activemq-dev mailing list archives

From "Gary Tully (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMQ-2471) Add fine-grained authorization to the web console
Date Fri, 01 Apr 2011 11:22:17 GMT

     [ https://issues.apache.org/jira/browse/AMQ-2471?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gary Tully updated AMQ-2471:
----------------------------

    Fix Version/s:     (was: 5.5.0)
                   5.6.0

> Add fine-grained authorization to the web console
> -------------------------------------------------
>
>                 Key: AMQ-2471
>                 URL: https://issues.apache.org/jira/browse/AMQ-2471
>             Project: ActiveMQ
>          Issue Type: New Feature
>          Components: Broker
>    Affects Versions: 5.4.0
>         Environment: For all environments
>            Reporter: Mark Gellings
>            Priority: Minor
>             Fix For: 5.6.0
>
>   Original Estimate: 240h
>  Remaining Estimate: 240h
>
> The web console doesn't support fine-grained authorization at the moment.
> http://old.nabble.com/Dynamically-setting-activemq-username-password-when-logging-into-web-console-to26118677.html#a26126782
>
> Scenario with a guest and admin user:  I'd like guest to have read privs (see messages on queues, etc.), and admin to have read/write privs (see messages on queues, delete messages, delete queues, etc.).  In our scenario guest is producing a message and just wants to verify the message has been created successfully on the queue.  Admin owns the queue and the broker as they are on a separate development team than user guest.  They do not want guest to be able to delete messages/queues etc.  Right now we have no way to let guest see for themselves that the message is on the queue unless we give them the admin user/password for the basic authentication prompt when using the web console.  If we give that out, we give out read/write privs to guest which we don't want to do.
>
> I think for this to be possible two separate connections would need to be maintained to the broker, one for guest and one for admin so as the simpleAuthenticationPlugin and authorizationPlugin can be used based on the user/password used to log on.  Ideally the user/password entered during a basic authentication prompt could be mapped to the same user/password used to connect to the broker.  Maybe this isn't possible if the web console only maintains one connection to the broker.  Maybe the web console would need to be enhanced with a user/group security section to control what privs in the web console the logged on user has.  An admin could then control whether a user has the right to delete a message, a queue, etc. and the web console has the smarts to display the delete link or not based on the privs of the logged on user.


--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
