[jira] [Work logged] (ARTEMIS-2503) Improve wildcards for the roles access match
[ https://issues.apache.org/jira/browse/ARTEMIS-2503?focusedWorklogId=335005&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-335005 ] ASF GitHub Bot logged work on ARTEMIS-2503: --- Author: ASF GitHub Bot Created on: 28/Oct/19 16:24 Start Date: 28/Oct/19 16:24 Worklog Time Spent: 10m Work Description: jbertram commented on pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match URL: https://github.com/apache/activemq-artemis/pull/2851#discussion_r339662189 ## File path: artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlList.java ## @@ -25,12 +25,22 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.activemq.artemis.core.config.WildcardConfiguration; +import org.apache.activemq.artemis.core.settings.HierarchicalRepository; +import org.apache.activemq.artemis.core.settings.impl.HierarchicalObjectRepository; + public class JMXAccessControlList { private Access defaultAccess = new Access("*"); - private Map domainAccess = new HashMap<>(); + private HierarchicalRepository domainAccess; private ConcurrentHashMap> whitelist = new ConcurrentHashMap<>(); + public JMXAccessControlList() { + WildcardConfiguration domainAccessWildcardConfiguration = new WildcardConfiguration(); Review comment: @brusdev, that makes sense. I think something needs to be added to the docs explaining this otherwise the behavior might catch users by surprise. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 335005) Time Spent: 4h 10m (was: 4h) > Improve wildcards for the roles access match > > > Key: ARTEMIS-2503 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2503 > Project: ActiveMQ Artemis > Issue Type: Improvement >Reporter: Domenico Bruscino >Priority: Major > Time Spent: 4h 10m > Remaining Estimate: 0h > > Please improve wildcard support for the key element in the roles access > element. > ATM you can NOT apply a restriction across a set of queue instances starting > with the same prefix (like below): > {code:java} > > > >... > {code} > If queues are created dynamically and only a queue name "prefix" is known in > advance; JMX RBAC cannot be used to restrict access in this case. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work logged] (ARTEMIS-2503) Improve wildcards for the roles access match
[ https://issues.apache.org/jira/browse/ARTEMIS-2503?focusedWorklogId=334391&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-334391 ] ASF GitHub Bot logged work on ARTEMIS-2503: --- Author: ASF GitHub Bot Created on: 25/Oct/19 22:08 Start Date: 25/Oct/19 22:08 Worklog Time Spent: 10m Work Description: brusdev commented on pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match URL: https://github.com/apache/activemq-artemis/pull/2851#discussion_r339255585 ## File path: artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlList.java ## @@ -25,12 +25,22 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.activemq.artemis.core.config.WildcardConfiguration; +import org.apache.activemq.artemis.core.settings.HierarchicalRepository; +import org.apache.activemq.artemis.core.settings.impl.HierarchicalObjectRepository; + public class JMXAccessControlList { private Access defaultAccess = new Access("*"); - private Map domainAccess = new HashMap<>(); + private HierarchicalRepository domainAccess; private ConcurrentHashMap> whitelist = new ConcurrentHashMap<>(); + public JMXAccessControlList() { + WildcardConfiguration domainAccessWildcardConfiguration = new WildcardConfiguration(); Review comment: @jbertram with the last commit I tried to prioritize exact matches over wildcard matches and longer wildcard matches on shorter wildcard matches. I added the test testBasicRoleWithWildcardInKey that shows what I mean. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 334391) Time Spent: 4h (was: 3h 50m) > Improve wildcards for the roles access match > > > Key: ARTEMIS-2503 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2503 > Project: ActiveMQ Artemis > Issue Type: Improvement >Reporter: Domenico Bruscino >Priority: Major > Time Spent: 4h > Remaining Estimate: 0h > > Please improve wildcard support for the key element in the roles access > element. > ATM you can NOT apply a restriction across a set of queue instances starting > with the same prefix (like below): > {code:java} > > > >... > {code} > If queues are created dynamically and only a queue name "prefix" is known in > advance; JMX RBAC cannot be used to restrict access in this case. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work logged] (ARTEMIS-2503) Improve wildcards for the roles access match
[ https://issues.apache.org/jira/browse/ARTEMIS-2503?focusedWorklogId=334255&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-334255 ] ASF GitHub Bot logged work on ARTEMIS-2503: --- Author: ASF GitHub Bot Created on: 25/Oct/19 17:53 Start Date: 25/Oct/19 17:53 Worklog Time Spent: 10m Work Description: jbertram commented on pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match URL: https://github.com/apache/activemq-artemis/pull/2851#discussion_r339170085 ## File path: artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlList.java ## @@ -25,12 +25,22 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.activemq.artemis.core.config.WildcardConfiguration; +import org.apache.activemq.artemis.core.settings.HierarchicalRepository; +import org.apache.activemq.artemis.core.settings.impl.HierarchicalObjectRepository; + public class JMXAccessControlList { private Access defaultAccess = new Access("*"); - private Map domainAccess = new HashMap<>(); + private HierarchicalRepository domainAccess; private ConcurrentHashMap> whitelist = new ConcurrentHashMap<>(); + public JMXAccessControlList() { + WildcardConfiguration domainAccessWildcardConfiguration = new WildcardConfiguration(); Review comment: It looks like there's a bit more going on here than just prefixing support. Looks like you implemented real regular expression matching and there's a bit in there with the TreeMaps that I don't quite understand. Certain matches are prioritized over others? Can you clarify? This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 334255) Time Spent: 3h 50m (was: 3h 40m) > Improve wildcards for the roles access match > > > Key: ARTEMIS-2503 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2503 > Project: ActiveMQ Artemis > Issue Type: Improvement >Reporter: Domenico Bruscino >Priority: Major > Time Spent: 3h 50m > Remaining Estimate: 0h > > Please improve wildcard support for the key element in the roles access > element. > ATM you can NOT apply a restriction across a set of queue instances starting > with the same prefix (like below): > {code:java} > > > >... > {code} > If queues are created dynamically and only a queue name "prefix" is known in > advance; JMX RBAC cannot be used to restrict access in this case. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work logged] (ARTEMIS-2503) Improve wildcards for the roles access match
