[GitHub] [activemq-artemis] jbertram commented on a change in pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match

Mon, 14 Oct 2019 12:10:59 -0700 

jbertram commented on a change in pull request #2851: ARTEMIS-2503 Improve 
wildcards for the roles access match
URL: https://github.com/apache/activemq-artemis/pull/2851#discussion_r334624011
 
 

 ##########
 File path: 
artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlList.java
 ##########
 @@ -25,12 +25,22 @@
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 
+import org.apache.activemq.artemis.core.config.WildcardConfiguration;
+import org.apache.activemq.artemis.core.settings.HierarchicalRepository;
+import 
org.apache.activemq.artemis.core.settings.impl.HierarchicalObjectRepository;
+
 public class JMXAccessControlList {
 
    private Access defaultAccess = new Access("*");
-   private Map<String, Access> domainAccess = new HashMap<>();
+   private HierarchicalRepository<Access> domainAccess;
    private ConcurrentHashMap<String, List<String>> whitelist = new 
ConcurrentHashMap<>();
 
+   public JMXAccessControlList() {
+      WildcardConfiguration domainAccessWildcardConfiguration = new 
WildcardConfiguration();
 
 Review comment:
   These use-cases seem pretty different to me. The wildcard configuration in 
broker.xml is for address matching which is hierarchical in nature and 
therefore requires separating "words", matching individual and groups of words, 
etc. The "match" performed for keys defined in management.xml is basically just 
a **prefix**. It's not hierarchical and doesn't even use regular expressions. 
It's *very* simple and IMO it should stay that way. 
   
   > If i need to secure a wildcard of address or queues on broker then no 
doubt i need to secure the same pattern from admin pov to.
   
   I'm not sure is "no doubt" about that. Use cases for the security of actual 
messaging clients and management users can vary quite a bit. In any case, the 
same kind of matching isn't possible in management.xml as it is in broker.xml 
either before or after this PR. The use-case for this PR is just allowing a 
simple prefixing for the match "key" just like is available for the access 
"method" field. The syntax is the same. It's just allowing it in a new field. I 
don't see any issue with that.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services

Reply via email to