[ https://issues.apache.org/jira/browse/ARTEMIS-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17842433#comment-17842433 ]
Luís Alves commented on ARTEMIS-4582:
-------------------------------------

Thanks [~gtully]. I will have a look.

On hawtio (console), I already have it integrated with OIDC (Keycloak). It was easy, because it's via a browser and we can complete the Auth code flow.

For the messaging part it is more complex, because I don't want to disclose the client credentials, so I need to pass the token in the password field. Looks quite similar to what is done in KubernetesLoginModule, but I need to understand how the token gets into the password field.

Then my module has more complexity on the AuthZ, as I don't map the roles in the token to the Artemis managed roles. I do it by conventions. E.g.:

* CONSUME_<address> will allow a client to subscribe
* SEND_<address> will allow a client to produce to the address

So the AuthZ logic is all on Keycloak.

> add view and edit permissions to extend security-settings rbac for management
> operations
> ----------------------------------------------------------------------------------------
>
>                 Key: ARTEMIS-4582
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>          Components: Broker, Configuration, JMX, Web Console
>    Affects Versions: 2.31.0
>            Reporter: Gary Tully
>            Assignee: Gary Tully
>            Priority: Major
>             Fix For: 2.33.0
>
>          Time Spent: 4h 40m
>  Remaining Estimate: 0h
>
> We have the manage permission that allows sending to the management address,
> to access any control resource. We don't however distinguish what a user can
> do.
>
> We should segment control operations into categories. CRUD provides a basis:
> view for get/is (Read); edit for set or operations that mutate or modify.
>
> We allow this sort of configuration via management.xml for jmx mbean access,
> but using a different model based on object name. All of the mbeans delegate
> to the control resources.
>
> If we add these two additional permissions then we can have a single rbac
> model (that supports config reload) and more granularity on control resource
> access from the management address.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
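The role convention described in the comment (CONSUME_<address> and SEND_<address> granted in Keycloak, evaluated by a custom login module rather than mapped to Artemis roles), as an added illustration that is not code from the commenter or from Artemis. It assumes the token has already been signature-verified upstream, that roles arrive in Keycloak's realm_access.roles claim, and that the role name is built from the requested address rather than parsed, so addresses containing underscores stay unambiguous and no prefix match can over-grant.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Convention from the comment: CONSUME_<address> permits subscribing to
# <address>, SEND_<address> permits producing to it. Nothing else is mapped.
ROLE_PREFIX = {"consume": "CONSUME_", "send": "SEND_"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def required_role(operation: str, address: str) -> str:
    """Build the exact role a request needs; never split role names apart."""
    if operation not in ROLE_PREFIX:
        raise ValueError(f"unknown operation {operation!r}")
    return ROLE_PREFIX[operation] + address


def authorize(claims: dict, operation: str, address: str,
              now: Optional[float] = None) -> Decision:
    """Decide on an already-verified token's claims (assumption: signature
    and issuer were checked by the login module before this point)."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is None or now >= exp:
        return Decision(False, "token expired or missing exp")
    # Assumption: Keycloak realm roles live under realm_access.roles.
    roles = set(claims.get("realm_access", {}).get("roles", []))
    needed = required_role(operation, address)
    # Exact match only: SEND_orders must not grant SEND_orders.archive.
    if needed in roles:
        return Decision(True, f"role {needed} present")
    return Decision(False, f"role {needed} absent")


# Constructed sample claims, not a real token.
SAMPLE_CLAIMS = {
    "sub": "svc-orders",
    "exp": 1_700_000_600,
    "realm_access": {"roles": ["CONSUME_orders", "SEND_orders.audit"]},
}

if __name__ == "__main__":
    for op, addr in [("consume", "orders"), ("send", "orders"),
                     ("send", "orders.audit")]:
        print(op, addr, authorize(SAMPLE_CLAIMS, op, addr, now=1_700_000_000))
```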