[jira] Created: (AMQ-2471) Add fine-grained authorization to the web console

Fri, 30 Oct 2009 08:25:16 -0700 

Add fine-grained authorization to the web console
-------------------------------------------------

                 Key: AMQ-2471
                 URL: https://issues.apache.org/activemq/browse/AMQ-2471
             Project: ActiveMQ
          Issue Type: New Feature
          Components: Broker
    Affects Versions: 5.4.0
         Environment: For all environments
            Reporter: Mark Gellings
            Priority: Minor
             Fix For: 5.4.0


The web console doesn't support fine-grained authorization at the moment.

http://old.nabble.com/Dynamically-setting-activemq-username-password-when-logging-into-web-console-to26118677.html#a26126782
 

Scenario with a guest and admin user:  I'd like guest to have read privs (see 
messages on queues, etc.), and admin to have read/write privs (see messages on 
queues, delete messages, delete queues, etc.).  In our scenario guest is 
producing a message and just wants to verify the message has been created 
successfully on the queue.  Admin owns the queue and the broker as they are on 
a separate development team than user guest.  They do not want guest to be able 
to delete messages/queues etc.  Right now we have no way to let guest see for 
themselves that the message is on the queue unless we give them the admin 
user/password for the basic authentication prompt when using the web console.  
If we give that out, we give out read/write privs to guest which we don't want 
to do.

I think for this to be possible two separate connections would need to be 
maintained to the broker, one for guest and one for admin so as the 
simpleAuthenticationPlugin and authorizationPlugin can be used based on the 
user/password used to log on.  Ideally the user/password entered during a basic 
authentication prompt could be mapped to the same user/password used to connect 
to the broker.  Maybe this isn't possible if the web console only maintains one 
connection to the broker.  Maybe the web console would need to be enhanced with 
a user/group security section to control what privs in the web console the 
logged on user has.  An admin could then control whether a user has the right 
to delete a message, a queue, etc. and the web console has the smarts to 
display the delete link or not based on the privs of the logged on user. 




-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to