[ https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=909603&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909603 ]
ASF GitHub Bot logged work on ARTEMIS-4582:
-------------------------------------------

Author: ASF GitHub Bot
Created on: 13/Mar/24 09:55
Start Date: 13/Mar/24 09:55
Worklog Time Spent: 10m
Work Description: gtully commented on code in PR #4820:
URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1522897353

##########
docs/user-manual/management.adoc:
##########
@@ -585,7 +656,32 @@ This is also configured in broker.xml: </security-setting> ---- -=== Example +==== Fine grained RBAC on management messages +There is optional RBAC on the content of the management messages sent to the management address. + +RBAC is enabled by providing a value for the attribute xref:configuration-index.adoc#management_rbac_suffix[management-rbac-suffix]. +With a `management-rbac-suffix` of `.control.` more fine-grained permissions on the management address can be configured using that suffix appended to the management address.

Review Comment:
cleared that up. using different prefixes (and prefixes for both) for match address for messages and for jmx helps clarify. they are independent. the jmx. matches handled by the mbean guard, the management messages handled by the session that receives them. the manage permission is still required and is unchanged.

Issue Time Tracking
-------------------

Worklog Id: (was: 909603)
Time Spent: 4h (was: 3h 50m)

> add view and update permissions to augment the manage rbac for control
> resources
> --------------------------------------------------------------------------------
>
> Key: ARTEMIS-4582
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: Broker, Configuration, JMX, Web Console
> Affects Versions: 2.31.0
> Reporter: Gary Tully
> Assignee: Gary Tully
> Priority: Major
> Time Spent: 4h
> Remaining Estimate: 0h
>
> we have the manage permission that allows sending to the management address,
> to access any control resource. We don't however distinguish what a user can
> do.
> We should segment control operations into categories: CRUD provides a basis
> view for get/is (Read)
> update for set or operations that mutate or modify.
> We allow this sort of configuration via management.xml for jmx mbean access
> but using a different model based on object name.
> All of the mbeans delegate to the control resources.
> If we add these two additional permissions then we can have a single rbac
> model (that supports config reload) and more granularity on control resource
> access from the management address.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
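
Review bot: In the last added line of the management.adoc hunk, "using that suffix appended to the management address" leaves the reader to work out what the resulting match address looks like and what is expected to follow the `.control.` segment; spelling out one complete match string next to that sentence would remove the guesswork. The added lines shown here also do not state that the existing `manage` permission is still required once `management-rbac-suffix` is set, nor what applies when the attribute is left unset, and because this paragraph documents an access-control switch both points deserve a sentence in the text itself rather than only in the review thread. Minor: the new heading has "Fine grained" while the body uses "fine-grained".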