This is a request to extend the existing role-based access control mechanism to allow defined roles to be able to control and monitor specific destinations. So, for example, role A would be allowed to control and/or monitor destinations B, C, and D; role E would be allowed to control and/or monitor F and G; and so on.
The existing access-control scheme assumes that role permissions can be mapped to MBean method names, across the whole MBean space. So a user with 'monitor' rights can execute methods getXXX(), listXXX() on all MBeans. Since the access-control scheme does allow permissions to be set on individual, named MBeans, per-destination control appears to be theoretically possible. However, the JMX implementation is largely undocumented, and the method naming convention is not particularly favourable for implementing this level of control.
It may be that customers would be satisfied with working, supportable samples, if these can be created. However, my feeling is that changes would be needed, at least to the way that MBean methods are named, to make it practical to implement the required functionality in a practicable, administrator-controlled way. However, if access control rules could be created using a tool of some sort, then that might make it possible to implement something without changing the core security model.
Is related to:
- ENTMQBR-2188 [AMQ7, jmx rbac] allow use of wildcards in the key attribute of <match> (Closed)
- ENTMQBR-3212 [Documentation: [AMQ7, jmx rbac] allow use of wildcards in the key attribute of <match> (Closed)
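The per-destination mapping described in the request, sketched as an added example that is not part of the original ticket or the product's shipped configuration. It assumes the `<role-access>` / `<match>` syntax of the Apache ActiveMQ Artemis `management.xml` file, that the destinations are queues named B, C, D, F and G, and a constructed split of monitor and control rights between them.

```xml
<!-- Added example: fragment of the <authorisation> element in management.xml. -->
<!-- Role and queue names (A, E, B, C, D, F, G) follow the ticket's own example. -->
<role-access>
   <!-- Role A: full control of queue B (constructed choice) -->
   <match domain="org.apache.activemq.artemis" key="queue=B">
      <access method="get*" roles="A"/>
      <access method="list*" roles="A"/>
      <access method="*" roles="A"/>
   </match>
   <!-- Role A: monitor only on queues C and D; one block per queue, -->
   <!-- because the key names a single MBean property value -->
   <match domain="org.apache.activemq.artemis" key="queue=C">
      <access method="get*" roles="A"/>
      <access method="list*" roles="A"/>
   </match>
   <match domain="org.apache.activemq.artemis" key="queue=D">
      <access method="get*" roles="A"/>
      <access method="list*" roles="A"/>
   </match>
   <!-- Role E: full control of queue F, monitor only on queue G -->
   <match domain="org.apache.activemq.artemis" key="queue=F">
      <access method="get*" roles="E"/>
      <access method="list*" roles="E"/>
      <access method="*" roles="E"/>
   </match>
   <match domain="org.apache.activemq.artemis" key="queue=G">
      <access method="get*" roles="E"/>
      <access method="list*" roles="E"/>
   </match>
</role-access>
```

Each destination needs its own `<match>` block, and "monitor" is expressed only through method-name prefixes, so the rule set grows with every queue and depends on every read-only operation following the `get*` / `list*` naming convention.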