  1. A-MQ Broker
  2. ENTMQBR-2472

Support or document per-role control and monitoring of individual destinations in the console


    • Type: Enhancement
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: AMQ 7.2.2.GA
    • Fix Version/s: None
    • Component/s: console, security
    • Labels:


      This is a request to extend the existing role-based access control mechanism to allow defined roles to be able to control and monitor specific destinations. So, for example, role A would be allowed to control and/or monitor destinations B, C, and D; role E would be allowed to control and/or monitor F and G; and so on.

      The existing access-control scheme assumes that role permissions can be mapped to MBean method names, across the whole MBean space. So a user with 'monitor' rights can execute methods getXXX(), listXXX() on all MBeans. Since the access-control scheme does allow permissions to be set on individual, named MBeans, per-destination control appears to be theoretically possible. However, the JMX implementation is largely undocumented, and the method naming convention is not particularly favourable for implementing this level of control.

      It may be that customers would be satisfied with working, supportable samples, if these can be created. However, my feeling is that changes would be needed, at least to the way that MBean methods are named, to make it practical to implement the required functionality in a practicable, administrator-controlled way. However, if access control rules could be created using a tool of some sort, then that might make it possible to implement something without changing the core security model.
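One form the rule-generating tool suggested above could take, as an added example (not part of the ticket or the product): it expands a role-to-destination table into one per-MBean `role-access` match per destination and rejects names that could widen a match. The `management.xml`-style element names, the `queue=<name>` key, the `amq` administrator role and the method patterns are assumptions to check against the broker version in use.

```python
import re
import xml.etree.ElementTree as ET

DOMAIN = "org.apache.activemq.artemis"  # assumed MBean domain of the broker
ADMIN_ROLE = "amq"                      # assumed administrator role, kept on every rule
# Method-name patterns per permission level (assumed, after the get*/list* convention).
PATTERNS = {"monitor": ["list*", "get*", "is*"], "control": ["set*", "*"]}
# Names may not contain ObjectName metacharacters such as , = : * ? or quotes.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")


def build_role_access(grants):
    """grants: iterable of (role, destination, level); level is 'monitor' or 'control'."""
    per_dest = {}
    for role, dest, level in grants:
        if level not in PATTERNS:
            raise ValueError(f"unknown level: {level!r}")
        for name in (role, dest):
            if not SAFE_NAME.fullmatch(name):
                raise ValueError(f"unsafe name: {name!r}")
        levels = per_dest.setdefault(dest, {"monitor": set(), "control": set()})
        levels[level].add(role)
        if level == "control":  # a role that may control may also monitor
            levels["monitor"].add(role)

    root = ET.Element("role-access")
    for dest in sorted(per_dest):
        match = ET.SubElement(root, "match", domain=DOMAIN, key=f"queue={dest}")
        for level in ("monitor", "control"):
            roles = sorted(per_dest[dest][level] | {ADMIN_ROLE})
            for pattern in PATTERNS[level]:
                ET.SubElement(match, "access", method=pattern, roles=",".join(roles))
    return root


def render(grants):
    """Return the generated <role-access> fragment as indented XML text."""
    root = build_role_access(grants)
    ET.indent(root, space="   ")
    return ET.tostring(root, encoding="unicode")


# Constructed sample mirroring the ticket: role A -> B, C, D; role E -> F, G.
SAMPLE = [("roleA", "B", "control"), ("roleA", "C", "monitor"), ("roleA", "D", "monitor"),
          ("roleE", "F", "control"), ("roleE", "G", "monitor")]

if __name__ == "__main__":
    print(render(SAMPLE))
```

Every destination needs its own full set of method patterns, so the output grows with the number of destinations and must be regenerated whenever a destination or role is added.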

                • Assignee:
                  ataylor Andy Taylor
                  kboone Kevin Boone
                • Votes:
                  0
                • Watchers:
                  4


                  • Created: