[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[ https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=909876=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909876 ] ASF GitHub Bot logged work on ARTEMIS-4582: --- Author: ASF GitHub Bot Created on: 14/Mar/24 12:30 Start Date: 14/Mar/24 12:30 Worklog Time Spent: 10m Work Description: gtully commented on PR #4820: URL: https://github.com/apache/activemq-artemis/pull/4820#issuecomment-1997343935 And on update, there is a case for suggesting a publisher would need the update permission on an address to send a message, or a consumer could be updating by acking. It is not clear that the update permission is about management. Something like `edit` is less ambiguous, considering all the other perms are about messaging. I think i am replacing update with edit. Issue Time Tracking --- Worklog Id: (was: 909876) Time Spent: 4h 20m (was: 4h 10m) > add view and update permissions to augment the manage rbac for control > resources > > > Key: ARTEMIS-4582 > URL: https://issues.apache.org/jira/browse/ARTEMIS-4582 > Project: ActiveMQ Artemis > Issue Type: Improvement > Components: Broker, Configuration, JMX, Web Console >Affects Versions: 2.31.0 >Reporter: Gary Tully >Assignee: Gary Tully >Priority: Major > Time Spent: 4h 20m > Remaining Estimate: 0h > > we have the manage permission that allows sending to the management address, > to access any control resource. We don't however distinguish what a user can > do. > We should segment control operations into categories: CRUD provides a basis > view for get/is (Read) > update for set or operations that mutate or modify. > We allow this sort of configuration via management.xml for jmx mbean access > but using a different model based on object name. > All of the mbeans delegate to the control resources. > If we add these two additional permissions then we can have a single rbac > model (that supports config reload) and more granularity on control resource > access from the management address. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[ https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=909875=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909875 ] ASF GitHub Bot logged work on ARTEMIS-4582: --- Author: ASF GitHub Bot Created on: 14/Mar/24 12:27 Start Date: 14/Mar/24 12:27 Worklog Time Spent: 10m Work Description: gtully commented on PR #4820: URL: https://github.com/apache/activemq-artemis/pull/4820#issuecomment-1997338325 new thought, the two prefixes for the security settings match, jmx and mgmt_msg will get in the way of doing filtering of aggregate operations like list* on a server control. Ideally your broker.listQueues query would only return what you can view. At the level of the control, we don't know if the call is from jmx or management messages. So a single prefix would be better. Say management_ops, or `mops` as a default, and have a boolean to enable more fine grained access control for management messages, when true, it will look for the `mops` prefix. Issue Time Tracking --- Worklog Id: (was: 909875) Time Spent: 4h 10m (was: 4h) > add view and update permissions to augment the manage rbac for control > resources > > > Key: ARTEMIS-4582 > URL: https://issues.apache.org/jira/browse/ARTEMIS-4582 > Project: ActiveMQ Artemis > Issue Type: Improvement > Components: Broker, Configuration, JMX, Web Console >Affects Versions: 2.31.0 >Reporter: Gary Tully >Assignee: Gary Tully >Priority: Major > Time Spent: 4h 10m > Remaining Estimate: 0h > > we have the manage permission that allows sending to the management address, > to access any control resource. We don't however distinguish what a user can > do. > We should segment control operations into categories: CRUD provides a basis > view for get/is (Read) > update for set or operations that mutate or modify. > We allow this sort of configuration via management.xml for jmx mbean access > but using a different model based on object name. > All of the mbeans delegate to the control resources. > If we add these two additional permissions then we can have a single rbac > model (that supports config reload) and more granularity on control resource > access from the management address. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[ https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=909603=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909603 ] ASF GitHub Bot logged work on ARTEMIS-4582: --- Author: ASF GitHub Bot Created on: 13/Mar/24 09:55 Start Date: 13/Mar/24 09:55 Worklog Time Spent: 10m Work Description: gtully commented on code in PR #4820: URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1522897353 ## docs/user-manual/management.adoc: ## @@ -585,7 +656,32 @@ This is also configured in broker.xml: -=== Example + Fine grained RBAC on management messages +There is optional RBAC on the content of the management messages sent to the management address. + +RBAC is enabled by providing a value for the attribute xref:configuration-index.adoc#management_rbac_suffix[management-rbac-suffix]. +With a `management-rbac-suffix` of `.control.` more fine-grained permissions on the management address can be configured using that suffix appended to the management address. Review Comment: cleared that up. using different prefixes (and prefixes for both) for match address for messages and for jmx helps clarify. they are independent. the jmx. matches handled by the mbean guard, the management messages handled by the session that receives them. the manage permission is still required and is unchanged. Issue Time Tracking --- Worklog Id: (was: 909603) Time Spent: 4h (was: 3h 50m) > add view and update permissions to augment the manage rbac for control > resources > > > Key: ARTEMIS-4582 > URL: https://issues.apache.org/jira/browse/ARTEMIS-4582 > Project: ActiveMQ Artemis > Issue Type: Improvement > Components: Broker, Configuration, JMX, Web Console >Affects Versions: 2.31.0 >Reporter: Gary Tully >Assignee: Gary Tully >Priority: Major > Time Spent: 4h > Remaining Estimate: 0h > > we have the manage permission that allows sending to the management address, > to access any control resource. We don't however distinguish what a user can > do. > We should segment control operations into categories: CRUD provides a basis > view for get/is (Read) > update for set or operations that mutate or modify. > We allow this sort of configuration via management.xml for jmx mbean access > but using a different model based on object name. > All of the mbeans delegate to the control resources. > If we add these two additional permissions then we can have a single rbac > model (that supports config reload) and more granularity on control resource > access from the management address. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[ https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=909508=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909508 ] ASF GitHub Bot logged work on ARTEMIS-4582: --- Author: ASF GitHub Bot Created on: 12/Mar/24 21:29 Start Date: 12/Mar/24 21:29 Worklog Time Spent: 10m Work Description: gtully commented on code in PR #4820: URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1522138601 ## docs/user-manual/management.adoc: ## @@ -362,6 +366,63 @@ The `*` access is the catch all for everything other method that isn't specifica The `default-access` element is basically the catch all for every method call that isn't handled via the `role-access` configuration. This has the same semantics as a `match` element. + + JMX authorisation in broker.xml +The existing xref:security.adoc#role-based-security-for-addresses[security-settings] can be used for JMX RBAC. + +Using the `view` and `update` permissions on matches in security-settings provides an alternative to the authorization section in management.xml. +Using a single security model based on addresses, with reloadable configuration, simplifies operation. + +An xref:management.adoc#artemis_rbac_mbean_server_guard[MBeanServer interceptor] that delegates to the broker security manager must be configured with a JVM system property that allows it to be added to all MBeanServers in the JVM. + +This is configured via a system property as follows: + +[,sh] + + java -Djavax.management.builder.initial=org.apache.activemq.artemis.core.server.management.ArtemisRbacMBeanServerBuilder + +NOTE: When this property is provided, the authorization section of management.xml should be omitted as that depends on an alternative MBeanServer interceptor. + +The addresses used for JMX RBAC use the `jmx.