[
https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=909226&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909226
]
ASF GitHub Bot logged work on ARTEMIS-4582:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 11/Mar/24 15:04
Start Date: 11/Mar/24 15:04
Worklog Time Spent: 10m
Work Description: gtully commented on code in PR #4820:
URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1519877310
##########
docs/user-manual/security.adoc:
##########
@@ -68,6 +68,14 @@ This permission allows the user to browse a queue bound to
the matching address.
manage::
This permission allows the user to invoke management operations by sending
management messages to the management address.
+The following two permissions pertain to operations on the management apis of
the broker. They split management operations into two sets, read only for
`view`, and `update` for mutating operations. The split is controlled by a
regular expression. Methods that match will require the `view` permission, all
others require `update`. The regular expression can be modified through the
configuration attribute `view-permission-method-match-pattern`. These
permissions are applicable using a suffix on the management address, and with a
`jmx.` prefix for MBean access.
+
+view::
+This permission allows access to a read-only subset of management operations.
+
+update::
+This permission allows access to the mutating management operations, any
operation not in the `view` set.
+
Review Comment:
thanks, linking in to other two sections.
Issue Time Tracking
-------------------
Worklog Id: (was: 909226)
Time Spent: 3.5h (was: 3h 20m)
> add view and update permissions to augment the manage rbac for control
> resources
> --------------------------------------------------------------------------------
>
> Key: ARTEMIS-4582
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: Broker, Configuration, JMX, Web Console
> Affects Versions: 2.31.0
> Reporter: Gary Tully
> Assignee: Gary Tully
> Priority: Major
> Time Spent: 3.5h
> Remaining Estimate: 0h
>
> we have the manage permission that allows sending to the management address,
> to access any control resource. We don't however distinguish what a user can
> do.
> We should segment control operations into categories: CRUD provides a basis
> view for get/is (Read)
> update for set or operations that mutate or modify.
> We allow this sort of configuration via management.xml for jmx mbean access
> but using a different model based on object name.
> All of the mbeans delegate to the control resources.
> If we add these two additional permissions then we can have a single rbac
> model (that supports config reload) and more granularity on control resource
> access from the management address.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
