[ https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=909875&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909875 ]
ASF GitHub Bot logged work on ARTEMIS-4582:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 14/Mar/24 12:27
Start Date: 14/Mar/24 12:27
Worklog Time Spent: 10m
Work Description: gtully commented on PR #4820:
URL: https://github.com/apache/activemq-artemis/pull/4820#issuecomment-1997338325
New thought: the two prefixes for the security settings match, jmx and
mgmt_msg, will get in the way of doing filtering of aggregate operations like
list* on a server control. Ideally your broker.listQueues query would only
return what you can view. At the level of the control, we don't know if the
call is from jmx or management messages. So a single prefix would be better.
Say management_ops, or `mops` as a default, and have a boolean to enable
more fine-grained access control for management messages; when true, it will
look for the `mops` prefix.
Issue Time Tracking
-------------------
Worklog Id: (was: 909875)
Time Spent: 4h 10m (was: 4h)
> add view and update permissions to augment the manage rbac for control
> resources
> --------------------------------------------------------------------------------
>
> Key: ARTEMIS-4582
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: Broker, Configuration, JMX, Web Console
> Affects Versions: 2.31.0
> Reporter: Gary Tully
> Assignee: Gary Tully
> Priority: Major
> Time Spent: 4h 10m
> Remaining Estimate: 0h
>
> We have the manage permission that allows sending to the management address,
> to access any control resource. We don't, however, distinguish what a user can
> do.
> We should segment control operations into categories; CRUD provides a basis:
>   view for get/is (Read)
>   update for set or operations that mutate or modify.
> We allow this sort of configuration via management.xml for jmx mbean access
> but using a different model based on object name.
> All of the mbeans delegate to the control resources.
> If we add these two additional permissions then we can have a single rbac
> model (that supports config reload) and more granularity on control resource
> access from the management address.
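The single-prefix idea from the comment above, as an added sketch that is not Artemis code or code from the PR: one check at the control serves both JMX and management-message callers, so an aggregate call such as listQueues can be filtered by view permission. The address layout `mops.<resource>.<operation>`, the trailing-`#` matcher, the roles, the queue names, the `purge` operation and the treatment of list* as a view operation are all assumptions.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

// Added illustration only; every name below is hypothetical, not the Artemis API.
public class MopsRbacSketch {
    enum Permission { VIEW, UPDATE }

    static final String PREFIX = "mops"; // single prefix, as suggested in the comment

    // Constructed settings: match -> permission -> roles. The matches do not
    // overlap, so no most-specific-match ordering is modelled here.
    static final Map<String, Map<Permission, Set<String>>> SETTINGS = Map.of(
        "mops.broker.#", Map.of(Permission.VIEW, Set.of("ops", "audit")),
        "mops.queue.orders.#", Map.of(Permission.VIEW, Set.of("ops", "audit"),
                                      Permission.UPDATE, Set.of("ops")),
        "mops.queue.payroll.#", Map.of(Permission.VIEW, Set.of("ops")));

    // get/is read state (view); everything else is assumed to mutate (update).
    // Counting list* as a read is an assumption made for this sketch.
    static Permission required(String op) {
        boolean read = op.startsWith("get") || op.startsWith("is") || op.startsWith("list");
        return read ? Permission.VIEW : Permission.UPDATE;
    }

    // Simplified matcher: exact match, or a trailing "#" matching any remainder.
    static boolean matches(String pattern, String address) {
        return pattern.endsWith(".#")
            ? address.startsWith(pattern.substring(0, pattern.length() - 1))
            : pattern.equals(address);
    }

    // The check made at the control; it has no knowledge of the calling transport.
    static boolean allowed(String role, String resource, String op) {
        String address = PREFIX + "." + resource + "." + op;
        Permission needed = required(op);
        return SETTINGS.entrySet().stream()
            .filter(e -> matches(e.getKey(), address))
            .anyMatch(e -> e.getValue().getOrDefault(needed, Set.of()).contains(role));
    }

    // Aggregate operation: the caller sees only the queues it may view.
    static List<String> listQueues(String role, List<String> allQueues) {
        if (!allowed(role, "broker", "listQueues")) {
            throw new SecurityException(role + " may not call listQueues");
        }
        return allQueues.stream()
            .filter(q -> allowed(role, "queue." + q, "getName"))
            .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        List<String> queues = List.of("orders", "payroll"); // constructed sample data
        System.out.println("ops sees " + listQueues("ops", queues));
        System.out.println("audit sees " + listQueues("audit", queues));
        System.out.println("audit may purge orders: " + allowed("audit", "queue.orders", "purge"));
    }
}
```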