` prefix. This allows independent RBAC between messaging operations and JMX operations. + +The MBeanServer guard maps JMX MBean ObjectNames to a hierarchical address of the general form: + + jmx.<.jmx domain><.type><.component><.name>[.operation] + +NOTE: for the broker domain, the domain is omitted. + + +For example, to give the `admin` role `view` and `update` permissions on all MBeans, use the following security-setting: + +[,xml] + + + + + + + +To grant the `managerRole` role `view` permission to just the `activemq.management` address, target the `address` component with name `activemq.management` and with `.*` to include all operations. + +[,xml] + + + + + + + +To ensure no user has permission to xref:management.adoc#force_failover[force a failover] using the broker (server control) MBean, use the following that defines the empty roles set for a particular mutating operation on the `broker` component: +[,xml] + + + + + + +NOTE: all attribute access `get|is[attribute]` maps to a method named getAttribute for RBAC purposes. All other operations require a literal match. Review Comment: I have made it use a literal match for attributes and operations. so it is now consistent across both. Issue Time Tracking --- Worklog Id: (was: 909508) Time Spent: 3h 50m (was: 3h 40m) > add view and update permissions to augment the manage rbac for control > resources > > > Key: ARTEMIS-4582 > URL: https://issues.apache.org/jira/browse/ARTEMIS-4582 > Project: ActiveMQ Artemis > Issue Type: Improvement > Components: Broker, Configuration, JMX, Web Console >Affects Versions: 2.31.0 >Reporter: Gary Tully >Assignee: Gary Tully >Priority: Major > Time Spent: 3h 50m > Remaining Estimate: 0h > > we have the manage permission that allows sending to the management address, > to access any control resource. We don't however distinguish what a user can > do. > We should segment control operations into categories: CRUD provides a basis > view for get/is (Read) > update for set or operations that mutate or modify. > We allow this sort of configuration via management.xml for jmx mbean access > but using a different model based on object name. > All of the mbeans delegate to the control resources. > If we add these two additional permissions then we can have a single rbac > model (that supports config reload) and more granularity on control resource > access from the management address. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[ https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=909227=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909227 ] ASF GitHub Bot logged work on ARTEMIS-4582: --- Author: ASF GitHub Bot Created on: 11/Mar/24 15:05 Start Date: 11/Mar/24 15:05 Worklog Time Spent: 10m Work Description: gtully commented on code in PR #4820: URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1519879627 ## docs/user-manual/security.adoc: ## @@ -153,9 +161,22 @@ You can do this using the fully qualified queue name (i.e. FQQN) in the `match` -NOTE: Wildcard matching doesn't work in conjuction with FQQN. +NOTE: Wildcard matching doesn't work in conjunction with FQQN. The explicit goal of using FQQN here is to be _exact_. +=== Applying view and update permissions Review Comment: thanks! Issue Time Tracking --- Worklog Id: (was: 909227) Time Spent: 3h 40m (was: 3.5h) > add view and update permissions to augment the manage rbac for control > resources > > > Key: ARTEMIS-4582 > URL: https://issues.apache.org/jira/browse/ARTEMIS-4582 > Project: ActiveMQ Artemis > Issue Type: Improvement > Components: Broker, Configuration, JMX, Web Console >Affects Versions: 2.31.0 >Reporter: Gary Tully >Assignee: Gary Tully >Priority: Major > Time Spent: 3h 40m > Remaining Estimate: 0h > > we have the manage permission that allows sending to the management address, > to access any control resource. We don't however distinguish what a user can > do. > We should segment control operations into categories: CRUD provides a basis > view for get/is (Read) > update for set or operations that mutate or modify. > We allow this sort of configuration via management.xml for jmx mbean access > but using a different model based on object name. > All of the mbeans delegate to the control resources. > If we add these two additional permissions then we can have a single rbac > model (that supports config reload) and more granularity on control resource > access from the management address. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[ https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=909226=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909226 ] ASF GitHub Bot logged work on ARTEMIS-4582: --- Author: ASF GitHub Bot Created on: 11/Mar/24 15:04 Start Date: 11/Mar/24 15:04 Worklog Time Spent: 10m Work Description: gtully commented on code in PR #4820: URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1519877310 ## docs/user-manual/security.adoc: ## @@ -68,6 +68,14 @@ This permission allows the user to browse a queue bound to the matching address. manage:: This permission allows the user to invoke management operations by sending management messages to the management address. +The following two permissions pertain to operations on the management apis of the broker. They split management operations into two sets, read only for `view`, and `update` for mutating operations. The split is controlled by a regular expression. Methods that match will require the `view` permission, all others require `update`. The regular expression can be modified through the configuration attribute `view-permission-method-match-pattern`. These permissions are applicable using a suffix on the management address, and with a `jmx.` prefix for MBean access. + +view:: +This permission allows access to a read-only subset of management operations. + +update:: +This permission allows access to the mutating management operations, any operation not in the `view` set. + Review Comment: thanks, linking in to other two sections. Issue Time Tracking --- Worklog Id: (was: 909226) Time Spent: 3.5h (was: 3h 20m) > add view and update permissions to augment the manage rbac for control > resources > > > Key: ARTEMIS-4582 > URL: https://issues.apache.org/jira/browse/ARTEMIS-4582 > Project: ActiveMQ Artemis > Issue Type: Improvement > Components: Broker, Configuration, JMX, Web Console >Affects Versions: 2.31.0 >Reporter: Gary Tully >Assignee: Gary Tully >Priority: Major > Time Spent: 3.5h > Remaining Estimate: 0h > > we have the manage permission that allows sending to the management address, > to access any control resource. We don't however distinguish what a user can > do. > We should segment control operations into categories: CRUD provides a basis > view for get/is (Read) > update for set or operations that mutate or modify. > We allow this sort of configuration via management.xml for jmx mbean access > but using a different model based on object name. > All of the mbeans delegate to the control resources. > If we add these two additional permissions then we can have a single rbac > model (that supports config reload) and more granularity on control resource > access from the management address. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[ https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=909218=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909218 ] ASF GitHub Bot logged work on ARTEMIS-4582: --- Author: ASF GitHub Bot Created on: 11/Mar/24 14:25 Start Date: 11/Mar/24 14:25 Worklog Time Spent: 10m Work Description: gtully commented on code in PR #4820: URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1519811815 ## docs/user-manual/management.adoc: ## @@ -362,6 +366,63 @@ The `*` access is the catch all for everything other method that isn't specifica The `default-access` element is basically the catch all for every method call that isn't handled via the `role-access` configuration. This has the same semantics as a `match` element. + + JMX authorisation in broker.xml +The existing xref:security.adoc#role-based-security-for-addresses[security-settings] can be used for JMX RBAC. + +Using the `view` and `update` permissions on matches in security-settings provides an alternative to the authorization section in management.xml. +Using a single security model based on addresses, with reloadable configuration, simplifies operation. + +An xref:management.adoc#artemis_rbac_mbean_server_guard[MBeanServer interceptor] that delegates to the broker security manager must be configured with a JVM system property that allows it to be added to all MBeanServers in the JVM. + +This is configured via a system property as follows: + +[,sh] + + java -Djavax.management.builder.initial=org.apache.activemq.artemis.core.server.management.ArtemisRbacMBeanServerBuilder + +NOTE: When this property is provided, the authorization section of management.xml should be omitted as that depends on an alternative MBeanServer interceptor. Review Comment: going with IMPORTANT, will see if there is some good place in the code to try and detect but I think in general, auto detection of invalid config is a rabbit hole. Maybe there is a use case for different MBean servers configured with different guards. That is possible but improbable. Issue Time Tracking --- Worklog Id: (was: 909218) Time Spent: 3h 20m (was: 3h 10m) > add view and update permissions to augment the manage rbac for control > resources > > > Key: ARTEMIS-4582 > URL: https://issues.apache.org/jira/browse/ARTEMIS-4582 > Project: ActiveMQ Artemis > Issue Type: Improvement > Components: Broker, Configuration, JMX, Web Console >Affects Versions: 2.31.0 >Reporter: Gary Tully >Assignee: Gary Tully >Priority: Major > Time Spent: 3h 20m > Remaining Estimate: 0h > > we have the manage permission that allows sending to the management address, > to access any control resource. We don't however distinguish what a user can > do. > We should segment control operations into categories: CRUD provides a basis > view for get/is (Read) > update for set or operations that mutate or modify. > We allow this sort of configuration via management.xml for jmx mbean access > but using a different model based on object name. > All of the mbeans delegate to the control resources. > If we add these two additional permissions then we can have a single rbac > model (that supports config reload) and more granularity on control resource > access from the management address. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[ https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=909214=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909214 ] ASF GitHub Bot logged work on ARTEMIS-4582: --- Author: ASF GitHub Bot Created on: 11/Mar/24 14:17 Start Date: 11/Mar/24 14:17 Worklog Time Spent: 10m Work Description: gtully commented on code in PR #4820: URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1519799536 ## docs/user-manual/management.adoc: ## @@ -250,8 +251,11 @@ It can be disabled by setting `jmx-management-enabled` to `false` in `broker.xml Role Based Authorisation for JMX -Although by default Artemis uses the Java Virtual Machine's `Platform MBeanServer` this is guarded using role based authorisation that leverages the broker's JAAS plugin support. -This is configured via the `authorisation` element in the `management.xml` configuration file and can be used to restrict access to attributes and methods on MBeans. +Artemis uses the Java Virtual Machine's `Platform MBeanServer` by default. This is guarded using role based authorisation that leverages the broker's JAAS plugin support. + +The RBAC used to restrict access to Mbeans and their operations can be configured in two ways, via security-settings in broker.xml, described in xref:management.adoc#jmx-authorisation-in-broker-xml[JMX authorisation in broker.xml], or via the `authorisation` element in the `management.xml` that is described below. + Review Comment: going with "one of two", thanks. Issue Time Tracking --- Worklog Id: (was: 909214) Time Spent: 3h 10m (was: 3h) > add view and update permissions to augment the manage rbac for control > resources > > > Key: ARTEMIS-4582 > URL: https://issues.apache.org/jira/browse/ARTEMIS-4582 > Project: ActiveMQ Artemis > Issue Type: Improvement > Components: Broker, Configuration, JMX, Web Console >Affects Versions: 2.31.0 >Reporter: Gary Tully >Assignee: Gary Tully >Priority: Major > Time Spent: 3h 10m > Remaining Estimate: 0h > > we have the manage permission that allows sending to the management address, > to access any control resource. We don't however distinguish what a user can > do. > We should segment control operations into categories: CRUD provides a basis > view for get/is (Read) > update for set or operations that mutate or modify. > We allow this sort of configuration via management.xml for jmx mbean access > but using a different model based on object name. > All of the mbeans delegate to the control resources. > If we add these two additional permissions then we can have a single rbac > model (that supports config reload) and more granularity on control resource > access from the management address. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[
https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=909204=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909204
]
ASF GitHub Bot logged work on ARTEMIS-4582:
---
Author: ASF GitHub Bot
Created on: 11/Mar/24 13:23
Start Date: 11/Mar/24 13:23
Worklog Time Spent: 10m
Work Description: gtully commented on code in PR #4820:
URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1519711041
##
artemis-server/src/test/java/org/apache/activemq/artemis/core/security/RoleTest.java:
##
@@ -91,12 +91,12 @@ public void testManageRole() throws Exception {
@Test
public void testEqualsAndHashcode() throws Exception {
- Role role = new Role("testEquals", true, true, true, false, false,
false, false, false, false, false);
- Role sameRole = new Role("testEquals", true, true, true, false, false,
false, false, false, false, false);
- Role roleWithDifferentName = new Role("notEquals", true, true, true,
false, false, false, false, false, false, false);
- Role roleWithDifferentRead = new Role("testEquals", false, true, true,
false, false, false, false, false, false, false);
- Role roleWithDifferentWrite = new Role("testEquals", true, false, true,
false, false, false, false, false, false, false);
- Role roleWithDifferentCreate = new Role("testEquals", true, true, false,
false, false, false, false, false, false, false);
+ Role role = new Role("testEquals", true, true, true, false, false,
false, false, false, false, false, false, false);
+ Role sameRole = new Role("testEquals", true, true, true, false, false,
false, false, false, false, false, false, false);
+ Role roleWithDifferentName = new Role("notEquals", true, true, true,
false, false, false, false, false, false, false, false, false);
+ Role roleWithDifferentRead = new Role("testEquals", false, true, true,
false, false, false, false, false, false, false, false, false);
+ Role roleWithDifferentWrite = new Role("testEquals", true, false, true,
false, false, false, false, false, false, false, false, false);
+ Role roleWithDifferentCreate = new Role("testEquals", true, true, false,
false, false, false, false, false, false, false, false, false);
Review Comment:
good catch, thanks :-)
Issue Time Tracking
---
Worklog Id: (was: 909204)
Time Spent: 3h (was: 2h 50m)
> add view and update permissions to augment the manage rbac for control
> resources
>
>
> Key: ARTEMIS-4582
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: Broker, Configuration, JMX, Web Console
>Affects Versions: 2.31.0
>Reporter: Gary Tully
>Assignee: Gary Tully
>Priority: Major
> Time Spent: 3h
> Remaining Estimate: 0h
>
> we have the manage permission that allows sending to the management address,
> to access any control resource. We don't however distinguish what a user can
> do.
> We should segment control operations into categories: CRUD provides a basis
> view for get/is (Read)
> update for set or operations that mutate or modify.
> We allow this sort of configuration via management.xml for jmx mbean access
> but using a different model based on object name.
> All of the mbeans delegate to the control resources.
