Fine-Grained Role Configuration for Console Access (hawtio) #222
Conversation
|
Our Red Hat Case number: 04120046 |
guidograzioli
added
the
major_changes
|
Thanks a lot for your contribution. I'd really prefer to handle the management xml using xpath/xsd, but let me go thru the molecule test (kudos) and see how it behaves. Happy to co-author, btw? |
|
you're welcome ;-) @guidograzioli . |
|
Cool; since this is a major change, I'll release the current patch version, then bump and this PR will be the headline of version 2.3 :) |
|
@4nt01ne can you please resolve the lint issues as well? |
|
sure @RanabirChakraborty. I am trying to figure out what is still wrong in the task name |
Just prepend the task names with "Set ...." or "Make ... " (or anything here, it's a picky linter rule, but it helps maintaining the quality level of task names) |
|
@RanabirChakraborty, linting is fixed but "Download activemq archive" is failing in a workflow |
|
That's alright, there's been multiple CI jobs and all the concurrent downloads makes apache.org throttle us down. I'll re-run the jobs in a bit and start the review in the meantime |
|
IMHO this solution can only be the first part of a fine-grained role configuration because in this stage (if I understand it correctly), it only allows to define fine-grained access to different domains but always for all roles in activemq_hawtio_role. But I think usually there will be the need to define different permissions for different roles, e.g. have an admin role, have a read-only role, etc. |
|
The goal for the collection is to support any configuration allowed in activemq; mind that this is still WIP and will only be part of the next major release. I am more than happy to consider an alternate/parallel implementation PR or to welcome more co-authors in this PR. |
|
I'm not sure if I fully understand your remark, @cmasopust. The changes introduced in this PR allow the following:
ExampleGiven the following configuration: activemq_hawtio_role: ['admin', 'operator']
activemq_management_access_default:
- methods: ['list*', 'get*', 'is*', 'browse*', 'count*']
roles: ['read-only']
- methods: ['set*', '*']
roles: []
activemq_management_access_domains:
- accesses:
- methods: ['list*', 'get*', 'is*', 'set*', 'browse*', 'count*', '*']
roles: []
- key: 'address=queue.*'
accesses:
- methods: ['list*', 'get*', 'is*', 'browse*', 'count*']
roles: ['specific']
- methods: ['set*', '*']
roles: []
- name: 'com.myapp'
key: 'address=intern.*'
accesses:
- methods: ['list*', 'get*', 'is*', 'browse*', 'count*']
roles: ['business']
- methods: ['set*', '*']
roles: []This configuration generates the following <management-context xmlns="http://activemq.apache.org/schema">
<authorisation>
<allowlist>
<entry domain="hawtio"/>
</allowlist>
<default-access>
<access method="list*" roles="read-only,admin,operator"/>
<access method="get*" roles="read-only,admin,operator"/>
<access method="is*" roles="read-only,admin,operator"/>
<access method="browse*" roles="read-only,admin,operator"/>
<access method="count*" roles="read-only,admin,operator"/>
<access method="set*" roles="admin,operator"/>
</default-access>
<role-access>
<match domain="org.apache.activemq.artemis">
<access method="list*" roles="admin,operator"/>
<access method="get*" roles="admin,operator"/>
<access method="is*" roles="admin,operator"/>
<access method="browse*" roles="admin,operator"/>
<access method="count*" roles="admin,operator"/>
<access method="set*" roles="admin,operator"/>
</match>
<match domain="org.apache.activemq.artemis" key="address=queue.*">
<access method="list*" roles="specific,admin,operator"/>
<access method="get*" roles="specific,admin,operator"/>
<access method="is*" roles="specific,admin,operator"/>
<access method="browse*" roles="specific,admin,operator"/>
<access method="count*" roles="specific,admin,operator"/>
<access method="set*" roles="admin,operator"/>
</match>
<match domain="com.myapp" key="address=intern.*">
<access method="list*" roles="business,admin,operator"/>
<access method="get*" roles="business,admin,operator"/>
<access method="is*" roles="business,admin,operator"/>
<access method="browse*" roles="business,admin,operator"/>
<access method="count*" roles="business,admin,operator"/>
<access method="set*" roles="admin,operator"/>
</match>
</role-access>
</authorisation>
</management-context>If you are suggesting extending this further to allow different fine-grained permissions per role beyond what is already achievable, please clarify. |
Thanks a lot, exactly such example I was missing :) looks like I was looking at a wrong branch because in the role_access.management.xml.j2 which I looked at, the "roles" are always set to the whole content of activemq_hawtio_role. So, sorry for the confusion and thanks a lot for that PR !!! |
|
you're welcome @cmasopust .