[ https://issues.apache.org/jira/browse/ARTEMIS-2503?focusedWorklogId=332825&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-332825 ] ASF GitHub Bot logged work on ARTEMIS-2503: --- Author: ASF GitHub Bot Created on: 23/Oct/19 19:28 Start Date: 23/Oct/19 19:28 Worklog Time Spent: 10m Work Description: asfgit commented on pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match URL: https://github.com/apache/activemq-artemis/pull/2851 This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 332825) Time Spent: 3h 40m (was: 3.5h) > Improve wildcards for the roles access match > > > Key: ARTEMIS-2503 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2503 > Project: ActiveMQ Artemis > Issue Type: Improvement >Reporter: Domenico Bruscino >Priority: Major > Time Spent: 3h 40m > Remaining Estimate: 0h > > Please improve wildcard support for the key element in the roles access > element. > ATM you can NOT apply a restriction across a set of queue instances starting > with the same prefix (like below): > {code:java} > > > >... > {code} > If queues are created dynamically and only a queue name "prefix" is known in > advance; JMX RBAC cannot be used to restrict access in this case. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work logged] (ARTEMIS-2503) Improve wildcards for the roles access match
[ https://issues.apache.org/jira/browse/ARTEMIS-2503?focusedWorklogId=329692&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-329692 ] ASF GitHub Bot logged work on ARTEMIS-2503: --- Author: ASF GitHub Bot Created on: 17/Oct/19 08:25 Start Date: 17/Oct/19 08:25 Worklog Time Spent: 10m Work Description: brusdev commented on pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match URL: https://github.com/apache/activemq-artemis/pull/2851#discussion_r335870325 ## File path: artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlList.java ## @@ -25,12 +25,22 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.activemq.artemis.core.config.WildcardConfiguration; +import org.apache.activemq.artemis.core.settings.HierarchicalRepository; +import org.apache.activemq.artemis.core.settings.impl.HierarchicalObjectRepository; + public class JMXAccessControlList { private Access defaultAccess = new Access("*"); - private Map domainAccess = new HashMap<>(); + private HierarchicalRepository domainAccess; private ConcurrentHashMap> whitelist = new ConcurrentHashMap<>(); + public JMXAccessControlList() { + WildcardConfiguration domainAccessWildcardConfiguration = new WildcardConfiguration(); Review comment: I pushed a commit to simplify the improvement. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 329692) Time Spent: 3.5h (was: 3h 20m) > Improve wildcards for the roles access match > > > Key: ARTEMIS-2503 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2503 > Project: ActiveMQ Artemis > Issue Type: Improvement >Reporter: Domenico Bruscino >Priority: Major > Time Spent: 3.5h > Remaining Estimate: 0h > > Please improve wildcard support for the key element in the roles access > element. > ATM you can NOT apply a restriction across a set of queue instances starting > with the same prefix (like below): > {code:java} > > > >... > {code} > If queues are created dynamically and only a queue name "prefix" is known in > advance; JMX RBAC cannot be used to restrict access in this case. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work logged] (ARTEMIS-2503) Improve wildcards for the roles access match
[ https://issues.apache.org/jira/browse/ARTEMIS-2503?focusedWorklogId=329457&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-329457 ] ASF GitHub Bot logged work on ARTEMIS-2503: --- Author: ASF GitHub Bot Created on: 16/Oct/19 22:22 Start Date: 16/Oct/19 22:22 Worklog Time Spent: 10m Work Description: jbertram commented on pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match URL: https://github.com/apache/activemq-artemis/pull/2851#discussion_r334624011 ## File path: artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlList.java ## @@ -25,12 +25,22 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.activemq.artemis.core.config.WildcardConfiguration; +import org.apache.activemq.artemis.core.settings.HierarchicalRepository; +import org.apache.activemq.artemis.core.settings.impl.HierarchicalObjectRepository; + public class JMXAccessControlList { private Access defaultAccess = new Access("*"); - private Map domainAccess = new HashMap<>(); + private HierarchicalRepository domainAccess; private ConcurrentHashMap> whitelist = new ConcurrentHashMap<>(); + public JMXAccessControlList() { + WildcardConfiguration domainAccessWildcardConfiguration = new WildcardConfiguration(); Review comment: These use-cases seem pretty different to me. The wildcard configuration in broker.xml is for address matching which is hierarchical in nature and therefore requires separating "words", matching individual and groups of words, etc. The "match" performed for keys defined in management.xml is basically just a **prefix**. It's not hierarchical and doesn't even use regular expressions. It's *very* simple and IMO it should stay that way. > If i need to secure a wildcard of address or queues on broker then no doubt i need to secure the same pattern from admin pov to. I'm not sure there is "no doubt" about that. Use cases for the security of actual messaging clients and management users can vary quite a bit. In any case, the same kind of matching isn't possible in management.xml as it is in broker.xml either before or after this PR. The use-case for this PR is just allowing a simple prefixing for the match "key" just like is available for the access "method" field. The syntax is the same. It's just allowing it in a new field. I don't see any issue with that. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 329457) Time Spent: 3h 20m (was: 3h 10m) > Improve wildcards for the roles access match > > > Key: ARTEMIS-2503 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2503 > Project: ActiveMQ Artemis > Issue Type: Improvement >Reporter: Domenico Bruscino >Priority: Major > Time Spent: 3h 20m > Remaining Estimate: 0h > > Please improve wildcard support for the key element in the roles access > element. > ATM you can NOT apply a restriction across a set of queue instances starting > with the same prefix (like below): > {code:java} > > > >... > {code} > If queues are created dynamically and only a queue name "prefix" is known in > advance; JMX RBAC cannot be used to restrict access in this case. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work logged] (ARTEMIS-2503) Improve wildcards for the roles access match
