[jira] [Updated] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources

2024-02-14 Thread Gary Tully (Jira) 


 [ 
https://issues.apache.org/jira/browse/ARTEMIS-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Gary Tully updated ARTEMIS-4582:

Description: 
we have the manage permission that allows sending to the management address, to 
access any control resource. We don't however distinguish what a user can do.

We should segment control operations into categories: CRUD provides a basis

view for get/is (Read)

update for set or operations that mutate or modify.

We allow this sort of configuration via management.xml for jmx mbean access but 
using a different model based on object name.

All of the mbeans delegate to the control resources.

If we add these two additional permissions then we can have a single rbac model 
(that supports config reload) and more granularity on control resource access 
from the management address.

  was:
we have the manage permission that allows sending to the management address, to 
access any control resource.

We should segment control operations into categories: CRUD provides a basis

view for get/is (Read)

edit for set (Update)

manage for aggregate operations list*  and Create, Delete) also implying both 
view & edit

 

We allow this sort of configuration via management.xml for jmx mbean access but 
using a different model based on object name.

All of the mbeans delegate to the control resources.

 

If we add these two additional permissions then we can have a single rbac model 
(that supports config reload) and more granularity on control resource access 
from the management address.


> add view and update permissions to augment the manage rbac for control 
> resources
> 
>
> Key: ARTEMIS-4582
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
> Project: ActiveMQ Artemis
>  Issue Type: Improvement
>  Components: Broker, Configuration, JMX, Web Console
>Affects Versions: 2.31.0
>Reporter: Gary Tully
>Priority: Major
>
> we have the manage permission that allows sending to the management address, 
> to access any control resource. We don't however distinguish what a user can 
> do.
> We should segment control operations into categories: CRUD provides a basis
> view for get/is (Read)
> update for set or operations that mutate or modify.
> We allow this sort of configuration via management.xml for jmx mbean access 
> but using a different model based on object name.
> All of the mbeans delegate to the control resources.
> If we add these two additional permissions then we can have a single rbac 
> model (that supports config reload) and more granularity on control resource 
> access from the management address.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (ARTEMIS-4582) add view and update permissions to augment the manage rbac for control resources

2024-02-02 Thread Gary Tully (Jira) 


 [ 
https://issues.apache.org/jira/browse/ARTEMIS-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Gary Tully updated ARTEMIS-4582:

Summary: add view and update permissions to augment the manage rbac for 
control resources  (was: add read and update permissions to augment the manage 
rbac for control resources)

> add view and update permissions to augment the manage rbac for control 
> resources
> 
>
> Key: ARTEMIS-4582
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
> Project: ActiveMQ Artemis
>  Issue Type: Improvement
>  Components: Broker, Configuration, JMX, Web Console
>Affects Versions: 2.31.0
>Reporter: Gary Tully
>Priority: Major
>
> we have the manage permission that allows sending to the management address, 
> to access any control resource.
> We should segment control operations into categories: CRUD provides a basis
> view for get/is (Read)
> edit for set (Update)
> manage for aggregate operations list*  and Create, Delete) also implying both 
> view & edit
>  
> We allow this sort of configuration via management.xml for jmx mbean access 
> but using a different model based on object name.
> All of the mbeans delegate to the control resources.
>  
> If we add these two additional permissions then we can have a single rbac 
> model (that supports config reload) and more granularity on control resource 
> access from the management address.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)