[
https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=909214&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909214
]
ASF GitHub Bot logged work on ARTEMIS-4582:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 11/Mar/24 14:17
Start Date: 11/Mar/24 14:17
Worklog Time Spent: 10m
Work Description: gtully commented on code in PR #4820:
URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1519799536
##########
docs/user-manual/management.adoc:
##########
@@ -250,8 +251,11 @@ It can be disabled by setting `jmx-management-enabled` to
`false` in `broker.xml
==== Role Based Authorisation for JMX
-Although by default Artemis uses the Java Virtual Machine's `Platform
MBeanServer` this is guarded using role based authorisation that leverages the
broker's JAAS plugin support.
-This is configured via the `authorisation` element in the `management.xml`
configuration file and can be used to restrict access to attributes and methods
on MBeans.
+Artemis uses the Java Virtual Machine's `Platform MBeanServer` by default.
This is guarded using role based authorisation that leverages the broker's JAAS
plugin support.
+
+The RBAC used to restrict access to Mbeans and their operations can be
configured in two ways, via security-settings in broker.xml, described in
xref:management.adoc#jmx-authorisation-in-broker-xml[JMX authorisation in
broker.xml], or via the `authorisation` element in the `management.xml` that is
described below.
+
Review Comment:
going with "one of two", thanks.
Issue Time Tracking
-------------------
Worklog Id: (was: 909214)
Time Spent: 3h 10m (was: 3h)
> add view and update permissions to augment the manage rbac for control
> resources
> --------------------------------------------------------------------------------
>
> Key: ARTEMIS-4582
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: Broker, Configuration, JMX, Web Console
> Affects Versions: 2.31.0
> Reporter: Gary Tully
> Assignee: Gary Tully
> Priority: Major
> Time Spent: 3h 10m
> Remaining Estimate: 0h
>
> we have the manage permission that allows sending to the management address,
> to access any control resource. We don't however distinguish what a user can
> do.
> We should segment control operations into categories: CRUD provides a basis
> view for get/is (Read)
> update for set or operations that mutate or modify.
> We allow this sort of configuration via management.xml for jmx mbean access
> but using a different model based on object name.
> All of the mbeans delegate to the control resources.
> If we add these two additional permissions then we can have a single rbac
> model (that supports config reload) and more granularity on control resource
> access from the management address.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