[ https://issues.apache.org/jira/browse/ARTEMIS-2503?focusedWorklogId=328066&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-328066 ] ASF GitHub Bot logged work on ARTEMIS-2503: --- Author: ASF GitHub Bot Created on: 14/Oct/19 19:13 Start Date: 14/Oct/19 19:13 Worklog Time Spent: 10m Work Description: clebertsuconic commented on pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match URL: https://github.com/apache/activemq-artemis/pull/2851#discussion_r334625086 ## File path: artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlList.java ## @@ -25,12 +25,22 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.activemq.artemis.core.config.WildcardConfiguration; +import org.apache.activemq.artemis.core.settings.HierarchicalRepository; +import org.apache.activemq.artemis.core.settings.impl.HierarchicalObjectRepository; + public class JMXAccessControlList { private Access defaultAccess = new Access("*"); - private Map domainAccess = new HashMap<>(); + private HierarchicalRepository domainAccess; private ConcurrentHashMap> whitelist = new ConcurrentHashMap<>(); + public JMXAccessControlList() { + WildcardConfiguration domainAccessWildcardConfiguration = new WildcardConfiguration(); Review comment: @michaelandrepearce what do you suggest? merge management and broker.xml? That's certainly desirable. but I don't think we can do it before a 3.0. management is on a different domain from queues and addresses. it's about object names.. not queue names.. hence something simpler would certainly apply here. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 328066) Time Spent: 3h 10m (was: 3h) > Improve wildcards for the roles access match > > > Key: ARTEMIS-2503 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2503 > Project: ActiveMQ Artemis > Issue Type: Improvement >Reporter: Domenico Bruscino >Priority: Major > Time Spent: 3h 10m > Remaining Estimate: 0h > > Please improve wildcard support for the key element in the roles access > element. > ATM you can NOT apply a restriction across a set of queue instances starting > with the same prefix (like below): > {code:java} > > > >... > {code} > If queues are created dynamically and only a queue name "prefix" is known in > advance; JMX RBAC cannot be used to restrict access in this case. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work logged] (ARTEMIS-2503) Improve wildcards for the roles access match
[ https://issues.apache.org/jira/browse/ARTEMIS-2503?focusedWorklogId=328064&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-328064 ] ASF GitHub Bot logged work on ARTEMIS-2503: --- Author: ASF GitHub Bot Created on: 14/Oct/19 19:10 Start Date: 14/Oct/19 19:10 Worklog Time Spent: 10m Work Description: jbertram commented on pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match URL: https://github.com/apache/activemq-artemis/pull/2851#discussion_r334624011 ## File path: artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlList.java ## @@ -25,12 +25,22 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.activemq.artemis.core.config.WildcardConfiguration; +import org.apache.activemq.artemis.core.settings.HierarchicalRepository; +import org.apache.activemq.artemis.core.settings.impl.HierarchicalObjectRepository; + public class JMXAccessControlList { private Access defaultAccess = new Access("*"); - private Map domainAccess = new HashMap<>(); + private HierarchicalRepository domainAccess; private ConcurrentHashMap> whitelist = new ConcurrentHashMap<>(); + public JMXAccessControlList() { + WildcardConfiguration domainAccessWildcardConfiguration = new WildcardConfiguration(); Review comment: These use-cases seem pretty different to me. The wildcard configuration in broker.xml is for address matching which is hierarchical in nature and therefore requires separating "words", matching individual and groups of words, etc. The "match" performed for keys defined in management.xml is basically just a **prefix**. It's not hierarchical and doesn't even use regular expressions. It's *very* simple and IMO it should stay that way. > If i need to secure a wildcard of address or queues on broker then no doubt i need to secure the same pattern from admin pov to. I'm not sure is "no doubt" about that. Use cases for the security of actual messaging clients and management users can vary quite a bit. In any case, the same kind of matching isn't possible in management.xml as it is in broker.xml either before or after this PR. The use-case for this PR is just allowing a simple prefixing for the match "key" just like is available for the access "method" field. The syntax is the same. It's just allowing it in a new field. I don't see any issue with that. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 328064) Time Spent: 3h (was: 2h 50m) > Improve wildcards for the roles access match > > > Key: ARTEMIS-2503 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2503 > Project: ActiveMQ Artemis > Issue Type: Improvement >Reporter: Domenico Bruscino >Priority: Major > Time Spent: 3h > Remaining Estimate: 0h > > Please improve wildcard support for the key element in the roles access > element. > ATM you can NOT apply a restriction across a set of queue instances starting > with the same prefix (like below): > {code:java} > > > >... > {code} > If queues are created dynamically and only a queue name "prefix" is known in > advance; JMX RBAC cannot be used to restrict access in this case. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work logged] (ARTEMIS-2503) Improve wildcards for the roles access match
[ https://issues.apache.org/jira/browse/ARTEMIS-2503?focusedWorklogId=328015&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-328015 ] ASF GitHub Bot logged work on ARTEMIS-2503: --- Author: ASF GitHub Bot Created on: 14/Oct/19 17:48 Start Date: 14/Oct/19 17:48 Worklog Time Spent: 10m Work Description: michaelandrepearce commented on pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match URL: https://github.com/apache/activemq-artemis/pull/2851#discussion_r334593077 ## File path: artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlList.java ## @@ -25,12 +25,22 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.activemq.artemis.core.config.WildcardConfiguration; +import org.apache.activemq.artemis.core.settings.HierarchicalRepository; +import org.apache.activemq.artemis.core.settings.impl.HierarchicalObjectRepository; + public class JMXAccessControlList { private Access defaultAccess = new Access("*"); - private Map domainAccess = new HashMap<>(); + private HierarchicalRepository domainAccess; private ConcurrentHashMap> whitelist = new ConcurrentHashMap<>(); + public JMXAccessControlList() { + WildcardConfiguration domainAccessWildcardConfiguration = new WildcardConfiguration(); Review comment: So my concern is trying to automate and unify the config the fact already slightly snowflaked gives me a massive headache as is. Really don't need further differing config. If we want to enchance the wildcards in management i feel strongly we need to align it. E.g. either leave as is, or any new more enhanced stuff needs to be aligned. I see no reason to have a differing approaches. If i need to secure a wildcard of address or queues on broker then no doubt i need to secure the same pattern from admin pov to. Keeping it all aligned just makes it better and simpler to operate This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 328015) Time Spent: 2h 50m (was: 2h 40m) > Improve wildcards for the roles access match > > > Key: ARTEMIS-2503 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2503 > Project: ActiveMQ Artemis > Issue Type: Improvement >Reporter: Domenico Bruscino >Priority: Major > Time Spent: 2h 50m > Remaining Estimate: 0h > > Please improve wildcard support for the key element in the roles access > element. > ATM you can NOT apply a restriction across a set of queue instances starting > with the same prefix (like below): > {code:java} > > > >... > {code} > If queues are created dynamically and only a queue name "prefix" is known in > advance; JMX RBAC cannot be used to restrict access in this case. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work logged] (ARTEMIS-2503) Improve wildcards for the roles access match
