activemq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mark Gellings (JIRA)" <j...@apache.org>
Subject [jira] Created: (AMQ-2471) Add fine-grained authorization to the web console
Date Fri, 30 Oct 2009 15:24:52 GMT
Add fine-grained authorization to the web console
-------------------------------------------------

                 Key: AMQ-2471
                 URL: https://issues.apache.org/activemq/browse/AMQ-2471
             Project: ActiveMQ
          Issue Type: New Feature
          Components: Broker
    Affects Versions: 5.4.0
         Environment: For all environments
            Reporter: Mark Gellings
            Priority: Minor
             Fix For: 5.4.0


The web console doesn't support fine-grained authorization at the moment.

http://old.nabble.com/Dynamically-setting-activemq-username-password-when-logging-into-web-console-to26118677.html#a26126782


Scenario with a guest and admin user:  I'd like guest to have read privs (see messages on
queues, etc.), and admin to have read/write privs (see messages on queues, delete messages,
delete queues, etc.).  In our scenario guest is producing a message and just wants to verify
the message has been created successfully on the queue.  Admin owns the queue and the broker
as they are on a separate development team than user guest.  They do not want guest to be
able to delete messages/queues etc.  Right now we have no way to let guest see for themselves
that the message is on the queue unless we give them the admin user/password for the basic
authentication prompt when using the web console.  If we give that out, we give out read/write
privs to guest which we don't want to do.

I think for this to be possible two separate connections would need to be maintained to the
broker, one for guest and one for admin so as the simpleAuthenticationPlugin and authorizationPlugin
can be used based on the user/password used to log on.  Ideally the user/password entered
during a basic authentication prompt could be mapped to the same user/password used to connect
to the broker.  Maybe this isn't possible if the web console only maintains one connection
to the broker.  Maybe the web console would need to be enhanced with a user/group security
section to control what privs in the web console the logged on user has.  An admin could then
control whether a user has the right to delete a message, a queue, etc. and the web console
has the smarts to display the delete link or not based on the privs of the logged on user.





-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message