> If we add these two additional permissions then we can have a single rbac
> model (that supports config reload) and more granularity on control resource
> access from the management address.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[ https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=909202=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909202 ] ASF GitHub Bot logged work on ARTEMIS-4582: --- Author: ASF GitHub Bot Created on: 11/Mar/24 13:19 Start Date: 11/Mar/24 13:19 Worklog Time Spent: 10m Work Description: gtully commented on code in PR #4820: URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1519703742 ## artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/LegacyLDAPSecuritySettingPlugin.java: ## @@ -463,7 +463,9 @@ private void processSearchResult(Map> securityRoles, mapAdminToManage ? admin : false, // manage - map to admin based on configuration read, // browse admin, // createAddress - admin);// deleteAddress + admin, // deleteAddress + read, // view + write);// edit Review Comment: thanks! Issue Time Tracking --- Worklog Id: (was: 909202) Time Spent: 2h 50m (was: 2h 40m) > add view and update permissions to augment the manage rbac for control > resources > > > Key: ARTEMIS-4582 > URL: https://issues.apache.org/jira/browse/ARTEMIS-4582 > Project: ActiveMQ Artemis > Issue Type: Improvement > Components: Broker, Configuration, JMX, Web Console >Affects Versions: 2.31.0 >Reporter: Gary Tully >Assignee: Gary Tully >Priority: Major > Time Spent: 2h 50m > Remaining Estimate: 0h > > we have the manage permission that allows sending to the management address, > to access any control resource. We don't however distinguish what a user can > do. > We should segment control operations into categories: CRUD provides a basis > view for get/is (Read) > update for set or operations that mutate or modify. > We allow this sort of configuration via management.xml for jmx mbean access > but using a different model based on object name. > All of the mbeans delegate to the control resources. > If we add these two additional permissions then we can have a single rbac > model (that supports config reload) and more granularity on control resource > access from the management address. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[
https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=909200=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909200
]
ASF GitHub Bot logged work on ARTEMIS-4582:
---
Author: ASF GitHub Bot
Created on: 11/Mar/24 13:17
Start Date: 11/Mar/24 13:17
Worklog Time Spent: 10m
Work Description: gtully commented on code in PR #4820:
URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1519702003
##
artemis-server/src/main/java/org/apache/activemq/artemis/core/persistence/config/PersistedSecuritySetting.java:
##
@@ -77,7 +83,7 @@ public PersistedSecuritySetting(final String addressMatch,
final String manageRoles,
final String browseRoles,
final String createAddressRoles,
- final String deleteAddressRoles) {
+ final String deleteAddressRoles, String
viewRoles, String updateRoles) {
Review Comment:
sure.
Issue Time Tracking
---
Worklog Id: (was: 909200)
Time Spent: 2h 40m (was: 2.5h)
> add view and update permissions to augment the manage rbac for control
> resources
>
>
> Key: ARTEMIS-4582
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: Broker, Configuration, JMX, Web Console
>Affects Versions: 2.31.0
>Reporter: Gary Tully
>Assignee: Gary Tully
>Priority: Major
> Time Spent: 2h 40m
> Remaining Estimate: 0h
>
> we have the manage permission that allows sending to the management address,
> to access any control resource. We don't however distinguish what a user can
> do.
> We should segment control operations into categories: CRUD provides a basis
> view for get/is (Read)
> update for set or operations that mutate or modify.
> We allow this sort of configuration via management.xml for jmx mbean access
> but using a different model based on object name.
> All of the mbeans delegate to the control resources.
> If we add these two additional permissions then we can have a single rbac
> model (that supports config reload) and more granularity on control resource
> access from the management address.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[
https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=909197=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909197
]
ASF GitHub Bot logged work on ARTEMIS-4582:
---
Author: ASF GitHub Bot
Created on: 11/Mar/24 13:14
Start Date: 11/Mar/24 13:14
Worklog Time Spent: 10m
Work Description: gtully commented on code in PR #4820:
URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1519696500
##
artemis-server/src/main/java/org/apache/activemq/artemis/core/management/impl/AddressControlImpl.java:
##
@@ -485,7 +473,6 @@ public String sendMessage(final Map headers,
try {
return sendMessage(addressInfo.getName(), server, headers, type,
body, durable, user, password, createMessageId);
} catch (Exception e) {
-e.printStackTrace();
Review Comment:
i am assuming adding the e to the thrown exception was considered a leak,
will use the logger. thanks
Issue Time Tracking
---
Worklog Id: (was: 909197)
Time Spent: 2.5h (was: 2h 20m)
> add view and update permissions to augment the manage rbac for control
> resources
>
>
> Key: ARTEMIS-4582
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: Broker, Configuration, JMX, Web Console
>Affects Versions: 2.31.0
>Reporter: Gary Tully
>Assignee: Gary Tully
>Priority: Major
> Time Spent: 2.5h
> Remaining Estimate: 0h
>
> we have the manage permission that allows sending to the management address,
> to access any control resource. We don't however distinguish what a user can
> do.
> We should segment control operations into categories: CRUD provides a basis
> view for get/is (Read)
> update for set or operations that mutate or modify.
> We allow this sort of configuration via management.xml for jmx mbean access
> but using a different model based on object name.
> All of the mbeans delegate to the control resources.
> If we add these two additional permissions then we can have a single rbac
> model (that supports config reload) and more granularity on control resource
> access from the management address.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[
https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=909192=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909192
]
ASF GitHub Bot logged work on ARTEMIS-4582:
---
Author: ASF GitHub Bot
Created on: 11/Mar/24 13:01
Start Date: 11/Mar/24 13:01
Worklog Time Spent: 10m
Work Description: gtully commented on code in PR #4820:
URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1519679391
##
artemis-core-client/src/main/java/org/apache/activemq/artemis/core/security/Role.java:
##
@@ -247,6 +271,12 @@ public String toString() {
if (browse) {
stringReturn.append(" browse ");
}
+ if (update) {
+ stringReturn.append(" update ");
+ }
+ if (view) {
+ stringReturn.append(" view ");
+ }
Review Comment:
agree, will fix. thanks!
Issue Time Tracking
---
Worklog Id: (was: 909192)
Time Spent: 2h 20m (was: 2h 10m)
> add view and update permissions to augment the manage rbac for control
> resources
>
>
> Key: ARTEMIS-4582
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: Broker, Configuration, JMX, Web Console
>Affects Versions: 2.31.0
>Reporter: Gary Tully
>Assignee: Gary Tully
>Priority: Major
> Time Spent: 2h 20m
> Remaining Estimate: 0h
>
> we have the manage permission that allows sending to the management address,
> to access any control resource. We don't however distinguish what a user can
> do.
> We should segment control operations into categories: CRUD provides a basis
> view for get/is (Read)
> update for set or operations that mutate or modify.
> We allow this sort of configuration via management.xml for jmx mbean access
> but using a different model based on object name.
> All of the mbeans delegate to the control resources.
> If we add these two additional permissions then we can have a single rbac
> model (that supports config reload) and more granularity on control resource
> access from the management address.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[
https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=909170=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909170
]
ASF GitHub Bot logged work on ARTEMIS-4582:
---
Author: ASF GitHub Bot
Created on: 11/Mar/24 11:36
Start Date: 11/Mar/24 11:36
Worklog Time Spent: 10m
Work Description: gtully commented on code in PR #4820:
URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1519575016
##
artemis-core-client/src/main/java/org/apache/activemq/artemis/core/security/Role.java:
##
@@ -109,6 +115,22 @@ public Role(final String name,
final boolean browse,
final boolean createAddress,
final boolean deleteAddress) {
+ this(name, send, consume, createDurableQueue, deleteDurableQueue,
createNonDurableQueue, deleteNonDurableQueue, manage, browse, createAddress,
deleteAddress, false, false);
+ }
+
+ public Role(final String name,
+ final boolean send,
+ final boolean consume,
+ final boolean createDurableQueue,
+ final boolean deleteDurableQueue,
+ final boolean createNonDurableQueue,
+ final boolean deleteNonDurableQueue,
+ final boolean manage,
+ final boolean browse,
+ final boolean createAddress,
+ final boolean deleteAddress,
+ final boolean view,
+ final boolean update) {
Review Comment:
The view and update permissions are not checked by default, so the manage
permission is sufficient as it is today. manage is very specific, it controls
whether a message consumed from the management address is applied to the
registered control objects or rejected.