|
Looking forward now for the release that contains this PR! thanks again! |
|
ok gentleman, since you agreed on the scope of the change, and in the meanwhile i was able to recover from the CI build outage, I'll rebase the PR, force push, and then add a couple change on top of it:
please let me know if you have any comments on that |
|
That is very good @guidograzioli. |
Co-authored-by: Antoine Wils <antoine@wils.life> Co-authored-by: Guido Grazioli <ggraziol@redhat.com>
Co-authored-by: Antoine Wils <antoine@wils.life> Co-authored-by: Guido Grazioli <ggraziol@redhat.com>
guidograzioli
force-pushed
the
fine_grained_hawtio_roles
branch
from
013c618 to
4e2558c
Compare
|
Please review my changes |
Co-authored-by: Antoine Wils <antoine@wils.life> Co-authored-by: Guido Grazioli <ggraziol@redhat.com>
guidograzioli
force-pushed
the
fine_grained_hawtio_roles
branch
from
4e2558c to
212bfd0
Compare
4nt01ne
force-pushed
the
fine_grained_hawtio_roles
branch
3 times, most recently
from
cdcf4e3 to
8d6f2bc
Compare
Co-authored-by: Antoine Wils <antoine@wils.life> Co-authored-by: Guido Grazioli <ggraziol@redhat.com>
4nt01ne
force-pushed
the
fine_grained_hawtio_roles
branch
from
8d6f2bc to
fa63854
Compare
|
LGTM thx! |
|
Cool; I'll merge after CI completes (after the merge, your PRs won't need maintainer approval to execute CI). |
|
It was really interesting to contribute, learned quite a bit about both Contributing and Ansible along the way! What are the next steps after the merge in terms of the release timeline @guidograzioli ? |
|
The downstream redhat.amq_broker collection should hit automation hub early next week, there is more intergration testing to be performed |
Hi all,
This draft PR is intended to kick off a discussion on the best approach to enhance console access configuration.
Current state:
The proposed changes introduce breaking updates to the following variables:
activemq_hawtio_roleactivemq_management_access_defaultactivemq_management_access_domains...as well as the related templates.
However, the new default values preserve the existing behavior, so setups that don’t override these variables won’t be impacted.
Background:
We’re using the Red Hat downstream
amq_brokercollection and plan to raise a support request referencing this PR.Our challenge:
We need more granular control over which roles can access the Jolokia console. Specifically:
We’ve already implemented this logic in our own Ansible code, but it conflicts with the current
activemqrole causing unwanted broker restarts on every run.To support our production rollout, we’d like to upstream this capability.
Highlights of this PR:
activemq_hawtio_roleis now an array. Each role is applied to all entries inactivemq_management_access_domains. If methods are defined with an empty roles array, it falls back to this default.activemq_management_access_defaultandactivemq_management_access_domainsallow assigning specific permissions to roles per MBean method.activemq_management_access_domainsenables fine-grained access control at the domain and/or key level.console_access, verifies the new behavior—all existing tests pass with the updated defaults.Note on backward compatibility:
To avoid breaking changes, we could add logic in the templates to detect and apply the new structure only if explicitly used.
Looking forward to your feedback and suggestions!