[jira] [Comment Edited] (ARTEMIS-4582) add read and update permissions to augment the manage rbac for control resources
[ https://issues.apache.org/jira/browse/ARTEMIS-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17810460#comment-17810460 ]

Gary Tully edited comment on ARTEMIS-4582 at 1/31/24 11:10 AM:
---

The control resources are registered using prefixes, such that they are available for dynamic invocation, something like server control is registered under "broker" using the management address as the root, permissions on activemq.management.control.broker would be used to configure permissions on the servercontrol etc. Where operations are on queuecontrol the actual queue name would be part of the key.

was (Author: gtully):
The control resources are registered using prefixes, such that they are available for dynamic invocation, something like sever control is registered under "broker" using the management address as the root, permissions on management.broker would be used to configure permissions on the servercontroll etc. Where operations are on queuecontroll the actual queue would be used.

> add read and update permissions to augment the manage rbac for control
> resources
>
>
> Key: ARTEMIS-4582
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: Broker, Configuration, JMX, Web Console
> Affects Versions: 2.31.0
> Reporter: Gary Tully
> Priority: Major
>
> we have the manage permission that allows sending to the management address,
> to access any control resource.
> We should segment control operations into categories: CRUD provides a basis
> view for get/is (Read)
> edit for set (Update)
> manage for aggregate operations list* and Create, Delete) also implying both
> view & edit
>
> We allow this sort of configuration via management.xml for jmx mbean access
> but using a different model based on object name.
> All of the mbeans delegate to the control resources.
>
> If we add these two additional permissions then we can have a single rbac
> model (that supports config reload) and more granularity on control resource
> access from the management address.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
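The categorisation proposed in the issue (get/is needs view, set needs edit, everything else needs manage, with manage implying both), sketched as an added example; it is not part of the original message and not Artemis code. The `.queue.<name>` key layout, the class and method names, the upper-case check after the prefix, and the sample operation names and grants are assumptions made for illustration.

```java
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;

public class ControlRbacSketch {
    enum Permission { VIEW, EDIT, MANAGE }

    // Root as written in the comment above; how the queue name is appended is an assumption.
    static final String ROOT = "activemq.management.control.";

    // Derive the required permission from the operation name:
    // get*/is* -> view, set* -> edit, anything else (list*, create*, delete*, ...) -> manage.
    static Permission required(String operation) {
        if (hasPrefix(operation, "get") || hasPrefix(operation, "is")) return Permission.VIEW;
        if (hasPrefix(operation, "set")) return Permission.EDIT;
        return Permission.MANAGE;
    }

    // Assumption: the prefix must be followed by an upper-case letter, so that an
    // operation such as "issueToken" or "settle" does not fall into view/edit by accident.
    static boolean hasPrefix(String op, String prefix) {
        return op.length() > prefix.length() && op.startsWith(prefix)
                && Character.isUpperCase(op.charAt(prefix.length()));
    }

    // Key for a control resource; the resource name (e.g. a queue name) is part of the key.
    static String key(String control, String resourceName) {
        return resourceName == null ? ROOT + control : ROOT + control + "." + resourceName;
    }

    // manage implies view and edit; a key with no grant is denied.
    static boolean allowed(Map<String, Set<Permission>> grants, String key, String operation) {
        Set<Permission> held = grants.getOrDefault(key, EnumSet.noneOf(Permission.class));
        return held.contains(Permission.MANAGE) || held.contains(required(operation));
    }

    public static void main(String[] args) {
        // Constructed grants for one hypothetical monitoring role.
        Map<String, Set<Permission>> monitor = Map.of(
                key("broker", null), EnumSet.of(Permission.VIEW),
                key("queue", "orders"), EnumSet.of(Permission.MANAGE));
        String[][] requests = {
                {key("broker", null), "getVersion"},            // read on the server control
                {key("broker", null), "listQueues"},            // aggregate operation
                {key("queue", "orders"), "removeAllMessages"},  // manage on one queue
                {key("queue", "billing"), "getMessageCount"}};  // no grant for this queue
        for (String[] r : requests) {
            System.out.println(r[0] + " " + r[1] + " needs " + required(r[1])
                    + " allowed=" + allowed(monitor, r[0], r[1]));
        }
    }
}
```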
[jira] [Comment Edited] (ARTEMIS-4582) add read and update permissions to augment the manage rbac for control resources
[ https://issues.apache.org/jira/browse/ARTEMIS-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17810455#comment-17810455 ]

Gary Tully edited comment on ARTEMIS-4582 at 1/31/24 11:08 AM:
---

existing permissions: [https://activemq.apache.org/components/artemis/documentation/latest/security.html#role-based-security-for-addresses]

something like:

{{ }}

was (Author: gtully):
existing permissions: [https://activemq.apache.org/components/artemis/documentation/latest/security.html#role-based-security-for-addresses]

something like:

{{ }}
[jira] [Comment Edited] (ARTEMIS-4582) add read and update permissions to augment the manage rbac for control resources
[ https://issues.apache.org/jira/browse/ARTEMIS-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17810455#comment-17810455 ]

Gary Tully edited comment on ARTEMIS-4582 at 1/25/24 2:38 PM:
--

existing permissions: [https://activemq.apache.org/components/artemis/documentation/latest/security.html#role-based-security-for-addresses]

something like:

{{ }}

was (Author: gtully):
existing permissions: [https://activemq.apache.org/components/artemis/documentation/latest/security.html#role-based-security-for-addresses]

something like:

{{ }}
[jira] [Comment Edited] (ARTEMIS-4582) add read and update permissions to augment the manage rbac for control resources
[ https://issues.apache.org/jira/browse/ARTEMIS-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17810455#comment-17810455 ]

Gary Tully edited comment on ARTEMIS-4582 at 1/24/24 3:25 PM:
--

existing permissions: [https://activemq.apache.org/components/artemis/documentation/latest/security.html#role-based-security-for-addresses]

something like:

{{ }}

was (Author: gtully):
existing permissions: [https://activemq.apache.org/components/artemis/documentation/latest/security.html#role-based-security-for-addresses]

something like:

{{ }}