Only if the broker is configured to check for the presence of view or update
for more fine grained rbac on the management address messages, then the user
will need to configure those permissions.
Issue Time Tracking
---
Worklog Id: (was: 909170)
Time Spent: 2h 10m (was: 2h)
> add view and update permissions to augment the manage rbac for control
> resources
>
>
> Key: ARTEMIS-4582
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: Broker, Configuration, JMX, Web Console
>Affects Versions: 2.31.0
>Reporter: Gary Tully
>Assignee: Gary Tully
>Priority: Major
> Time Spent: 2h 10m
> Remaining Estimate: 0h
>
> we have the manage permission that allows sending to the management address,
> to access any control resource. We don't however distinguish what a user can
> do.
> We should segment control operations into categories: CRUD provides a basis
> view for get/is (Read)
> update for set or operations that mutate or modify.
> We allow this sort of configuration via management.xml for jmx mbean access
> but using a different model based on object name.
> All of the mbeans delegate to the control resources.
> If we add these two additional permissions then we can have a single rbac
> model (that supports config reload) and more granularity on control resource
> access from the management address.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[
https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=909168=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909168
]
ASF GitHub Bot logged work on ARTEMIS-4582:
---
Author: ASF GitHub Bot
Created on: 11/Mar/24 11:29
Start Date: 11/Mar/24 11:29
Worklog Time Spent: 10m
Work Description: gtully commented on code in PR #4820:
URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1519567956
##
artemis-core-client/src/main/java/org/apache/activemq/artemis/api/core/management/ObjectNameBuilder.java:
##
@@ -161,7 +161,7 @@ private String getActiveMQServerName() {
return String.format("%s:broker=%s", domain, (jmxUseBrokerName &&
brokerName != null) ? ObjectName.quote(brokerName) : "artemis");
}
- public ObjectName getManagementContextObjectName() throws Exception {
- return
ObjectName.getInstance(String.format("hawtio:type=security,area=jmx,name=ArtemisJMXSecurity"));
+ public ObjectName getSecurityObjectName() throws Exception {
Review Comment:
probably, good catch, explains why it was not changed before now. I will add
back the deprecated api
Issue Time Tracking
---
Worklog Id: (was: 909168)
Time Spent: 2h (was: 1h 50m)
> add view and update permissions to augment the manage rbac for control
> resources
>
>
> Key: ARTEMIS-4582
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: Broker, Configuration, JMX, Web Console
>Affects Versions: 2.31.0
>Reporter: Gary Tully
>Assignee: Gary Tully
>Priority: Major
> Time Spent: 2h
> Remaining Estimate: 0h
>
> we have the manage permission that allows sending to the management address,
> to access any control resource. We don't however distinguish what a user can
> do.
> We should segment control operations into categories: CRUD provides a basis
> view for get/is (Read)
> update for set or operations that mutate or modify.
> We allow this sort of configuration via management.xml for jmx mbean access
> but using a different model based on object name.
> All of the mbeans delegate to the control resources.
> If we add these two additional permissions then we can have a single rbac
> model (that supports config reload) and more granularity on control resource
> access from the management address.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[
https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=909166=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909166
]
ASF GitHub Bot logged work on ARTEMIS-4582:
---
Author: ASF GitHub Bot
Created on: 11/Mar/24 11:24
Start Date: 11/Mar/24 11:24
Worklog Time Spent: 10m
Work Description: gtully commented on code in PR #4820:
URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1519562554
##
artemis-cli/src/test/java/org/apache/activemq/cli/test/ArtemisTest.java:
##
@@ -786,7 +786,7 @@ private void
testProperReloadWhenAddingUserViaManagement(boolean basic) throws E
try {
activeMQServerControl.createAddress("myAddress",
RoutingType.ANYCAST.toString());
- activeMQServerControl.addSecuritySettings("myAddress", "myRole",
"myRole", "myRole", "myRole", "myRole", "myRole", "myRole", "myRole", "myRole",
"myRole");
+ activeMQServerControl.addSecuritySettings("myAddress", "myRole",
"myRole", "myRole", "myRole", "myRole", "myRole", "myRole", "myRole", "myRole",
"myRole", "", "");
Review Comment:
fair, will revert that change. thanks
Issue Time Tracking
---
Worklog Id: (was: 909166)
Time Spent: 1h 50m (was: 1h 40m)
> add view and update permissions to augment the manage rbac for control
> resources
>
>
> Key: ARTEMIS-4582
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: Broker, Configuration, JMX, Web Console
>Affects Versions: 2.31.0
>Reporter: Gary Tully
>Assignee: Gary Tully
>Priority: Major
> Time Spent: 1h 50m
> Remaining Estimate: 0h
>
> we have the manage permission that allows sending to the management address,
> to access any control resource. We don't however distinguish what a user can
> do.
> We should segment control operations into categories: CRUD provides a basis
> view for get/is (Read)
> update for set or operations that mutate or modify.
> We allow this sort of configuration via management.xml for jmx mbean access
> but using a different model based on object name.
> All of the mbeans delegate to the control resources.
> If we add these two additional permissions then we can have a single rbac
> model (that supports config reload) and more granularity on control resource
> access from the management address.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[
https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=909163=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909163
]
ASF GitHub Bot logged work on ARTEMIS-4582:
---
Author: ASF GitHub Bot
Created on: 11/Mar/24 11:19
Start Date: 11/Mar/24 11:19
Worklog Time Spent: 10m
Work Description: gtully commented on code in PR #4820:
URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1519556299
##
artemis-cli/src/main/java/org/apache/activemq/artemis/cli/commands/tools/xml/XmlDataImporter.java:
##
@@ -337,17 +337,27 @@ private void sendMessage(List queues, Message
message) throws Exception
logger.debug("Requesting ID for: {}", queue);
}
ClientMessage reply = requestor.request(managementMessage);
- Number idObject = (Number) ManagementHelper.getResult(reply);
- queueID = idObject.longValue();
+ if (ManagementHelper.hasOperationSucceeded(reply)) {
+ Number idObject = (Number) ManagementHelper.getResult(reply);
+ queueID = idObject.longValue();
+ } else {
+ if (debugLog) {
+ logger.debug("Failed to get ID for {} is: {}", queue,
ManagementHelper.getResult(reply, String.class));
+ }
Review Comment:
good catch, thanks. will fix.
Issue Time Tracking
---
Worklog Id: (was: 909163)
Time Spent: 1h 40m (was: 1.5h)
> add view and update permissions to augment the manage rbac for control
> resources
>
>
> Key: ARTEMIS-4582
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: Broker, Configuration, JMX, Web Console
>Affects Versions: 2.31.0
>Reporter: Gary Tully
>Assignee: Gary Tully
>Priority: Major
> Time Spent: 1h 40m
> Remaining Estimate: 0h
>
> we have the manage permission that allows sending to the management address,
> to access any control resource. We don't however distinguish what a user can
> do.
