gtully commented on code in PR #4820: URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1519811815
########## docs/user-manual/management.adoc: ########## @@ -362,6 +366,63 @@ The `*` access is the catch all for everything other method that isn't specifica The `default-access` element is basically the catch all for every method call that isn't handled via the `role-access` configuration. This has the same semantics as a `match` element. + +==== JMX authorisation in broker.xml +The existing xref:security.adoc#role-based-security-for-addresses[security-settings] can be used for JMX RBAC. + +Using the `view` and `update` permissions on matches in security-settings provides an alternative to the authorization section in management.xml. +Using a single security model based on addresses, with reloadable configuration, simplifies operation. + +An xref:management.adoc#artemis_rbac_mbean_server_guard[MBeanServer interceptor] that delegates to the broker security manager must be configured with a JVM system property that allows it to be added to all MBeanServers in the JVM. + +This is configured via a system property as follows: + +[,sh] +---- + java -Djavax.management.builder.initial=org.apache.activemq.artemis.core.server.management.ArtemisRbacMBeanServerBuilder +---- +NOTE: When this property is provided, the authorization section of management.xml should be omitted as that depends on an alternative MBeanServer interceptor. Review Comment: going with IMPORTANT, will see if there is some good place in the code to try and detect but I think in general, auto detection of invalid config is a rabbit hole. Maybe there is a use case for different MBean servers configured with different guards. That is possible but improbable. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: gitbox-unsubscr...@activemq.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
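Review bot: The NOTE at the end of the added text says the authorization section of management.xml "should be omitted" when `javax.management.builder.initial` is set, but it does not say what happens if both are left in place. That is a security-relevant misconfiguration, so the text should state the resulting behaviour (which interceptor ends up enforcing access, or whether startup fails) so an operator can tell whether JMX calls are still being authorised. Two smaller points in the same added text: the sentence introducing the listing ("This is configured via a system property as follows:") repeats the paragraph before it, so one of the two can go, and the heading spells "authorisation" while the body uses "authorization".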