[ https://issues.apache.org/jira/browse/ARTEMIS-4582 ]
Gary Tully deleted comment on ARTEMIS-4582:
-------------------------------------
was (Author: gtully):
The control resources are registered using prefixes, such that they are
available for dynamic invocation, something like sever control is registered
under "broker"
using the management address as the root, permissions on
activemq.management.control.broker would be used to configure permissions on
the servercontrol etc. Where operations are on queuecontrol the actual queue
name would be part of the key.
> add view and edit permissions to extend security-settings rbac for management
> operations
> ----------------------------------------------------------------------------------------
>
> Key: ARTEMIS-4582
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4582
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: Broker, Configuration, JMX, Web Console
> Affects Versions: 2.31.0
> Reporter: Gary Tully
> Assignee: Gary Tully
> Priority: Major
> Time Spent: 4h 20m
> Remaining Estimate: 0h
>
> we have the manage permission that allows sending to the management address,
> to access any control resource. We don't however distinguish what a user can
> do.
> We should segment control operations into categories: CRUD provides a basis
> view for get/is (Read)
> edit for set or operations that mutate or modify.
> We allow this sort of configuration via management.xml for jmx mbean access
> but using a different model based on object name.
> All of the mbeans delegate to the control resources.
> If we add these two additional permissions then we can have a single rbac
> model (that supports config reload) and more granularity on control resource
> access from the management address.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