[ https://issues.apache.org/jira/browse/ARTEMIS-2503?focusedWorklogId=328012&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-328012 ] ASF GitHub Bot logged work on ARTEMIS-2503: --- Author: ASF GitHub Bot Created on: 14/Oct/19 17:47 Start Date: 14/Oct/19 17:47 Worklog Time Spent: 10m Work Description: michaelandrepearce commented on pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match URL: https://github.com/apache/activemq-artemis/pull/2851#discussion_r334593077 ## File path: artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlList.java ## @@ -25,12 +25,22 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.activemq.artemis.core.config.WildcardConfiguration; +import org.apache.activemq.artemis.core.settings.HierarchicalRepository; +import org.apache.activemq.artemis.core.settings.impl.HierarchicalObjectRepository; + public class JMXAccessControlList { private Access defaultAccess = new Access("*"); - private Map domainAccess = new HashMap<>(); + private HierarchicalRepository domainAccess; private ConcurrentHashMap> whitelist = new ConcurrentHashMap<>(); + public JMXAccessControlList() { + WildcardConfiguration domainAccessWildcardConfiguration = new WildcardConfiguration(); Review comment: So my concern is trying to automate and unify the config the fact already slightly snowflaked gives me a massive headache as is. Really don't need further differing config. If we want to enchance the wildcards in management i feel strongly we need to align it. E.g. either leave as is, or any new more enhanced stuff needs to be aligned. I see no reason to have a differing approaches. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 328012) Time Spent: 2h 40m (was: 2.5h) > Improve wildcards for the roles access match > > > Key: ARTEMIS-2503 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2503 > Project: ActiveMQ Artemis > Issue Type: Improvement >Reporter: Domenico Bruscino >Priority: Major > Time Spent: 2h 40m > Remaining Estimate: 0h > > Please improve wildcard support for the key element in the roles access > element. > ATM you can NOT apply a restriction across a set of queue instances starting > with the same prefix (like below): > {code:java} > > > >... > {code} > If queues are created dynamically and only a queue name "prefix" is known in > advance; JMX RBAC cannot be used to restrict access in this case. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work logged] (ARTEMIS-2503) Improve wildcards for the roles access match
[ https://issues.apache.org/jira/browse/ARTEMIS-2503?focusedWorklogId=328009&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-328009 ] ASF GitHub Bot logged work on ARTEMIS-2503: --- Author: ASF GitHub Bot Created on: 14/Oct/19 17:46 Start Date: 14/Oct/19 17:46 Worklog Time Spent: 10m Work Description: michaelandrepearce commented on pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match URL: https://github.com/apache/activemq-artemis/pull/2851#discussion_r334593077 ## File path: artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlList.java ## @@ -25,12 +25,22 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.activemq.artemis.core.config.WildcardConfiguration; +import org.apache.activemq.artemis.core.settings.HierarchicalRepository; +import org.apache.activemq.artemis.core.settings.impl.HierarchicalObjectRepository; + public class JMXAccessControlList { private Access defaultAccess = new Access("*"); - private Map domainAccess = new HashMap<>(); + private HierarchicalRepository domainAccess; private ConcurrentHashMap> whitelist = new ConcurrentHashMap<>(); + public JMXAccessControlList() { + WildcardConfiguration domainAccessWildcardConfiguration = new WildcardConfiguration(); Review comment: So my concern is trying to automate and unify the config the fact already slightly snowflaked gives me a massive headache as is. Really don't need further differing config. If we want to enchance the wildcards in management i feel strongly we need to align it This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 328009) Time Spent: 2.5h (was: 2h 20m) > Improve wildcards for the roles access match > > > Key: ARTEMIS-2503 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2503 > Project: ActiveMQ Artemis > Issue Type: Improvement >Reporter: Domenico Bruscino >Priority: Major > Time Spent: 2.5h > Remaining Estimate: 0h > > Please improve wildcard support for the key element in the roles access > element. > ATM you can NOT apply a restriction across a set of queue instances starting > with the same prefix (like below): > {code:java} > > > >... > {code} > If queues are created dynamically and only a queue name "prefix" is known in > advance; JMX RBAC cannot be used to restrict access in this case. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work logged] (ARTEMIS-2503) Improve wildcards for the roles access match
[ https://issues.apache.org/jira/browse/ARTEMIS-2503?focusedWorklogId=327923&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-327923 ] ASF GitHub Bot logged work on ARTEMIS-2503: --- Author: ASF GitHub Bot Created on: 14/Oct/19 15:50 Start Date: 14/Oct/19 15:50 Worklog Time Spent: 10m Work Description: clebertsuconic commented on pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match URL: https://github.com/apache/activemq-artemis/pull/2851#discussion_r334548567 ## File path: artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlList.java ## @@ -25,12 +25,22 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.activemq.artemis.core.config.WildcardConfiguration; +import org.apache.activemq.artemis.core.settings.HierarchicalRepository; +import org.apache.activemq.artemis.core.settings.impl.HierarchicalObjectRepository; + public class JMXAccessControlList { private Access defaultAccess = new Access("*"); - private Map domainAccess = new HashMap<>(); + private HierarchicalRepository domainAccess; private ConcurrentHashMap> whitelist = new ConcurrentHashMap<>(); + public JMXAccessControlList() { + WildcardConfiguration domainAccessWildcardConfiguration = new WildcardConfiguration(); Review comment: I'm concerned about users abusing the configuration on management, things not working later.. and having to answer to user forum's / customer issues... etc... This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 327923) Time Spent: 2h 20m (was: 2h 10m) > Improve wildcards for the roles access match > > > Key: ARTEMIS-2503 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2503 > Project: ActiveMQ Artemis > Issue Type: Improvement >Reporter: Domenico Bruscino >Priority: Major > Time Spent: 2h 20m > Remaining Estimate: 0h > > Please improve wildcard support for the key element in the roles access > element. > ATM you can NOT apply a restriction across a set of queue instances starting > with the same prefix (like below): > {code:java} > > > >... > {code} > If queues are created dynamically and only a queue name "prefix" is known in > advance; JMX RBAC cannot be used to restrict access in this case. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work logged] (ARTEMIS-2503) Improve wildcards for the roles access match