> We should segment control operations into categories: CRUD provides a basis
> view for get/is (Read)
> update for set or operations that mutate or modify.
> We allow this sort of configuration via management.xml for jmx mbean access
> but using a different model based on object name.
> All of the mbeans delegate to the control resources.
> If we add these two additional permissions then we can have a single rbac
> model (that supports config reload) and more granularity on control resource
> access from the management address.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[ https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=908716=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-908716 ] ASF GitHub Bot logged work on ARTEMIS-4582: --- Author: ASF GitHub Bot Created on: 07/Mar/24 11:03 Start Date: 07/Mar/24 11:03 Worklog Time Spent: 10m Work Description: gemmellr commented on code in PR #4820: URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1515899178 ## docs/user-manual/management.adoc: ## @@ -362,6 +366,63 @@ The `*` access is the catch all for everything other method that isn't specifica The `default-access` element is basically the catch all for every method call that isn't handled via the `role-access` configuration. This has the same semantics as a `match` element. + + JMX authorisation in broker.xml +The existing xref:security.adoc#role-based-security-for-addresses[security-settings] can be used for JMX RBAC. + +Using the `view` and `update` permissions on matches in security-settings provides an alternative to the authorization section in management.xml. +Using a single security model based on addresses, with reloadable configuration, simplifies operation. + +An xref:management.adoc#artemis_rbac_mbean_server_guard[MBeanServer interceptor] that delegates to the broker security manager must be configured with a JVM system property that allows it to be added to all MBeanServers in the JVM. + +This is configured via a system property as follows: + +[,sh] + + java -Djavax.management.builder.initial=org.apache.activemq.artemis.core.server.management.ArtemisRbacMBeanServerBuilder + +NOTE: When this property is provided, the authorization section of management.xml should be omitted as that depends on an alternative MBeanServer interceptor. Review Comment: I wonder if this should go with WARNING or IMPORTANT to make it more prominent, given its essential to using this rather than just nice to know info. I also wonder if the broker code should try detecting and enforcing that a mixture wont work..cant say I recall seeing anything around that? ## docs/user-manual/security.adoc: ## @@ -68,6 +68,14 @@ This permission allows the user to browse a queue bound to the matching address. manage:: This permission allows the user to invoke management operations by sending management messages to the management address. +The following two permissions pertain to operations on the management apis of the broker. They split management operations into two sets, read only for `view`, and `update` for mutating operations. The split is controlled by a regular expression. Methods that match will require the `view` permission, all others require `update`. The regular expression can be modified through the configuration attribute `view-permission-method-match-pattern`. These permissions are applicable using a suffix on the management address, and with a `jmx.` prefix for MBean access. + +view:: +This permission allows access to a read-only subset of management operations. + +update:: +This permission allows access to the mutating management operations, any operation not in the `view` set. + Review Comment: This isnt clear that these only apply when using the optional alternative broker.xml management security + alternative mbean guard that most wont actually be using yet when reading this, given management.xml security is the default. Add sentence with mention + link to it? ## docs/user-manual/management.adoc: ## @@ -585,7 +656,32 @@ This is also configured in broker.xml: -=== Example + Fine grained RBAC on management messages +There is optional RBAC on the content of the management messages sent to the management address. + +RBAC is enabled by providing a value for the attribute xref:configuration-index.adoc#management_rbac_suffix[management-rbac-suffix]. +With a `management-rbac-suffix` of `.control.` more fine-grained permissions on the management address can be configured using that suffix appended to the management address. Review Comment: It isnt made clear this only applies if using the broker.xml based management security and alternative mbean guard, which if not doing that (the default) seems like it would limit its effectiveness? What will this do otherwise, anything? (Back to earlier comment about detection/enforcement for such config mismatch) Also isnt clear if the "manage" role is still needed on "activemq.management" per the earlier config, i.e if the examples below are additional or instead of the earlier covered config. A note either way could resolve that (or adding it to the example if its still needed). ## docs/user-manual/management.adoc: ## @@ -250,8 +251,11 @@ It can be disabled by setting `jmx-management-enabled` to `false` in `broker.xml
[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[
https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=908057=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-908057
]
ASF GitHub Bot logged work on ARTEMIS-4582:
---
Author: ASF GitHub Bot
Created on: 04/Mar/24 12:33
Start Date: 04/Mar/24 12:33
Worklog Time Spent: 10m
Work Description: gemmellr commented on code in PR #4820:
URL: https://github.com/apache/activemq-artemis/pull/4820#discussion_r1510989284
##
artemis-cli/src/test/java/org/apache/activemq/cli/test/ArtemisTest.java:
##
@@ -786,7 +786,7 @@ private void
testProperReloadWhenAddingUserViaManagement(boolean basic) throws E
try {
activeMQServerControl.createAddress("myAddress",
RoutingType.ANYCAST.toString());
- activeMQServerControl.addSecuritySettings("myAddress", "myRole",
"myRole", "myRole", "myRole", "myRole", "myRole", "myRole", "myRole", "myRole",
"myRole");
+ activeMQServerControl.addSecuritySettings("myAddress", "myRole",
"myRole", "myRole", "myRole", "myRole", "myRole", "myRole", "myRole", "myRole",
"myRole", "", "");
Review Comment:
Or use the constructor that doesnt have them, if they arent actually being
used?
(Or not add yet another constructor).
##
artemis-core-client/src/main/java/org/apache/activemq/artemis/core/security/Role.java:
##
@@ -247,6 +271,12 @@ public String toString() {
if (browse) {
stringReturn.append(" browse ");
}
+ if (update) {
+ stringReturn.append(" update ");
+ }
+ if (view) {
+ stringReturn.append(" view ");
+ }
Review Comment:
Feels weird that 'view' is always the first of the new bits in
args/docs...but then is randomly second in additions here/below in the class.
Would be nicer if things were consistently ordered.
##
artemis-server/src/main/java/org/apache/activemq/artemis/core/persistence/config/PersistedSecuritySetting.java:
##
@@ -77,7 +83,7 @@ public PersistedSecuritySetting(final String addressMatch,
final String manageRoles,
final String browseRoles,
final String createAddressRoles,
- final String deleteAddressRoles) {
+ final String deleteAddressRoles, String
viewRoles, String updateRoles) {
Review Comment:
The others are all on their own lines, and finalbe consistent.
##
artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/LegacyLDAPSecuritySettingPlugin.java:
##
@@ -463,7 +463,9 @@ private void processSearchResult(Map>
securityRoles,
mapAdminToManage ? admin : false, //
manage - map to admin based on configuration
read, //
browse
admin, //
createAddress
- admin);//
deleteAddress
+ admin, //
deleteAddress
+ read, //
view
+ write);//
edit
Review Comment:
edit -> update?
