[
https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=909508&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909508
]
ASF GitHub Bot logged work on ARTEMIS-4582:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 12/Mar/24 21:29
Start Date: 12/Mar/24 21:29
Worklog Time Spent: 10m
Work Description: gtully commented on code in PR #4820:
URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1522138601
##########
docs/user-manual/management.adoc:
##########
@@ -362,6 +366,63 @@ The `*` access is the catch all for everything other
method that isn't specifica
The `default-access` element is basically the catch all for every method call
that isn't handled via the `role-access` configuration.
This has the same semantics as a `match` element.
+
+==== JMX authorisation in broker.xml
+The existing
xref:security.adoc#role-based-security-for-addresses[security-settings] can be
used for JMX RBAC.
+
+Using the `view` and `update` permissions on matches in security-settings
provides an alternative to the authorization section in management.xml.
+Using a single security model based on addresses, with reloadable
configuration, simplifies operation.
+
+An xref:management.adoc#artemis_rbac_mbean_server_guard[MBeanServer
interceptor] that delegates to the broker security manager must be configured
with a JVM system property that allows it to be added to all MBeanServers in
the JVM.
+
+This is configured via a system property as follows:
+
+[,sh]
+----
+ java
-Djavax.management.builder.initial=org.apache.activemq.artemis.core.server.management.ArtemisRbacMBeanServerBuilder
+----
+NOTE: When this property is provided, the authorization section of
management.xml should be omitted as that depends on an alternative MBeanServer
interceptor.
+
+The addresses used for JMX RBAC use the `jmx.` prefix. This allows independent
RBAC between messaging operations and JMX operations.
+
+The MBeanServer guard maps JMX MBean ObjectNames to a hierarchical address of
the general form:
+
+ jmx.<.jmx domain><.type><.component><.name>[.operation]
+
+NOTE: for the broker domain, the domain is omitted.
+
+
+For example, to give the `admin` role `view` and `update` permissions on all
MBeans, use the following security-setting:
+
+[,xml]
+----
+<security-setting match="jmx.#">
+ <permission type="view" roles="admin"/>
+ <permission type="update" roles="admin"/>
+</security-setting>
+----
+
+To grant the `managerRole` role `view` permission to just the
`activemq.management` address, target the `address` component with name
`activemq.management` and with `.*` to include all operations.
+
+[,xml]
+----
+<security-setting match="jmx.address.activemq.management.*">
+ <permission type="view" roles="managerRole"/>
+</security-setting>
+----
+
+
+To ensure no user has permission to xref:management.adoc#force_failover[force
a failover] using the broker (server control) MBean, use the following that
defines the empty roles set for a particular mutating operation on the `broker`
component:
+[,xml]
+----
+<security-setting match="jmx.broker.forceFailover">
+ <permission type="update" roles=""/>
+</security-setting>
+----
+
+NOTE: all attribute access `get|is[attribute]` maps to a method named
getAttribute for RBAC purposes. All other operations require a literal match.
Review Comment:
I have made it use a literal match for attributes and operations. so it is
now consistent across both.
Issue Time Tracking
-------------------
Worklog Id: (was: 909508)
Time Spent: 3h 50m (was: 3h 40m)
> add view and update permissions to augment the manage rbac for control
> resources
> --------------------------------------------------------------------------------
>
> Key: ARTEMIS-4582
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: Broker, Configuration, JMX, Web Console
> Affects Versions: 2.31.0
> Reporter: Gary Tully
> Assignee: Gary Tully
> Priority: Major
> Time Spent: 3h 50m
> Remaining Estimate: 0h
>
> we have the manage permission that allows sending to the management address,
> to access any control resource. We don't however distinguish what a user can
> do.
> We should segment control operations into categories: CRUD provides a basis
> view for get/is (Read)
> update for set or operations that mutate or modify.
> We allow this sort of configuration via management.xml for jmx mbean access
> but using a different model based on object name.
> All of the mbeans delegate to the control resources.
> If we add these two additional permissions then we can have a single rbac
> model (that supports config reload) and more granularity on control resource
> access from the management address.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
