[ https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=906991&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-906991 ]

ASF GitHub Bot logged work on ARTEMIS-4582:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 26/Feb/24 16:31
            Start Date: 26/Feb/24 16:31
    Worklog Time Spent: 10m 
      Work Description: gtully commented on PR #4820:
URL: https://github.com/apache/activemq-artemis/pull/4820#issuecomment-1964585246

   One challenge is keeping things simple, but also this needs to be 
independent. The VIEW and UPDATE permissions are applicable to both management 
messages on the activemq.management address and on MBean access from JMX and 
the console, where operations on particular MBeans should be locked down.
   
   This means that I cannot reuse security settings for addresses and queues 
and need to isolate the two entry points.
   
   A postfix on the activemq.management address for management messages, such 
that a match of activemq.management.control.# will give full access.
   
   And a prefix of jmx for MBean access, e.g.:
    jmx.broker.# // for all broker control operations
    jmx.addresses.activemq.management.pause // for the pause operation on a particular address




Issue Time Tracking
-------------------

    Worklog Id:     (was: 906991)
    Time Spent: 50m  (was: 40m)

> add view and update permissions to augment the manage rbac for control 
> resources
> --------------------------------------------------------------------------------
>
>                 Key: ARTEMIS-4582
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>          Components: Broker, Configuration, JMX, Web Console
>    Affects Versions: 2.31.0
>            Reporter: Gary Tully
>            Assignee: Gary Tully
>            Priority: Major
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> We have the manage permission that allows sending to the management address, 
> to access any control resource. We don't, however, distinguish what a user can 
> do.
> We should segment control operations into categories: CRUD provides a basis
> view for get/is (Read)
> update for set or operations that mutate or modify.
> We allow this sort of configuration via management.xml for jmx mbean access 
> but using a different model based on object name.
> All of the mbeans delegate to the control resources.
> If we add these two additional permissions then we can have a single rbac 
> model (that supports config reload) and more granularity on control resource 
> access from the management address.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
