[ https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=905958&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-905958 ]
ASF GitHub Bot logged work on ARTEMIS-4582: ------------------------------------------- Author: ASF GitHub Bot Created on: 20/Feb/24 14:52 Start Date: 20/Feb/24 14:52 Worklog Time Spent: 10m Work Description: gtully commented on PR #4820: URL: https://github.com/apache/activemq-artemis/pull/4820#issuecomment-1954384492 > Couple of question... > > 1. One of the things that `management.xml` let you do was configure remote JMX connectivity. How do I do that with this? management.xml will remain, this will just replace the authorization section. > 2. One nice thing about `management.xml` is that you didn't have to muck around with system properties. Any chance this could be configured via `broker.xml` instead of `javax.management.builder.initial`? Perhaps a new `<management>` block would be useful here. the system property is important because I want to guard the platform mbean server, and this is created on startup. Typically our logging causes it is be instantiated. When the platform mbean server is guarded and jolokia exposes it, the need for a jmx connector diminishes. With the management wrapper of the broker, we were late setting the guard in the past. > 3. There is a fair bit of documentation about `management.xml` in `management.adoc`. Could you provide something analogous (or even more comprehensive) for this? A few simple use-cases with corresponding configuration would go a long way in helping users & developers understand how it works. sure. it is considerably simpler, with a mapping from objectName to address, and methods split into update or view permissions. > 4. The existing default `management.xml` has recommended settings (e.g. read-only access to non-Artemis MBeans). I think we should have something similar for this as well. Is that possible? that is a good idea, one thing that may get in the way is the default # security-settings-match. that will be applicable to jmx too but won't typically have the view role. but a security-settings-match jmx.# view role would do it. Issue Time Tracking ------------------- Worklog Id: (was: 905958) Time Spent: 0.5h (was: 20m) > add view and update permissions to augment the manage rbac for control > resources > -------------------------------------------------------------------------------- > > Key: ARTEMIS-4582 > URL: https://issues.apache.org/jira/browse/ARTEMIS-4582 > Project: ActiveMQ Artemis > Issue Type: Improvement > Components: Broker, Configuration, JMX, Web Console > Affects Versions: 2.31.0 > Reporter: Gary Tully > Assignee: Gary Tully > Priority: Major > Time Spent: 0.5h > Remaining Estimate: 0h > > we have the manage permission that allows sending to the management address, > to access any control resource. We don't however distinguish what a user can > do. > We should segment control operations into categories: CRUD provides a basis > view for get/is (Read) > update for set or operations that mutate or modify. > We allow this sort of configuration via management.xml for jmx mbean access > but using a different model based on object name. > All of the mbeans delegate to the control resources. > If we add these two additional permissions then we can have a single rbac > model (that supports config reload) and more granularity on control resource > access from the management address. -- This message was sent by Atlassian Jira (v8.20.10#820010)