[ 
https://issues.apache.org/jira/browse/ARTEMIS-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17842421#comment-17842421
 ] 

Gary Tully commented on ARTEMIS-4582:
-------------------------------------

Probably better to chat on the dev list. The token is passed as a password 
string in normal plain credentials over TLS mode; the user is ignored. 
Kubernetes will manage refresh. The other use case is the console when it can 
present its bearer token.

Having a wrapper factory do the refresh can make sense, if it can use mTLS or 
something else that avoids plain credentials when talking to the token provider. 

In terms of OIDC, there was a recent addition in hawtio that may be worth 
peeking at; it may do what you need. I think we need to pull that into Artemis 
at some stage:

https://github.com/hawtio/hawtio/blob/4.x/hawtio-system/src/main/java/io/hawt/web/auth/oidc/OidcLoginModule.java


> add view and edit permissions to extend security-settings rbac for management 
> operations
> ----------------------------------------------------------------------------------------
>
>                 Key: ARTEMIS-4582
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>          Components: Broker, Configuration, JMX, Web Console
>    Affects Versions: 2.31.0
>            Reporter: Gary Tully
>            Assignee: Gary Tully
>            Priority: Major
>             Fix For: 2.33.0
>
>          Time Spent: 4h 40m
>  Remaining Estimate: 0h
>
> We have the manage permission that allows sending to the management address, 
> to access any control resource. We don't, however, distinguish what a user can 
> do.
> We should segment control operations into categories. CRUD provides a basis:
> - view for get/is (Read)
> - edit for set or operations that mutate or modify.
> We allow this sort of configuration via management.xml for JMX MBean access, 
> but using a different model based on object name.
> All of the MBeans delegate to the control resources.
> If we add these two additional permissions then we can have a single RBAC 
> model (that supports config reload) and more granularity on control resource 
> access from the management address.
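The view/edit split described in the issue, as an added illustration that is not Artemis code: operation names starting with get/is are classified as read-only ("view"), everything else as mutating ("edit"), and the existing "manage" permission keeps granting every control operation. The role map shape, role names and operation names are assumptions for the example.

```python
# Added example (not from Artemis): classify a control operation into the
# "view"/"edit" categories proposed in ARTEMIS-4582 and check it against a
# security-settings-style permission -> roles map.
import re
from typing import Dict, Set

# Assumed naming rule from the ticket: get*/is* are reads, the rest mutate.
_VIEW_PATTERN = re.compile(r"^(get|is)[A-Z]")


def classify_operation(operation: str) -> str:
    """Return 'view' for getters and is-predicates, otherwise 'edit'."""
    return "view" if _VIEW_PATTERN.match(operation) else "edit"


def is_authorized(user_roles: Set[str],
                  setting: Dict[str, Set[str]],
                  operation: str) -> bool:
    """Authorize `operation` for a user holding `user_roles`.

    `setting` mirrors one security-setting block: permission type -> roles.
    The pre-existing 'manage' permission still grants any control operation;
    the finer view/edit permissions only widen access for roles that lack it.
    """
    if user_roles & setting.get("manage", set()):
        return True
    needed = classify_operation(operation)
    return bool(user_roles & setting.get(needed, set()))


# Constructed sample security-setting for the management address (assumption).
MANAGEMENT_SETTING = {
    "manage": {"admin"},
    "view": {"admin", "monitor", "operator"},
    "edit": {"admin", "operator"},
}

if __name__ == "__main__":
    for roles, op in (({"monitor"}, "getMessageCount"),
                      ({"monitor"}, "pause"),
                      ({"operator"}, "pause")):
        print(roles, op, classify_operation(op), is_authorized(roles, MANAGEMENT_SETTING, op))
```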



--
This message was sent by Atlassian Jira
(v8.20.10#820010)