[ 
https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=909170&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909170
 ]

ASF GitHub Bot logged work on ARTEMIS-4582:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 11/Mar/24 11:36
            Start Date: 11/Mar/24 11:36
    Worklog Time Spent: 10m 
      Work Description: gtully commented on code in PR #4820:
URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1519575016


##########
artemis-core-client/src/main/java/org/apache/activemq/artemis/core/security/Role.java:
##########
@@ -109,6 +115,22 @@ public Role(final String name,
                final boolean browse,
                final boolean createAddress,
                final boolean deleteAddress) {
+      this(name, send, consume, createDurableQueue, deleteDurableQueue, 
createNonDurableQueue, deleteNonDurableQueue, manage, browse, createAddress, 
deleteAddress, false, false);
+   }
+
+   public Role(final String name,
+               final boolean send,
+               final boolean consume,
+               final boolean createDurableQueue,
+               final boolean deleteDurableQueue,
+               final boolean createNonDurableQueue,
+               final boolean deleteNonDurableQueue,
+               final boolean manage,
+               final boolean browse,
+               final boolean createAddress,
+               final boolean deleteAddress,
+               final boolean view,
+               final boolean update) {
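
Review bot: the new 13-argument constructor ending in `final boolean view, final boolean update` has no Javadoc, and with twelve positional booleans a transposed argument at a call site still compiles and silently grants the wrong permission. Please document each flag, and note on the existing constructor that it delegates with `false, false`, so any role built through it carries neither view nor update. A builder or a set of permission enums would make call sites self-describing, if a different construction style is acceptable for this class.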

Review Comment:
   The view and update permissions are not checked by default, so the manage 
permission is sufficient as it is today. manage is very specific: it controls 
whether a message consumed from the management address is applied to the 
registered control objects or rejected. 
   Only if the broker is configured to check for the presence of view or update 
for more fine-grained RBAC on the management address messages, then the user 
will need to configure those permissions.





Issue Time Tracking
-------------------

    Worklog Id:     (was: 909170)
    Time Spent: 2h 10m  (was: 2h)

> add view and update permissions to augment the manage rbac for control 
> resources
> --------------------------------------------------------------------------------
>
>                 Key: ARTEMIS-4582
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>          Components: Broker, Configuration, JMX, Web Console
>    Affects Versions: 2.31.0
>            Reporter: Gary Tully
>            Assignee: Gary Tully
>            Priority: Major
>          Time Spent: 2h 10m
>  Remaining Estimate: 0h
>
> We have the manage permission that allows sending to the management address, 
> to access any control resource. We don't, however, distinguish what a user can 
> do.
> We should segment control operations into categories; CRUD provides a basis:
> view for get/is (Read)
> update for set or operations that mutate or modify.
> We allow this sort of configuration via management.xml for JMX MBean access, 
> but using a different model based on object name.
> All of the MBeans delegate to the control resources.
> If we add these two additional permissions then we can have a single RBAC 
> model (that supports config reload) and more granularity on control resource 
> access from the management address.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
