gtully commented on code in PR #4820:
URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1522138601


##########
docs/user-manual/management.adoc:
##########
@@ -362,6 +366,63 @@ The `*` access is the catch all for everything other 
method that isn't specifica
 The `default-access` element is basically the catch all for every method call 
that isn't handled via the `role-access` configuration.
 This has the same semantics as a `match` element.
 
+
+==== JMX authorisation in broker.xml
+The existing 
xref:security.adoc#role-based-security-for-addresses[security-settings] can be 
used for JMX RBAC.
+
+Using the `view` and `update` permissions on matches in security-settings 
provides an alternative to the authorization section in management.xml.
+Using a single security model based on addresses, with reloadable 
configuration, simplifies operation.
+
+An xref:management.adoc#artemis_rbac_mbean_server_guard[MBeanServer 
interceptor] that delegates to the broker security manager must be configured 
with a JVM system property that allows it to be added to all MBeanServers in 
the JVM.
+
+This is configured via a system property as follows:
+
+[,sh]
+----
+ java 
-Djavax.management.builder.initial=org.apache.activemq.artemis.core.server.management.ArtemisRbacMBeanServerBuilder
+----
+NOTE: When this property is provided, the authorization section of 
management.xml should be omitted as that depends on an alternative MBeanServer 
interceptor.
+
+The addresses used for JMX RBAC use the `jmx.` prefix. This allows independent 
RBAC between messaging operations and JMX operations.
+
+The MBeanServer guard maps JMX MBean ObjectNames to a hierarchical address of 
the general form:
+
+     jmx.<.jmx domain><.type><.component><.name>[.operation]
+
+NOTE: for the broker domain, the domain is omitted.
+
+
+For example, to give the `admin` role `view` and `update` permissions on all 
MBeans, use the following security-setting:
+
+[,xml]
+----
+<security-setting match="jmx.#">
+   <permission type="view" roles="admin"/>
+   <permission type="update" roles="admin"/>
+</security-setting>
+----
+
+To grant the `managerRole` role `view` permission to just the 
`activemq.management` address, target the `address` component with name 
`activemq.management` and with `.*` to include all operations.
+
+[,xml]
+----
+<security-setting match="jmx.address.activemq.management.*">
+   <permission type="view" roles="managerRole"/>
+</security-setting>
+----
+
+
+To ensure no user has permission to xref:management.adoc#force_failover[force 
a failover] using the broker (server control) MBean, use the following that 
defines the empty roles set for a particular mutating operation on the `broker` 
component:
+[,xml]
+----
+<security-setting match="jmx.broker.forceFailover">
+   <permission type="update" roles=""/>
+</security-setting>
+----
+
+NOTE: all attribute access `get|is[attribute]` maps to a method named 
getAttribute for RBAC purposes. All other operations require a literal match.

Review Comment:
   I have made it use a literal match for attributes and operations. so it is 
now consistent across both.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: gitbox-unsubscr...@activemq.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to