[ 
https://issues.apache.org/jira/browse/ARTEMIS-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17842433#comment-17842433
 ] 

Luís Alves commented on ARTEMIS-4582:
-------------------------------------

Thanks [~gtully]. I will have a look.
On hawtio (console), I've already got it integrated with OIDC (Keycloak). That was
easy, because it's via a browser and we can complete the Auth code flow. The
messaging part is more complex, because I don't want to disclose the client
credentials, so I need to pass the token in the password field. It looks quite
similar to what is done in KubernetesLoginModule, but I need to understand how
the token gets into the password field. Then my module has more complexity on
the AuthZ, as I don't map the roles in the token to the Artemis managed roles.

I do it by convention, e.g.:
* CONSUME_<address> will allow a client to subscribe
* SEND_<address> will allow a client to produce to the address

So the AuthZ logic is all on Keycloak.

> add view and edit permissions to extend security-settings rbac for management 
> operations
> ----------------------------------------------------------------------------------------
>
>                 Key: ARTEMIS-4582
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>          Components: Broker, Configuration, JMX, Web Console
>    Affects Versions: 2.31.0
>            Reporter: Gary Tully
>            Assignee: Gary Tully
>            Priority: Major
>             Fix For: 2.33.0
>
>          Time Spent: 4h 40m
>  Remaining Estimate: 0h
>
> We have the manage permission that allows sending to the management address,
> to access any control resource. We don't however distinguish what a user can
> do.
> We should segment control operations into categories. CRUD provides a basis:
> * view for get/is (Read)
> * edit for set or operations that mutate or modify.
> We allow this sort of configuration via management.xml for JMX MBean access,
> but using a different model based on object name.
> All of the MBeans delegate to the control resources.
> If we add these two additional permissions then we can have a single RBAC
> model (that supports config reload) and more granularity on control resource
> access from the management address.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
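Added example, not code from the Artemis project or from the commenter: a Python sketch of what a login module that receives the access token in the password field has to do before the CONSUME_<address>/SEND_<address> convention from the comment can be trusted (verify signature, algorithm, issuer, audience and expiry, then derive per-address permissions from the roles), plus the view/edit split the issue description proposes for control-resource operations (get/is names need view, everything else needs edit). Assumptions: the token is HS256-signed with a shared demo key so the example runs on the standard library alone; a Keycloak realm signs with RS256 and a real module would verify against the realm JWKS instead. The issuer, audience, username and role names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key standing in for the Keycloak realm key (assumption: HS256
# here only so the example has no dependencies; Keycloak uses RS256 + JWKS).
DEMO_KEY = b"demo-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://keycloak.example/realms/demo"  # assumed issuer
EXPECTED_AUDIENCE = "artemis-broker"                       # assumed client id


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(roles, exp_offset=300, now=None):
    """Build a token shaped like a Keycloak access token (realm roles live under
    realm_access.roles). Used only to construct input for the example."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": EXPECTED_ISSUER,
        "aud": EXPECTED_AUDIENCE,
        "iat": now,
        "exp": now + exp_offset,
        "preferred_username": "orders-service",   # constructed
        "realm_access": {"roles": list(roles)},
    }
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token, now=None):
    """Return the claims if the token is genuine and current, else raise ValueError.
    This is the part that must run before any role in the token is believed."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":          # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def permissions_from_roles(roles):
    """Apply the CONSUME_<address> / SEND_<address> convention from the comment.
    Returns {address: {"consume", "send"}}. Roles that do not follow the
    convention grant nothing on the broker."""
    perms = {}
    for role in roles:
        for prefix, op in (("CONSUME_", "consume"), ("SEND_", "send")):
            if role.startswith(prefix) and len(role) > len(prefix):
                perms.setdefault(role[len(prefix):], set()).add(op)
    return perms


def authorize(token, op, address, now=None):
    """May the bearer of `token` perform `op` ('send' or 'consume') on `address`?"""
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        return False   # invalid token: nothing is granted, whatever it claims
    roles = claims.get("realm_access", {}).get("roles", [])
    return op in permissions_from_roles(roles).get(address, set())


def required_management_permission(operation):
    """The split the issue proposes for control-resource operations:
    get*/is* reads need 'view', anything that sets or mutates needs 'edit'."""
    return "view" if operation.startswith(("get", "is")) else "edit"
```

The convention keeps the authorization decision with Keycloak, as the comment says, but only if the broker side refuses to act on roles from a token it has not verified; a login module that merely base64-decodes the password field would let any client mint itself CONSUME_/SEND_ roles.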