[ https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=909214&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909214 ]
ASF GitHub Bot logged work on ARTEMIS-4582: ------------------------------------------- Author: ASF GitHub Bot Created on: 11/Mar/24 14:17 Start Date: 11/Mar/24 14:17 Worklog Time Spent: 10m Work Description: gtully commented on code in PR #4820: URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1519799536 ########## docs/user-manual/management.adoc: ########## @@ -250,8 +251,11 @@ It can be disabled by setting `jmx-management-enabled` to `false` in `broker.xml ==== Role Based Authorisation for JMX -Although by default Artemis uses the Java Virtual Machine's `Platform MBeanServer` this is guarded using role based authorisation that leverages the broker's JAAS plugin support. -This is configured via the `authorisation` element in the `management.xml` configuration file and can be used to restrict access to attributes and methods on MBeans. +Artemis uses the Java Virtual Machine's `Platform MBeanServer` by default. This is guarded using role based authorisation that leverages the broker's JAAS plugin support. + +The RBAC used to restrict access to Mbeans and their operations can be configured in two ways, via security-settings in broker.xml, described in xref:management.adoc#jmx-authorisation-in-broker-xml[JMX authorisation in broker.xml], or via the `authorisation` element in the `management.xml` that is described below. + Review Comment: going with "one of two", thanks. Issue Time Tracking ------------------- Worklog Id: (was: 909214) Time Spent: 3h 10m (was: 3h) > add view and update permissions to augment the manage rbac for control > resources > -------------------------------------------------------------------------------- > > Key: ARTEMIS-4582 > URL: https://issues.apache.org/jira/browse/ARTEMIS-4582 > Project: ActiveMQ Artemis > Issue Type: Improvement > Components: Broker, Configuration, JMX, Web Console > Affects Versions: 2.31.0 > Reporter: Gary Tully > Assignee: Gary Tully > Priority: Major > Time Spent: 3h 10m > Remaining Estimate: 0h > > we have the manage permission that allows sending to the management address, > to access any control resource. We don't however distinguish what a user can > do. > We should segment control operations into categories: CRUD provides a basis > view for get/is (Read) > update for set or operations that mutate or modify. > We allow this sort of configuration via management.xml for jmx mbean access > but using a different model based on object name. > All of the mbeans delegate to the control resources. > If we add these two additional permissions then we can have a single rbac > model (that supports config reload) and more granularity on control resource > access from the management address. -- This message was sent by Atlassian Jira (v8.20.10#820010)