gtully commented on code in PR #4820:
URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1519811815


##########
docs/user-manual/management.adoc:
##########
@@ -362,6 +366,63 @@ The `*` access is the catch all for everything other 
method that isn't specifica
 The `default-access` element is basically the catch all for every method call 
that isn't handled via the `role-access` configuration.
 This has the same semantics as a `match` element.
 
+
+==== JMX authorisation in broker.xml
+The existing 
xref:security.adoc#role-based-security-for-addresses[security-settings] can be 
used for JMX RBAC.
+
+Using the `view` and `update` permissions on matches in security-settings 
provides an alternative to the authorization section in management.xml.
+Using a single security model based on addresses, with reloadable 
configuration, simplifies operation.
+
+An xref:management.adoc#artemis_rbac_mbean_server_guard[MBeanServer 
interceptor] that delegates to the broker security manager must be configured 
with a JVM system property that allows it to be added to all MBeanServers in 
the JVM.
+
+This is configured via a system property as follows:
+
+[,sh]
+----
+ java 
-Djavax.management.builder.initial=org.apache.activemq.artemis.core.server.management.ArtemisRbacMBeanServerBuilder
+----
+NOTE: When this property is provided, the authorization section of 
management.xml should be omitted as that depends on an alternative MBeanServer 
interceptor.
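
Review bot: the closing NOTE says the authorization section of management.xml "should be omitted" when the `javax.management.builder.initial` property is set, but it does not say what happens when both are present. Because this decides which access rules are actually enforced on JMX calls, state the outcome explicitly (which interceptor is in effect and whether the management.xml rules are ignored), and consider a stronger admonition than NOTE. Two smaller points in the same hunk: the heading spells "authorisation" while the body uses "authorization", and the sentence "This is configured via a system property as follows:" repeats what the preceding paragraph already said about the JVM system property, so the two can be merged.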

Review Comment:
   going with IMPORTANT, will see if there is some good place in the code to 
try and detect but I think in general, auto detection of invalid config is a 
rabbit hole. Maybe there is a use case for different MBean servers configured 
with different guards. That is possible but improbable.