[ https://issues.apache.org/jira/browse/ARTEMIS-2503?focusedWorklogId=327920&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-327920 ] ASF GitHub Bot logged work on ARTEMIS-2503: --- Author: ASF GitHub Bot Created on: 14/Oct/19 15:48 Start Date: 14/Oct/19 15:48 Worklog Time Spent: 10m Work Description: clebertsuconic commented on pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match URL: https://github.com/apache/activemq-artemis/pull/2851#discussion_r334547881 ## File path: artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlList.java ## @@ -25,12 +25,22 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.activemq.artemis.core.config.WildcardConfiguration; +import org.apache.activemq.artemis.core.settings.HierarchicalRepository; +import org.apache.activemq.artemis.core.settings.impl.HierarchicalObjectRepository; + public class JMXAccessControlList { private Access defaultAccess = new Access("*"); - private Map domainAccess = new HashMap<>(); + private HierarchicalRepository domainAccess; private ConcurrentHashMap> whitelist = new ConcurrentHashMap<>(); + public JMXAccessControlList() { + WildcardConfiguration domainAccessWildcardConfiguration = new WildcardConfiguration(); Review comment: @michaelandrepearce my personal opinion here: can't we keep this simple.. meaning. no configuration of wildcard for management? I see this can be useful on queues.. etc.. but on management, if we could keep it simple?? I mean... management and broker should be kept independent.. I wouldn't load something from broker.xml to change semantics on management... And if you require the wildcard configuration, then you need testing..and more moving parts bound to fail and document... I would prefer to keep it simpler? This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 327920) Time Spent: 2h 10m (was: 2h) > Improve wildcards for the roles access match > > > Key: ARTEMIS-2503 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2503 > Project: ActiveMQ Artemis > Issue Type: Improvement >Reporter: Domenico Bruscino >Priority: Major > Time Spent: 2h 10m > Remaining Estimate: 0h > > Please improve wildcard support for the key element in the roles access > element. > ATM you can NOT apply a restriction across a set of queue instances starting > with the same prefix (like below): > {code:java} > > > >... > {code} > If queues are created dynamically and only a queue name "prefix" is known in > advance; JMX RBAC cannot be used to restrict access in this case. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work logged] (ARTEMIS-2503) Improve wildcards for the roles access match
[ https://issues.apache.org/jira/browse/ARTEMIS-2503?focusedWorklogId=325755&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-325755 ] ASF GitHub Bot logged work on ARTEMIS-2503: --- Author: ASF GitHub Bot Created on: 09/Oct/19 15:22 Start Date: 09/Oct/19 15:22 Worklog Time Spent: 10m Work Description: brusdev commented on pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match URL: https://github.com/apache/activemq-artemis/pull/2851#discussion_r333078297 ## File path: artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlList.java ## @@ -25,12 +25,22 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.activemq.artemis.core.config.WildcardConfiguration; +import org.apache.activemq.artemis.core.settings.HierarchicalRepository; +import org.apache.activemq.artemis.core.settings.impl.HierarchicalObjectRepository; + public class JMXAccessControlList { private Access defaultAccess = new Access("*"); - private Map domainAccess = new HashMap<>(); + private HierarchicalRepository domainAccess; private ConcurrentHashMap> whitelist = new ConcurrentHashMap<>(); + public JMXAccessControlList() { + WildcardConfiguration domainAccessWildcardConfiguration = new WildcardConfiguration(); Review comment: @michaelandrepearce WDYT about the last changes? This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 325755) Time Spent: 2h (was: 1h 50m) > Improve wildcards for the roles access match > > > Key: ARTEMIS-2503 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2503 > Project: ActiveMQ Artemis > Issue Type: Improvement >Reporter: Domenico Bruscino >Priority: Major > Time Spent: 2h > Remaining Estimate: 0h > > Please improve wildcard support for the key element in the roles access > element. > ATM you can NOT apply a restriction across a set of queue instances starting > with the same prefix (like below): > {code:java} > > > >... > {code} > If queues are created dynamically and only a queue name "prefix" is known in > advance; JMX RBAC cannot be used to restrict access in this case. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work logged] (ARTEMIS-2503) Improve wildcards for the roles access match
[ https://issues.apache.org/jira/browse/ARTEMIS-2503?focusedWorklogId=319471&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-319471 ] ASF GitHub Bot logged work on ARTEMIS-2503: --- Author: ASF GitHub Bot Created on: 27/Sep/19 10:19 Start Date: 27/Sep/19 10:19 Worklog Time Spent: 10m Work Description: brusdev commented on pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match URL: https://github.com/apache/activemq-artemis/pull/2851#discussion_r329007446 ## File path: artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlList.java ## @@ -25,12 +25,22 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.activemq.artemis.core.config.WildcardConfiguration; +import org.apache.activemq.artemis.core.settings.HierarchicalRepository; +import org.apache.activemq.artemis.core.settings.impl.HierarchicalObjectRepository; + public class JMXAccessControlList { private Access defaultAccess = new Access("*"); - private Map domainAccess = new HashMap<>(); + private HierarchicalRepository domainAccess; private ConcurrentHashMap> whitelist = new ConcurrentHashMap<>(); + public JMXAccessControlList() { + WildcardConfiguration domainAccessWildcardConfiguration = new WildcardConfiguration(); Review comment: I pushed a commit to use the same flexible wildcard support used for the addresses but I added a new node to customize the wildcard syntax for the authorisation key attributes because: - the addresses and the keys wildcard support could have different requirements - to avoid to introduce a dependence between management.xml and broker.xml This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 319471) Time Spent: 1h 50m (was: 1h 40m) > Improve wildcards for the roles access match > > > Key: ARTEMIS-2503 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2503 > Project: ActiveMQ Artemis > Issue Type: Improvement >Reporter: Domenico Bruscino >Priority: Major > Time Spent: 1h 50m > Remaining Estimate: 0h > > Please improve wildcard support for the key element in the roles access > element. > ATM you can NOT apply a restriction across a set of queue instances starting > with the same prefix (like below): > {code:java} > > > >... > {code} > If queues are created dynamically and only a queue name "prefix" is known in > advance; JMX RBAC cannot be used to restrict access in this case. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work logged] (ARTEMIS-2503) Improve wildcards for the roles access match
