[ https://issues.apache.org/activemq/browse/AMQ-2471?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bruce Snyder updated AMQ-2471:
------------------------------
Fix Version/s: 5.5.0 (was: 5.4.1)
> Add fine-grained authorization to the web console
> -------------------------------------------------
>
> Key: AMQ-2471
> URL: https://issues.apache.org/activemq/browse/AMQ-2471
> Project: ActiveMQ
> Issue Type: New Feature
> Components: Broker
> Affects Versions: 5.4.0
> Environment: For all environments
> Reporter: Mark Gellings
> Priority: Minor
> Fix For: 5.5.0
>
> Original Estimate: 4 weeks
> Remaining Estimate: 4 weeks
>
> The web console doesn't support fine-grained authorization at the moment.
> http://old.nabble.com/Dynamically-setting-activemq-username-password-when-logging-into-web-console-to26118677.html#a26126782
>
> Scenario with a guest and admin user: I'd like guest to have read privs (see
> messages on queues, etc.), and admin to have read/write privs (see messages
> on queues, delete messages, delete queues, etc.). In our scenario guest is
> producing a message and just wants to verify the message has been created
> successfully on the queue. Admin owns the queue and the broker as they are
> on a separate development team than user guest. They do not want guest to be
> able to delete messages/queues etc. Right now we have no way to let guest
> see for themselves that the message is on the queue unless we give them the
> admin user/password for the basic authentication prompt when using the web
> console. If we give that out, we give out read/write privs to guest which we
> don't want to do.
> I think for this to be possible two separate connections would need to be
> maintained to the broker, one for guest and one for admin, so that the
> simpleAuthenticationPlugin and authorizationPlugin can be used based on the
> user/password used to log on. Ideally the user/password entered during a
> basic authentication prompt could be mapped to the same user/password used to
> connect to the broker. Maybe this isn't possible if the web console only
> maintains one connection to the broker. Maybe the web console would need to
> be enhanced with a user/group security section to control what privs in the
> web console the logged on user has. An admin could then control whether a
> user has the right to delete a message, a queue, etc. and the web console has
> the smarts to display the delete link or not based on the privs of the logged
> on user.
--
This message is automatically generated by JIRA.
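The broker-side half of the scenario above, as an added example that is not part of the issue or of ActiveMQ's shipped configuration: simpleAuthenticationPlugin and authorizationPlugin in activemq.xml so that guest can send to and browse the queue while only admin may create or delete destinations. Group names, queue name and password placeholders are assumptions; the web-console mapping the report asks for is not shown because the issue states it does not exist.

```xml
<!-- Added example: broker-side authentication/authorization for the guest/admin scenario.
     Passwords and names are placeholders chosen for this illustration. -->
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
  <plugins>
    <!-- Two users: guest belongs only to "users", admin also to "admins". -->
    <simpleAuthenticationPlugin>
      <users>
        <authenticationUser username="admin" password="ADMIN_PASSWORD_PLACEHOLDER" groups="admins,users"/>
        <authenticationUser username="guest" password="GUEST_PASSWORD_PLACEHOLDER" groups="users"/>
      </users>
    </simpleAuthenticationPlugin>
    <authorizationPlugin>
      <map>
        <authorizationMap>
          <authorizationEntries>
            <!-- guest produces to and browses this queue; only admins may
                 create/destroy it ("admin" permission). -->
            <authorizationEntry queue="DEV.ORDERS" read="users" write="users" admin="admins"/>
            <!-- every other destination is admin-only -->
            <authorizationEntry queue=">" read="admins" write="admins" admin="admins"/>
            <authorizationEntry topic=">" read="admins" write="admins" admin="admins"/>
            <!-- advisory topics must stay open to all connecting clients -->
            <authorizationEntry topic="ActiveMQ.Advisory.>" read="users" write="users" admin="users"/>
          </authorizationEntries>
        </authorizationMap>
      </map>
    </authorizationPlugin>
  </plugins>
</broker>
```

With this in place a JMS client connecting as guest can send to and browse DEV.ORDERS but cannot remove the queue; the web console, which at this version uses a single fixed broker connection, still cannot distinguish the two users, which is the gap the issue describes.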