[
https://issues.apache.org/jira/browse/ARTEMIS-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17842317#comment-17842317
]
Luís Alves commented on ARTEMIS-4582:
-------------------------------------
hi [~gtully]
I've seen you added to ActiveMQSecurityManager:
{code:java}
default String getUserFromSubject(Subject subject) {
return SecurityManagerUtil.getUserFromSubject(subject,
UserPrincipal.class);
}
{code}
That caused a side effect on my implementation of ActiveMQSecurityManager5 as
my subject extends from Principal and not UserPrincipal. Therefore I always get
a null subject and cannot authorize.
Is this intended and I need to change my code? your this will be changed to
Principal.class?
> add view and edit permissions to extend security-settings rbac for management
> operations
> ----------------------------------------------------------------------------------------
>
> Key: ARTEMIS-4582
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: Broker, Configuration, JMX, Web Console
> Affects Versions: 2.31.0
> Reporter: Gary Tully
> Assignee: Gary Tully
> Priority: Major
> Fix For: 2.33.0
>
> Time Spent: 4h 40m
> Remaining Estimate: 0h
>
> we have the manage permission that allows sending to the management address,
> to access any control resource. We don't however distinguish what a user can
> do.
> We should segment control operations into categories: CRUD provides a basis
> view for get/is (Read)
> edit for set or operations that mutate or modify.
> We allow this sort of configuration via management.xml for jmx mbean access
> but using a different model based on object name.
> All of the mbeans delegate to the control resources.
> If we add these two additional permissions then we can have a single rbac
> model (that supports config reload) and more granularity on control resource
> access from the management address.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
