Gary Tully created ARTEMIS-5958:
-----------------------------------

             Summary: ArtemisRbacInvocationHandler removeIfNoPermssion is costly
                 Key: ARTEMIS-5958
                 URL: https://issues.apache.org/jira/browse/ARTEMIS-5958
             Project: Artemis
          Issue Type: Improvement
          Components: JMX
    Affects Versions: 2.53.0
            Reporter: Gary Tully


The ArtemisRbacInvocationHandler limits queries based on the view permissions of 
the returned mbean object names.

 

[https://github.com/apache/artemis/blob/main/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/ArtemisRbacInvocationHandler.java#L99]

 

This filter uses the security store check method. This check is typically 
expected to succeed so is coded to error with an audit log and exception when 
it fails. This is not ideal for the remove check, both noisy and costly.

 

In the filter case, we want to remove entries to avoid future calls that will 
fail with this check when actually invoked.

 

I think the security store needs a new api, bool hasPermission(...) that will 
return a true or false, the actual check that throws can be implemented over 
that to keep a single code path.

There are two existing use cases that will benefit. The jolokia integration 
that provides the permission bit on the mbean info descriptions and the jmx 
mbean server guard interceptor that does rbac.

  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
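
The layering proposed in the issue, as an added sketch that is not Artemis code and not from the reporter: a non-throwing predicate, a throwing and audited check built on it, and a query filter that uses only the predicate. The class name, method signatures, the `VIEW` map and the `example.broker` object names are hypothetical; the sample data is constructed.

```java
import java.util.*;
import javax.management.ObjectName;

// Hypothetical sketch: names and signatures here are illustrative, not Artemis APIs.
public class HasPermissionSketch {
    static int auditEvents = 0; // stands in for the audit log

    // user -> ObjectName patterns the user may view (constructed sample data)
    static final Map<String, List<ObjectName>> VIEW = new HashMap<>();

    // Non-throwing predicate: no audit entry and no exception on denial.
    static boolean hasPermission(String user, ObjectName name) {
        for (ObjectName pattern : VIEW.getOrDefault(user, List.of())) {
            if (pattern.apply(name)) return true;
        }
        return false;
    }

    // Throwing check layered on the predicate, so there is one decision path.
    static void check(String user, ObjectName name) {
        if (!hasPermission(user, name)) {
            auditEvents++; // a denied invocation is still audited
            throw new SecurityException(user + " may not view " + name);
        }
    }

    // Query filter: drops names the caller cannot view, without audit noise.
    static Set<ObjectName> filter(String user, Set<ObjectName> names) {
        Set<ObjectName> visible = new LinkedHashSet<>(names);
        visible.removeIf(n -> !hasPermission(user, n));
        return visible;
    }

    public static void main(String[] args) throws Exception {
        VIEW.put("ops", List.of(new ObjectName("example.broker:type=queue,name=orders,*")));
        Set<ObjectName> queryResult = new LinkedHashSet<>(List.of(
            new ObjectName("example.broker:type=queue,name=orders"),
            new ObjectName("example.broker:type=queue,name=payroll")));
        // Filtering removes the payroll entry and records no audit event.
        System.out.println(filter("ops", queryResult) + " auditEvents=" + auditEvents);
        try {
            check("ops", new ObjectName("example.broker:type=queue,name=payroll"));
        } catch (SecurityException e) {
            // A direct invocation is denied loudly: one audit event, one exception.
            System.out.println("denied, auditEvents=" + auditEvents);
        }
    }
}
```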