##
artemis-cli/src/main/java/org/apache/activemq/artemis/cli/commands/tools/xml/XmlDataImporter.java:
##
@@ -337,17 +337,27 @@ private void sendMessage(List queues, Message
message) throws Exception
logger.debug("Requesting ID for: {}", queue);
}
ClientMessage reply = requestor.request(managementMessage);
- Number idObject = (Number) ManagementHelper.getResult(reply);
- queueID = idObject.longValue();
+ if (ManagementHelper.hasOperationSucceeded(reply)) {
+ Number idObject = (Number) ManagementHelper.getResult(reply);
+ queueID = idObject.longValue();
+ } else {
+ if (debugLog) {
+ logger.debug("Failed to get ID for {} is: {}", queue,
ManagementHelper.getResult(reply, String.class));
+ }
Review Comment:
Message doesnt really make sense.
Seems weird that it outputs this...then continues down and immediately logs
the ID it just 'failed to get'.
##
artemis-core-client/src/main/java/org/apache/activemq/artemis/api/core/management/ObjectNameBuilder.java:
##
@@ -161,7 +161,7 @@ private String getActiveMQServerName() {
return String.format("%s:broker=%s", domain, (jmxUseBrokerName &&
brokerName != null) ? ObjectName.quote(brokerName) : "artemis");
}
- public ObjectName getManagementContextObjectName() throws
[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[ https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=907660=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-907660 ] ASF GitHub Bot logged work on ARTEMIS-4582: --- Author: ASF GitHub Bot Created on: 29/Feb/24 17:53 Start Date: 29/Feb/24 17:53 Worklog Time Spent: 10m Work Description: gtully commented on PR #4820: URL: https://github.com/apache/activemq-artemis/pull/4820#issuecomment-1971659697 I think this is good for comments and more eyes. The MBean rbac uses `jmx.` prefixed settings. the Management messages use a suffix on activemq.management to provide the root of the hierarchy. The suffix enabled the feature. I wonder if using a different prefix would be more consistent, rather than hanging off of the activemq.management address. It would maybe be more consistent but activemq.management is the target of those messages. Thoughts welcome. Issue Time Tracking --- Worklog Id: (was: 907660) Time Spent: 1h 10m (was: 1h) > add view and update permissions to augment the manage rbac for control > resources > > > Key: ARTEMIS-4582 > URL: https://issues.apache.org/jira/browse/ARTEMIS-4582 > Project: ActiveMQ Artemis > Issue Type: Improvement > Components: Broker, Configuration, JMX, Web Console >Affects Versions: 2.31.0 >Reporter: Gary Tully >Assignee: Gary Tully >Priority: Major > Time Spent: 1h 10m > Remaining Estimate: 0h > > we have the manage permission that allows sending to the management address, > to access any control resource. We don't however distinguish what a user can > do. > We should segment control operations into categories: CRUD provides a basis > view for get/is (Read) > update for set or operations that mutate or modify. > We allow this sort of configuration via management.xml for jmx mbean access > but using a different model based on object name. > All of the mbeans delegate to the control resources. > If we add these two additional permissions then we can have a single rbac > model (that supports config reload) and more granularity on control resource > access from the management address. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[ https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=906994=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-906994 ] ASF GitHub Bot logged work on ARTEMIS-4582: --- Author: ASF GitHub Bot Created on: 26/Feb/24 16:51 Start Date: 26/Feb/24 16:51 Worklog Time Spent: 10m Work Description: gtully commented on PR #4820: URL: https://github.com/apache/activemq-artemis/pull/4820#issuecomment-1964633266 a question. the object name for an queue, Q1::Q1: org.apache.activemq.artemis:broker="localhost",component=addresses,address="Q1",subcomponent=queues,routing-type="anycast",queue="Q1", maps nicely to: jmx.queues.Q1::Q1 But should it be `jmx.queue.` the management messages use the resource name queue rather than queues. The MbeanObject name use attribute subcomponent=queues, queue=x. I guess it should be queue. No point polluting the settings with plurals when not necessary. Issue Time Tracking --- Worklog Id: (was: 906994) Time Spent: 1h (was: 50m) > add view and update permissions to augment the manage rbac for control > resources > > > Key: ARTEMIS-4582 > URL: https://issues.apache.org/jira/browse/ARTEMIS-4582 > Project: ActiveMQ Artemis > Issue Type: Improvement > Components: Broker, Configuration, JMX, Web Console >Affects Versions: 2.31.0 >Reporter: Gary Tully >Assignee: Gary Tully >Priority: Major > Time Spent: 1h > Remaining Estimate: 0h > > we have the manage permission that allows sending to the management address, > to access any control resource. We don't however distinguish what a user can > do. > We should segment control operations into categories: CRUD provides a basis > view for get/is (Read) > update for set or operations that mutate or modify. > We allow this sort of configuration via management.xml for jmx mbean access > but using a different model based on object name. > All of the mbeans delegate to the control resources. > If we add these two additional permissions then we can have a single rbac > model (that supports config reload) and more granularity on control resource > access from the management address. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[ https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=906991=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-906991 ] ASF GitHub Bot logged work on ARTEMIS-4582: --- Author: ASF GitHub Bot Created on: 26/Feb/24 16:31 Start Date: 26/Feb/24 16:31 Worklog Time Spent: 10m Work Description: gtully commented on PR #4820: URL: https://github.com/apache/activemq-artemis/pull/4820#issuecomment-1964585246 one challenge is keeping things simple, but also this needs to be independent. The VIEW and UPDATE permissions are applicable to both management messages on the activemq.management address and on MBean access from JMX and the console, where operations on particular MBeans should be locked down. This means that I cannot reuse security settings for addresses and queues and need to isolate the two entry points. a postfix on the activemq.management address for management messages, such that a match of activemq.management.control.# will give full access. and a prefix of jmx for mbean access, eg: jmx.broker.# // for all broker control operations jmx.addresses.activemq.management.pause // for the pause operation on a particular address Issue Time Tracking --- Worklog Id: (was: 906991) Time Spent: 50m (was: 40m) > add view and update permissions to augment the manage rbac for control > resources > > > Key: ARTEMIS-4582 > URL: https://issues.apache.org/jira/browse/ARTEMIS-4582 > Project: ActiveMQ Artemis > Issue Type: Improvement > Components: Broker, Configuration, JMX, Web Console >Affects Versions: 2.31.0 >Reporter: Gary Tully >Assignee: Gary Tully >Priority: Major > Time Spent: 50m > Remaining Estimate: 0h > > we have the manage permission that allows sending to the management address, > to access any control resource. We don't however distinguish what a user can > do. > We should segment control operations into categories: CRUD provides a basis > view for get/is (Read) > update for set or operations that mutate or modify. > We allow this sort of configuration via management.xml for jmx mbean access > but using a different model based on object name. > All of the mbeans delegate to the control resources. > If we add these two additional permissions then we can have a single rbac > model (that supports config reload) and more granularity on control resource > access from the management address. