[ https://issues.apache.org/jira/browse/ARTEMIS-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17810455#comment-17810455 ]
Gary Tully commented on ARTEMIS-4582: ------------------------------------- existing permissions: [https://activemq.apache.org/components/artemis/documentation/latest/security.html#role-based-security-for-addresses] something like: {{<?xml version="1.0"?> <security-settings xmlns="urn:activemq:core"> <security-setting match="#"> <permission roles="amq" type="createNonDurableQueue"/> .... <permission roles="admin" type="manage"/> </security-setting> <security-setting match="forJoe"> <permission roles="joe" type="view"/> <permission roles="joe" type="update"/> </security-setting> </security-settings>}} > add view and edit permissions to augment the manage rbac for control resources > ------------------------------------------------------------------------------ > > Key: ARTEMIS-4582 > URL: https://issues.apache.org/jira/browse/ARTEMIS-4582 > Project: ActiveMQ Artemis > Issue Type: Improvement > Components: Broker, Configuration, JMX, Web Console > Affects Versions: 2.31.0 > Reporter: Gary Tully > Priority: Major > > we have the manage permission that allows sending to the management address, > to access any control resource. > We should segment control operations into categories: CRUD provides a basis > view for get/is (Read) > edit for set (Update) > manage for aggregate operations list* and Create, Delete) also implying both > view & edit > > We allow this sort of configuration via management.xml for jmx mbean access > but using a different model based on object name. > All of the mbeans delegate to the control resources. > > If we add these two additional permissions then we can have a single rbac > model (that supports config reload) and more granularity on control resource > access from the management address. -- This message was sent by Atlassian Jira (v8.20.10#820010)