[ 
https://issues.apache.org/jira/browse/ARTEMIS-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17842364#comment-17842364
 ] 

Luís Alves commented on ARTEMIS-4582:
-------------------------------------

Thanks for the confirmation. I've already changed it to:

{code:java}
public class OpenIdConnectUserPrincipal extends UserPrincipal {
{code}

and it works as before. 

Meanwhile, I've seen that you worked on the 
[KubernetesLoginModule|https://github.com/apache/activemq-artemis/blob/b50f01b02b4c829e7330980837629951eeafb304/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/KubernetesLoginModule.java].
How does the client send the bearer token to the server?

I've created a custom factory by extending:

{code:java}
public class OAuth2ActiveMQConnectionFactory extends ActiveMQConnectionFactory
{code}

as I use OIDC tokens from Keycloak via the client_credentials flow. The custom 
factory takes care of the token refresh when it expires since, at least before, 
the user authentication was always verified. Maybe you already have something 
that works natively.



> add view and edit permissions to extend security-settings rbac for management 
> operations
> ----------------------------------------------------------------------------------------
>
>                 Key: ARTEMIS-4582
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>          Components: Broker, Configuration, JMX, Web Console
>    Affects Versions: 2.31.0
>            Reporter: Gary Tully
>            Assignee: Gary Tully
>            Priority: Major
>             Fix For: 2.33.0
>
>          Time Spent: 4h 40m
>  Remaining Estimate: 0h
>
> we have the manage permission that allows sending to the management address, 
> to access any control resource. We don't however distinguish what a user can 
> do.
> We should segment control operations into categories (CRUD provides a basis):
> - view for get/is (Read)
> - edit for set, or for operations that mutate or modify.
> We allow this sort of configuration via management.xml for jmx mbean access 
> but using a different model based on object name.
> All of the mbeans delegate to the control resources.
> If we add these two additional permissions then we can have a single rbac 
> model (that supports config reload) and more granularity on control resource 
> access from the management address.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
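The client-side factory the comment describes, written out as an added example (this is hypothetical code, not Luís Alves's factory and not part of ActiveMQ Artemis): it subclasses `ActiveMQConnectionFactory`, fetches an access token from a Keycloak-style token endpoint with the `client_credentials` grant, caches it until shortly before `expires_in` elapses, and hands the token to the broker as the JMS password. The assumptions are that the broker runs a JAAS login module that reads the password callback as a bearer token, that the token endpoint URI, client id and secret are supplied by the caller, and that the token response is a small JSON object parsed here with two regular expressions to avoid a JSON dependency. The `javax.jms` imports match `artemis-jms-client`; `artemis-jakarta-client` would use `jakarta.jms`.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.jms.Connection;
import javax.jms.JMSException;

import org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory;

/**
 * Hypothetical example, not the project's code: a connection factory that obtains an
 * OAuth2 access token with the client_credentials grant and passes it to the broker as
 * the JMS password. The broker is assumed to run a JAAS login module that treats the
 * password as a bearer token.
 */
public class OAuth2ClientCredentialsConnectionFactory extends ActiveMQConnectionFactory {

   // Minimal parsing of the token response; a real client would use a JSON library.
   private static final Pattern ACCESS_TOKEN = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"");
   private static final Pattern EXPIRES_IN = Pattern.compile("\"expires_in\"\\s*:\\s*(\\d+)");
   // Refresh this long before expiry so a connect attempt never races the token's lifetime.
   private static final Duration SKEW = Duration.ofSeconds(30);

   private final HttpClient http = HttpClient.newHttpClient();
   private final URI tokenEndpoint;   // assumed, e.g. https://keycloak.example/realms/demo/protocol/openid-connect/token
   private final String clientId;
   private final String clientSecret;

   private String cachedToken;
   private Instant expiresAt = Instant.EPOCH;

   public OAuth2ClientCredentialsConnectionFactory(String brokerUrl, URI tokenEndpoint,
                                                    String clientId, String clientSecret) {
      super(brokerUrl);
      this.tokenEndpoint = tokenEndpoint;
      this.clientId = clientId;
      this.clientSecret = clientSecret;
   }

   /** The token travels as the password; the user name is whatever the login module expects. */
   @Override
   public Connection createConnection() throws JMSException {
      return super.createConnection(clientId, currentToken());
   }

   /** Returns the cached token, fetching a fresh one when it is missing or about to expire. */
   private synchronized String currentToken() throws JMSException {
      if (cachedToken == null || Instant.now().isAfter(expiresAt.minus(SKEW))) {
         fetchToken();
      }
      return cachedToken;
   }

   private void fetchToken() throws JMSException {
      String form = "grant_type=client_credentials"
                  + "&client_id=" + URLEncoder.encode(clientId, StandardCharsets.UTF_8)
                  + "&client_secret=" + URLEncoder.encode(clientSecret, StandardCharsets.UTF_8);
      HttpRequest request = HttpRequest.newBuilder(tokenEndpoint)
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(form))
            .build();
      try {
         HttpResponse<String> response = http.send(request, HttpResponse.BodyHandlers.ofString());
         if (response.statusCode() != 200) {
            throw new JMSException("token endpoint returned HTTP " + response.statusCode());
         }
         Matcher token = ACCESS_TOKEN.matcher(response.body());
         Matcher expires = EXPIRES_IN.matcher(response.body());
         if (!token.find() || !expires.find()) {
            throw new JMSException("token response lacks access_token or expires_in");
         }
         cachedToken = token.group(1);
         expiresAt = Instant.now().plusSeconds(Long.parseLong(expires.group(1)));
      } catch (IOException e) {
         throw new JMSException("could not obtain access token: " + e.getMessage());
      } catch (InterruptedException e) {
         Thread.currentThread().interrupt();
         throw new JMSException("interrupted while obtaining access token");
      }
   }
}
```

The refresh only takes effect when a new connection is created: the broker sees the token once, at authentication time, so a long-lived connection keeps working on the credentials it presented, and it is the next `createConnection()` after expiry that picks up a fresh token. Keep the client secret out of the broker URL and out of logs; it is only ever sent to the token endpoint, which should be reached over TLS.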