gtully commented on code in PR #4820: URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1522138601
########## docs/user-manual/management.adoc: ########## @@ -362,6 +366,63 @@ The `*` access is the catch all for everything other method that isn't specifica The `default-access` element is basically the catch all for every method call that isn't handled via the `role-access` configuration. This has the same semantics as a `match` element. + +==== JMX authorisation in broker.xml +The existing xref:security.adoc#role-based-security-for-addresses[security-settings] can be used for JMX RBAC. + +Using the `view` and `update` permissions on matches in security-settings provides an alternative to the authorization section in management.xml. +Using a single security model based on addresses, with reloadable configuration, simplifies operation. + +An xref:management.adoc#artemis_rbac_mbean_server_guard[MBeanServer interceptor] that delegates to the broker security manager must be configured with a JVM system property that allows it to be added to all MBeanServers in the JVM. + +This is configured via a system property as follows: + +[,sh] +---- + java -Djavax.management.builder.initial=org.apache.activemq.artemis.core.server.management.ArtemisRbacMBeanServerBuilder +---- +NOTE: When this property is provided, the authorization section of management.xml should be omitted as that depends on an alternative MBeanServer interceptor. + +The addresses used for JMX RBAC use the `jmx.` prefix. This allows independent RBAC between messaging operations and JMX operations. + +The MBeanServer guard maps JMX MBean ObjectNames to a hierarchical address of the general form: + + jmx.<.jmx domain><.type><.component><.name>[.operation] + +NOTE: for the broker domain, the domain is omitted. + + +For example, to give the `admin` role `view` and `update` permissions on all MBeans, use the following security-setting: + +[,xml] +---- +<security-setting match="jmx.#"> + <permission type="view" roles="admin"/> + <permission type="update" roles="admin"/> +</security-setting> +---- + +To grant the `managerRole` role `view` permission to just the `activemq.management` address, target the `address` component with name `activemq.management` and with `.*` to include all operations. + +[,xml] +---- +<security-setting match="jmx.address.activemq.management.*"> + <permission type="view" roles="managerRole"/> +</security-setting> +---- + + +To ensure no user has permission to xref:management.adoc#force_failover[force a failover] using the broker (server control) MBean, use the following that defines the empty roles set for a particular mutating operation on the `broker` component: +[,xml] +---- +<security-setting match="jmx.broker.forceFailover"> + <permission type="update" roles=""/> +</security-setting> +---- + +NOTE: all attribute access `get|is[attribute]` maps to a method named getAttribute for RBAC purposes. All other operations require a literal match. Review Comment: I have made it use a literal match for attributes and operations. so it is now consistent across both. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: gitbox-unsubscr...@activemq.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
