[jira] [Comment Edited] (ARTEMIS-4582) add read and update permissions to augment the manage rbac for control resources

Wed, 31 Jan 2024 03:09:03 -0800 


    [ 
https://issues.apache.org/jira/browse/ARTEMIS-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17810455#comment-17810455
 ] 

Gary Tully edited comment on ARTEMIS-4582 at 1/31/24 11:08 AM:
---------------------------------------------------------------

existing permissions: 
[https://activemq.apache.org/components/artemis/documentation/latest/security.html#role-based-security-for-addresses]

 

something like:

{{<?xml version="1.0"?>
<security-settings xmlns="urn:activemq:core">
    <security-setting match="#">
        <permission roles="amq" type="createNonDurableQueue"/>

        ....
        <permission roles="admin" type="manage"/>
    </security-setting>
    <security-setting match="activemq.management.control.queue.forJoe">
         <permission roles="joe" type="read"/>
         <permission roles="joe" type="update"/>
   </security-setting>
</security-settings>}}


was (Author: gtully):
existing permissions: 
[https://activemq.apache.org/components/artemis/documentation/latest/security.html#role-based-security-for-addresses]

 

something like:

{{<?xml version="1.0"?>
<security-settings xmlns="urn:activemq:core">
    <security-setting match="#">
        <permission roles="amq" type="createNonDurableQueue"/>

        ....
        <permission roles="admin" type="manage"/>
    </security-setting>
    <security-setting match="manage.queue.forJoe">
         <permission roles="joe" type="read"/>
         <permission roles="joe" type="update"/>
   </security-setting>
</security-settings>}}

> add read and update permissions to augment the manage rbac for control 
> resources
> --------------------------------------------------------------------------------
>
>                 Key: ARTEMIS-4582
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>          Components: Broker, Configuration, JMX, Web Console
>    Affects Versions: 2.31.0
>            Reporter: Gary Tully
>            Priority: Major
>
> we have the manage permission that allows sending to the management address, 
> to access any control resource.
> We should segment control operations into categories: CRUD provides a basis
> view for get/is (Read)
> edit for set (Update)
> manage for aggregate operations list*  and Create, Delete) also implying both 
> view & edit
>  
> We allow this sort of configuration via management.xml for jmx mbean access 
> but using a different model based on object name.
> All of the mbeans delegate to the control resources.
>  
> If we add these two additional permissions then we can have a single rbac 
> model (that supports config reload) and more granularity on control resource 
> access from the management address.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to