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[ https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=906434=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-906434 ] ASF GitHub Bot logged work on ARTEMIS-4582: --- Author: ASF GitHub Bot Created on: 22/Feb/24 13:13 Start Date: 22/Feb/24 13:13 Worklog Time Spent: 10m Work Description: gtully commented on PR #4820: URL: https://github.com/apache/activemq-artemis/pull/4820#issuecomment-1959432353 need to work on propagating the new permission into the security control apis, will revert draft when that is complete. Issue Time Tracking --- Worklog Id: (was: 906434) Time Spent: 40m (was: 0.5h) > add view and update permissions to augment the manage rbac for control > resources > > > Key: ARTEMIS-4582 > URL: https://issues.apache.org/jira/browse/ARTEMIS-4582 > Project: ActiveMQ Artemis > Issue Type: Improvement > Components: Broker, Configuration, JMX, Web Console >Affects Versions: 2.31.0 >Reporter: Gary Tully >Assignee: Gary Tully >Priority: Major > Time Spent: 40m > Remaining Estimate: 0h > > we have the manage permission that allows sending to the management address, > to access any control resource. We don't however distinguish what a user can > do. > We should segment control operations into categories: CRUD provides a basis > view for get/is (Read) > update for set or operations that mutate or modify. > We allow this sort of configuration via management.xml for jmx mbean access > but using a different model based on object name. > All of the mbeans delegate to the control resources. > If we add these two additional permissions then we can have a single rbac > model (that supports config reload) and more granularity on control resource > access from the management address. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[ https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=905958=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-905958 ] ASF GitHub Bot logged work on ARTEMIS-4582: --- Author: ASF GitHub Bot Created on: 20/Feb/24 14:52 Start Date: 20/Feb/24 14:52 Worklog Time Spent: 10m Work Description: gtully commented on PR #4820: URL: https://github.com/apache/activemq-artemis/pull/4820#issuecomment-1954384492 > Couple of question... > > 1. One of the things that `management.xml` let you do was configure remote JMX connectivity. How do I do that with this? management.xml will remain, this will just replace the authorization section. > 2. One nice thing about `management.xml` is that you didn't have to muck around with system properties. Any chance this could be configured via `broker.xml` instead of `javax.management.builder.initial`? Perhaps a new `` block would be useful here. the system property is important because I want to guard the platform mbean server, and this is created on startup. Typically our logging causes it is be instantiated. When the platform mbean server is guarded and jolokia exposes it, the need for a jmx connector diminishes. With the management wrapper of the broker, we were late setting the guard in the past. > 3. There is a fair bit of documentation about `management.xml` in `management.adoc`. Could you provide something analogous (or even more comprehensive) for this? A few simple use-cases with corresponding configuration would go a long way in helping users & developers understand how it works. sure. it is considerably simpler, with a mapping from objectName to address, and methods split into update or view permissions. > 4. The existing default `management.xml` has recommended settings (e.g. read-only access to non-Artemis MBeans). I think we should have something similar for this as well. Is that possible? that is a good idea, one thing that may get in the way is the default # security-settings-match. that will be applicable to jmx too but won't typically have the view role. but a security-settings-match jmx.# view role would do it. Issue Time Tracking --- Worklog Id: (was: 905958) Time Spent: 0.5h (was: 20m) > add view and update permissions to augment the manage rbac for control > resources > > > Key: ARTEMIS-4582 > URL: https://issues.apache.org/jira/browse/ARTEMIS-4582 > Project: ActiveMQ Artemis > Issue Type: Improvement > Components: Broker, Configuration, JMX, Web Console >Affects Versions: 2.31.0 >Reporter: Gary Tully >Assignee: Gary Tully >Priority: Major > Time Spent: 0.5h > Remaining Estimate: 0h > > we have the manage permission that allows sending to the management address, > to access any control resource. We don't however distinguish what a user can > do. > We should segment control operations into categories: CRUD provides a basis > view for get/is (Read) > update for set or operations that mutate or modify. > We allow this sort of configuration via management.xml for jmx mbean access > but using a different model based on object name. > All of the mbeans delegate to the control resources. > If we add these two additional permissions then we can have a single rbac > model (that supports config reload) and more granularity on control resource > access from the management address. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[ https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=905774=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-905774 ] ASF GitHub Bot logged work on ARTEMIS-4582: --- Author: ASF GitHub Bot Created on: 19/Feb/24 22:25 Start Date: 19/Feb/24 22:25 Worklog Time Spent: 10m Work Description: jbertram commented on PR #4820: URL: https://github.com/apache/activemq-artemis/pull/4820#issuecomment-1953228386 Couple of question... 1. One of the things that `management.xml` let you do was configure remote JMX connectivity. How do I do that with this? 2. One nice thing about `management.xml` is that you didn't have to muck around with system properties. Any chance this could be configured via `broker.xml` instead of `javax.management.builder.initial`? Perhaps a new `` block would be useful here. 3. There is a fair bit of documentation about `management.xml` in `management.adoc`. Could you provide something analogous (or even more comprehensive) for this? A few simple use-cases with corresponding configuration would go a long way in helping users & developers understand how it works. 4. The existing default `management.xml` has recommended settings (e.g. read-only access to non-Artemis MBeans). I think we should have something similar for this as well. Is that possible? Issue Time Tracking --- Worklog Id: (was: 905774) Time Spent: 20m (was: 10m) > add view and update permissions to augment the manage rbac for control > resources > > > Key: ARTEMIS-4582 > URL: https://issues.apache.org/jira/browse/ARTEMIS-4582 > Project: ActiveMQ Artemis > Issue Type: Improvement > Components: Broker, Configuration, JMX, Web Console >Affects Versions: 2.31.0 >Reporter: Gary Tully >Assignee: Gary Tully >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > we have the manage permission that allows sending to the management address, > to access any control resource. We don't however distinguish what a user can > do. > We should segment control operations into categories: CRUD provides a basis > view for get/is (Read) > update for set or operations that mutate or modify. > We allow this sort of configuration via management.xml for jmx mbean access > but using a different model based on object name. > All of the mbeans delegate to the control resources. > If we add these two additional permissions then we can have a single rbac > model (that supports config reload) and more granularity on control resource > access from the management address. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources
[ https://issues.apache.org/jira/browse/ARTEMIS-4582?focusedWorklogId=904899=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-904899 ] ASF GitHub Bot logged work on ARTEMIS-4582: --- Author: ASF GitHub Bot Created on: 14/Feb/24 14:09 Start Date: 14/Feb/24 14:09 Worklog Time Spent: 10m Work Description: gtully opened a new pull request, #4820: URL: https://github.com/apache/activemq-artemis/pull/4820 …agement. security-settings Issue Time Tracking --- Worklog Id: (was: 904899) Remaining Estimate: 0h Time Spent: 10m > add view and update permissions to augment the manage rbac for control > resources > > > Key: ARTEMIS-4582 > URL: https://issues.apache.org/jira/browse/ARTEMIS-4582 > Project: ActiveMQ Artemis > Issue Type: Improvement > Components: Broker, Configuration, JMX, Web Console >Affects Versions: 2.31.0 >Reporter: Gary Tully >Assignee: Gary Tully >Priority: Major > Time Spent: 10m > Remaining Estimate: 0h > > we have the manage permission that allows sending to the management address, > to access any control resource. We don't however distinguish what a user can > do. > We should segment control operations into categories: CRUD provides a basis > view for get/is (Read) > update for set or operations that mutate or modify. > We allow this sort of configuration via management.xml for jmx mbean access > but using a different model based on object name. > All of the mbeans delegate to the control resources. > If we add these two additional permissions then we can have a single rbac > model (that supports config reload) and more granularity on control resource > access from the management address. -- This message was sent by Atlassian Jira (v8.20.10#820010)