[ https://issues.apache.org/jira/browse/ARTEMIS-2503?focusedWorklogId=318922&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-318922 ] ASF GitHub Bot logged work on ARTEMIS-2503: --- Author: ASF GitHub Bot Created on: 26/Sep/19 11:35 Start Date: 26/Sep/19 11:35 Worklog Time Spent: 10m Work Description: michaelandrepearce commented on pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match URL: https://github.com/apache/activemq-artemis/pull/2851#discussion_r328571326 ## File path: artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlList.java ## @@ -25,12 +25,22 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.activemq.artemis.core.config.WildcardConfiguration; +import org.apache.activemq.artemis.core.settings.HierarchicalRepository; +import org.apache.activemq.artemis.core.settings.impl.HierarchicalObjectRepository; + public class JMXAccessControlList { private Access defaultAccess = new Access("*"); - private Map domainAccess = new HashMap<>(); + private HierarchicalRepository domainAccess; private ConcurrentHashMap> whitelist = new ConcurrentHashMap<>(); + public JMXAccessControlList() { + WildcardConfiguration domainAccessWildcardConfiguration = new WildcardConfiguration(); Review comment: As the deviation was in management.xml probably there. Others may have other opinions. Im not heavily opinionated on where. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 318922) Time Spent: 1h 40m (was: 1.5h) > Improve wildcards for the roles access match > > > Key: ARTEMIS-2503 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2503 > Project: ActiveMQ Artemis > Issue Type: Improvement >Reporter: Domenico Bruscino >Priority: Major > Time Spent: 1h 40m > Remaining Estimate: 0h > > Please improve wildcard support for the key element in the roles access > element. > ATM you can NOT apply a restriction across a set of queue instances starting > with the same prefix (like below): > {code:java} > > > >... > {code} > If queues are created dynamically and only a queue name "prefix" is known in > advance; JMX RBAC cannot be used to restrict access in this case. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work logged] (ARTEMIS-2503) Improve wildcards for the roles access match
[ https://issues.apache.org/jira/browse/ARTEMIS-2503?focusedWorklogId=318921&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-318921 ] ASF GitHub Bot logged work on ARTEMIS-2503: --- Author: ASF GitHub Bot Created on: 26/Sep/19 11:34 Start Date: 26/Sep/19 11:34 Worklog Time Spent: 10m Work Description: michaelandrepearce commented on pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match URL: https://github.com/apache/activemq-artemis/pull/2851#discussion_r328571326 ## File path: artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlList.java ## @@ -25,12 +25,22 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.activemq.artemis.core.config.WildcardConfiguration; +import org.apache.activemq.artemis.core.settings.HierarchicalRepository; +import org.apache.activemq.artemis.core.settings.impl.HierarchicalObjectRepository; + public class JMXAccessControlList { private Access defaultAccess = new Access("*"); - private Map domainAccess = new HashMap<>(); + private HierarchicalRepository domainAccess; private ConcurrentHashMap> whitelist = new ConcurrentHashMap<>(); + public JMXAccessControlList() { + WildcardConfiguration domainAccessWildcardConfiguration = new WildcardConfiguration(); Review comment: As the deviation was in management.xml probably there This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 318921) Time Spent: 1.5h (was: 1h 20m) > Improve wildcards for the roles access match > > > Key: ARTEMIS-2503 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2503 > Project: ActiveMQ Artemis > Issue Type: Improvement >Reporter: Domenico Bruscino >Priority: Major > Time Spent: 1.5h > Remaining Estimate: 0h > > Please improve wildcard support for the key element in the roles access > element. > ATM you can NOT apply a restriction across a set of queue instances starting > with the same prefix (like below): > {code:java} > > > >... > {code} > If queues are created dynamically and only a queue name "prefix" is known in > advance; JMX RBAC cannot be used to restrict access in this case. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work logged] (ARTEMIS-2503) Improve wildcards for the roles access match
[ https://issues.apache.org/jira/browse/ARTEMIS-2503?focusedWorklogId=318912&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-318912 ] ASF GitHub Bot logged work on ARTEMIS-2503: --- Author: ASF GitHub Bot Created on: 26/Sep/19 10:36 Start Date: 26/Sep/19 10:36 Worklog Time Spent: 10m Work Description: brusdev commented on pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match URL: https://github.com/apache/activemq-artemis/pull/2851#discussion_r328550740 ## File path: artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlList.java ## @@ -25,12 +25,22 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.activemq.artemis.core.config.WildcardConfiguration; +import org.apache.activemq.artemis.core.settings.HierarchicalRepository; +import org.apache.activemq.artemis.core.settings.impl.HierarchicalObjectRepository; + public class JMXAccessControlList { private Access defaultAccess = new Access("*"); - private Map domainAccess = new HashMap<>(); + private HierarchicalRepository domainAccess; private ConcurrentHashMap> whitelist = new ConcurrentHashMap<>(); + public JMXAccessControlList() { + WildcardConfiguration domainAccessWildcardConfiguration = new WildcardConfiguration(); Review comment: I like your solution where would you put the flag, broker.xml or management.xml? This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 318912) Time Spent: 1h 20m (was: 1h 10m) > Improve wildcards for the roles access match > > > Key: ARTEMIS-2503 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2503 > Project: ActiveMQ Artemis > Issue Type: Improvement >Reporter: Domenico Bruscino >Priority: Major > Time Spent: 1h 20m > Remaining Estimate: 0h > > Please improve wildcard support for the key element in the roles access > element. > ATM you can NOT apply a restriction across a set of queue instances starting > with the same prefix (like below): > {code:java} > > > >... > {code} > If queues are created dynamically and only a queue name "prefix" is known in > advance; JMX RBAC cannot be used to restrict access in this case. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work logged] (ARTEMIS-2503) Improve wildcards for the roles access match
