sort of configuration via management.xml for jmx mbean access
> but using a different model based on object name.
> All of the mbeans delegate to the control resources.
> If we add these two additional permissions then we can have a single rbac
> model (that supports config reload) and more granularity on control resource
> access from the management address.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