[ https://issues.apache.org/jira/browse/ARTEMIS-2503?focusedWorklogId=318829&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-318829 ] ASF GitHub Bot logged work on ARTEMIS-2503: --- Author: ASF GitHub Bot Created on: 26/Sep/19 06:45 Start Date: 26/Sep/19 06:45 Worklog Time Spent: 10m Work Description: michaelandrepearce commented on pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match URL: https://github.com/apache/activemq-artemis/pull/2851#discussion_r328457234 ## File path: artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlList.java ## @@ -25,12 +25,22 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.activemq.artemis.core.config.WildcardConfiguration; +import org.apache.activemq.artemis.core.settings.HierarchicalRepository; +import org.apache.activemq.artemis.core.settings.impl.HierarchicalObjectRepository; + public class JMXAccessControlList { private Access defaultAccess = new Access("*"); - private Map domainAccess = new HashMap<>(); + private HierarchicalRepository domainAccess; private ConcurrentHashMap> whitelist = new ConcurrentHashMap<>(); + public JMXAccessControlList() { + WildcardConfiguration domainAccessWildcardConfiguration = new WildcardConfiguration(); Review comment: Point here is you could put a flag so that it uses old non flexible or use the broker.xml one. Lets not further diverge. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 318829) Time Spent: 1h (was: 50m) > Improve wildcards for the roles access match > > > Key: ARTEMIS-2503 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2503 > Project: ActiveMQ Artemis > Issue Type: Improvement >Reporter: Domenico Bruscino >Priority: Major > Time Spent: 1h > Remaining Estimate: 0h > > Please improve wildcard support for the key element in the roles access > element. > ATM you can NOT apply a restriction across a set of queue instances starting > with the same prefix (like below): > {code:java} > > > >... > {code} > If queues are created dynamically and only a queue name "prefix" is known in > advance; JMX RBAC cannot be used to restrict access in this case. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work logged] (ARTEMIS-2503) Improve wildcards for the roles access match
[ https://issues.apache.org/jira/browse/ARTEMIS-2503?focusedWorklogId=318830&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-318830 ] ASF GitHub Bot logged work on ARTEMIS-2503: --- Author: ASF GitHub Bot Created on: 26/Sep/19 06:46 Start Date: 26/Sep/19 06:46 Worklog Time Spent: 10m Work Description: michaelandrepearce commented on pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match URL: https://github.com/apache/activemq-artemis/pull/2851#discussion_r328457234 ## File path: artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlList.java ## @@ -25,12 +25,22 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.activemq.artemis.core.config.WildcardConfiguration; +import org.apache.activemq.artemis.core.settings.HierarchicalRepository; +import org.apache.activemq.artemis.core.settings.impl.HierarchicalObjectRepository; + public class JMXAccessControlList { private Access defaultAccess = new Access("*"); - private Map domainAccess = new HashMap<>(); + private HierarchicalRepository domainAccess; private ConcurrentHashMap> whitelist = new ConcurrentHashMap<>(); + public JMXAccessControlList() { + WildcardConfiguration domainAccessWildcardConfiguration = new WildcardConfiguration(); Review comment: Point here is you could put a flag so that it uses old non flexible or use the broker.xml one. Lets not further diverge, wildcards. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 318830) Time Spent: 1h 10m (was: 1h) > Improve wildcards for the roles access match > > > Key: ARTEMIS-2503 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2503 > Project: ActiveMQ Artemis > Issue Type: Improvement >Reporter: Domenico Bruscino >Priority: Major > Time Spent: 1h 10m > Remaining Estimate: 0h > > Please improve wildcard support for the key element in the roles access > element. > ATM you can NOT apply a restriction across a set of queue instances starting > with the same prefix (like below): > {code:java} > > > >... > {code} > If queues are created dynamically and only a queue name "prefix" is known in > advance; JMX RBAC cannot be used to restrict access in this case. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work logged] (ARTEMIS-2503) Improve wildcards for the roles access match
[ https://issues.apache.org/jira/browse/ARTEMIS-2503?focusedWorklogId=318779&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-318779 ] ASF GitHub Bot logged work on ARTEMIS-2503: --- Author: ASF GitHub Bot Created on: 26/Sep/19 04:36 Start Date: 26/Sep/19 04:36 Worklog Time Spent: 10m Work Description: brusdev commented on pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match URL: https://github.com/apache/activemq-artemis/pull/2851#discussion_r328431483 ## File path: artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlList.java ## @@ -25,12 +25,22 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.activemq.artemis.core.config.WildcardConfiguration; +import org.apache.activemq.artemis.core.settings.HierarchicalRepository; +import org.apache.activemq.artemis.core.settings.impl.HierarchicalObjectRepository; + public class JMXAccessControlList { private Access defaultAccess = new Access("*"); - private Map domainAccess = new HashMap<>(); + private HierarchicalRepository domainAccess; private ConcurrentHashMap> whitelist = new ConcurrentHashMap<>(); + public JMXAccessControlList() { + WildcardConfiguration domainAccessWildcardConfiguration = new WildcardConfiguration(); Review comment: The previous implementation of the wildcard for the key attribute (documented here https://github.com/apache/activemq-artemis/blob/master/docs/user-manual/en/management.md) isn't compatible with broker custom wildcard config defined in broker.xml. If wildcard configuration uses the same as broker.xml it could break the compatibility with the previous implementation. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 318779) Time Spent: 50m (was: 40m) > Improve wildcards for the roles access match > > > Key: ARTEMIS-2503 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2503 > Project: ActiveMQ Artemis > Issue Type: Improvement >Reporter: Domenico Bruscino >Priority: Major > Time Spent: 50m > Remaining Estimate: 0h > > Please improve wildcard support for the key element in the roles access > element. > ATM you can NOT apply a restriction across a set of queue instances starting > with the same prefix (like below): > {code:java} > > > >... > {code} > If queues are created dynamically and only a queue name "prefix" is known in > advance; JMX RBAC cannot be used to restrict access in this case. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work logged] (ARTEMIS-2503) Improve wildcards for the roles access match
[ https://issues.apache.org/jira/browse/ARTEMIS-2503?focusedWorklogId=318730&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-318730 ] ASF GitHub Bot logged work on ARTEMIS-2503: --- Author: ASF GitHub Bot Created on: 26/Sep/19 02:08 Start Date: 26/Sep/19 02:08 Worklog Time Spent: 10m Work Description: michaelandrepearce commented on pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match URL: https://github.com/apache/activemq-artemis/pull/2851#discussion_r328408327 ## File path: artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlList.java ## @@ -25,12 +25,22 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.activemq.artemis.core.config.WildcardConfiguration; +import org.apache.activemq.artemis.core.settings.HierarchicalRepository; +import org.apache.activemq.artemis.core.settings.impl.HierarchicalObjectRepository; + public class JMXAccessControlList { private Access defaultAccess = new Access("*"); - private Map domainAccess = new HashMap<>(); + private HierarchicalRepository domainAccess; private ConcurrentHashMap> whitelist = new ConcurrentHashMap<>(); + public JMXAccessControlList() { + WildcardConfiguration domainAccessWildcardConfiguration = new WildcardConfiguration(); Review comment: Wildcard configuration should use the same as broker.xml e.g. if on broker custom wildcard config, then the same customisation should be supported here. E.g someone may use different separators in broker.xml for example. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 318730) Time Spent: 40m (was: 0.5h) > Improve wildcards for the roles access match > > > Key: ARTEMIS-2503 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2503 > Project: ActiveMQ Artemis > Issue Type: Improvement >Reporter: Domenico Bruscino >Priority: Major > Time Spent: 40m > Remaining Estimate: 0h > > Please improve wildcard support for the key element in the roles access > element. > ATM you can NOT apply a restriction across a set of queue instances starting > with the same prefix (like below): > {code:java} > > > >... > {code} > If queues are created dynamically and only a queue name "prefix" is known in > advance; JMX RBAC cannot be used to restrict access in this case. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work logged] (ARTEMIS-2503) Improve wildcards for the roles access match
[ https://issues.apache.org/jira/browse/ARTEMIS-2503?focusedWorklogId=318728&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-318728 ] ASF GitHub Bot logged work on ARTEMIS-2503: --- Author: ASF GitHub Bot Created on: 26/Sep/19 02:05 Start Date: 26/Sep/19 02:05 Worklog Time Spent: 10m Work Description: michaelandrepearce commented on pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match URL: https://github.com/apache/activemq-artemis/pull/2851#discussion_r328408327 ## File path: artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlList.java ## @@ -25,12 +25,22 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.activemq.artemis.core.config.WildcardConfiguration; +import org.apache.activemq.artemis.core.settings.HierarchicalRepository; +import org.apache.activemq.artemis.core.settings.impl.HierarchicalObjectRepository; + public class JMXAccessControlList { private Access defaultAccess = new Access("*"); - private Map domainAccess = new HashMap<>(); + private HierarchicalRepository domainAccess; private ConcurrentHashMap> whitelist = new ConcurrentHashMap<>(); + public JMXAccessControlList() { + WildcardConfiguration domainAccessWildcardConfiguration = new WildcardConfiguration(); Review comment: Wildcard configuration should use the same as broker.xml e.g. if on broker custom wildcard config, then the same customisation should be supported here This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 318728) Time Spent: 0.5h (was: 20m) > Improve wildcards for the roles access match > > > Key: ARTEMIS-2503 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2503 > Project: ActiveMQ Artemis > Issue Type: Improvement >Reporter: Domenico Bruscino >Priority: Major > Time Spent: 0.5h > Remaining Estimate: 0h > > Please improve wildcard support for the key element in the roles access > element. > ATM you can NOT apply a restriction across a set of queue instances starting > with the same prefix (like below): > {code:java} > > > >... > {code} > If queues are created dynamically and only a queue name "prefix" is known in > advance; JMX RBAC cannot be used to restrict access in this case. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work logged] (ARTEMIS-2503) Improve wildcards for the roles access match
[ https://issues.apache.org/jira/browse/ARTEMIS-2503?focusedWorklogId=318726&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-318726 ] ASF GitHub Bot logged work on ARTEMIS-2503: --- Author: ASF GitHub Bot Created on: 26/Sep/19 02:04 Start Date: 26/Sep/19 02:04 Worklog Time Spent: 10m Work Description: michaelandrepearce commented on pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match URL: https://github.com/apache/activemq-artemis/pull/2851#discussion_r328408327 ## File path: artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlList.java ## @@ -25,12 +25,22 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.activemq.artemis.core.config.WildcardConfiguration; +import org.apache.activemq.artemis.core.settings.HierarchicalRepository; +import org.apache.activemq.artemis.core.settings.impl.HierarchicalObjectRepository; + public class JMXAccessControlList { private Access defaultAccess = new Access("*"); - private Map domainAccess = new HashMap<>(); + private HierarchicalRepository domainAccess; private ConcurrentHashMap> whitelist = new ConcurrentHashMap<>(); + public JMXAccessControlList() { + WildcardConfiguration domainAccessWildcardConfiguration = new WildcardConfiguration(); Review comment: Wildcard configuration should use the same as broker.xml This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 318726) Time Spent: 20m (was: 10m) > Improve wildcards for the roles access match > > > Key: ARTEMIS-2503 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2503 > Project: ActiveMQ Artemis > Issue Type: Improvement >Reporter: Domenico Bruscino >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > Please improve wildcard support for the key element in the roles access > element. > ATM you can NOT apply a restriction across a set of queue instances starting > with the same prefix (like below): > {code:java} > > > >... > {code} > If queues are created dynamically and only a queue name "prefix" is known in > advance; JMX RBAC cannot be used to restrict access in this case. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work logged] (ARTEMIS-2503) Improve wildcards for the roles access match
[ https://issues.apache.org/jira/browse/ARTEMIS-2503?focusedWorklogId=317785&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-317785 ] ASF GitHub Bot logged work on ARTEMIS-2503: --- Author: ASF GitHub Bot Created on: 24/Sep/19 19:41 Start Date: 24/Sep/19 19:41 Worklog Time Spent: 10m Work Description: brusdev commented on pull request #2851: ARTEMIS-2503 Improve wildcards for the roles access match URL: https://github.com/apache/activemq-artemis/pull/2851 Improve wildcard support for the key attribute in the roles access match element, allowing prefix match for the mBean properties ie . This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 317785) Remaining Estimate: 0h Time Spent: 10m > Improve wildcards for the roles access match > > > Key: ARTEMIS-2503 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2503 > Project: ActiveMQ Artemis > Issue Type: Improvement >Reporter: Domenico Bruscino >Priority: Major > Time Spent: 10m > Remaining Estimate: 0h > > Please improve wildcard support for the key element in the roles access > element. > ATM you can NOT apply a restriction across a set of queue instances starting > with the same prefix (like below): > {code:java} > > > >... > {code} > If queues are created dynamically and only a queue name "prefix" is known in > advance; JMX RBAC cannot be used to restrict access in this case. -- This message was sent by Atlassian Jira (v8.3.4#803005)