Posted to issues@activemq.apache.org by "Dima Chebotarskyi (Jira)" <ji...@apache.org> on 2021/09/23 22:08:00 UTC

[jira] [Updated] (AMQ-8392) Add possibility to disable some JMX operations but not the whole MBean

     [ https://issues.apache.org/jira/browse/AMQ-8392?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dima Chebotarskyi updated AMQ-8392:
-----------------------------------
    Description: 
h1. Background

JMX API is widely used by ActiveMQ users. There are a number of MBeans available for ActiveMQ that contain multiple attributes and operations. Unconscious use of some operations can lead to malfunction and ActiveMQ process interruption. Example:
 *  TerminateJVM [http://activemq.apache.org/maven/apidocs/org/apache/activemq/broker/jmx/BrokerViewMBean.html#terminateJVM-int-]

JMX API supports two roles: ReadOnly, ReadWrite. In some use cases, users may want to restrict some operations to not allow JMX users with ReadWrite access to perform operations. 

There is a possibility of [Selective MBean registration|https://activemq.apache.org/jmx], but it is not possible to disable selected operations for a particular MBean.

The Jolokia HTTP management API already supports JMX operations restriction via configuration.

This Feature should provide the possibility to disable some of the operations without disabling the whole MBean for JMX API. 
h1. Proposed solution

One possible way to achieve it is to extend the configuration of ActiveMQ to make it possible to define a list of restricted JMX operations. Possible configuration syntax:
{code:java}
<managementContext createConnector="false"> 
   <restrict> 
      <command>terminateJVM</command>
      <command>stop</command>
   </restrict>
</managementContext>
{code}
h1. Related requests from community
 * [https://users.activemq.apache.narkive.com/thW9jlt0/remove-terminatejvm-from-jmx]

  was:
h1. Background

JMX API is widely used by ActiveMQ users. There are a number of MBeans available for ActiveMQ that contain multiple attributes and operations. Unconscious use of some operations can lead to malfunction and ActiveMQ process interruption. Example:
 *  TerminateJVM [http://activemq.apache.org/maven/apidocs/org/apache/activemq/broker/jmx/BrokerViewMBean.html#terminateJVM-int-]

JMX API supports two roles: ReadOnly, ReadWrite. In some use cases, users may want to restrict some operations to not allow JMX users with ReadWrite access to perform operations. 

There is a possibility of [Selective MBean registration|https://activemq.apache.org/jmx], but it is not possible to disable selected operations for a particular MBean.

The Jolokia HTTP management API already supports JMX operations restriction via configuration.

This Feature should provide the possibility to disable some of the operations without disabling the whole MBean for JMX API. 
h1. Propose solution

One possible way to achieve it is to extend the configuration of ActiveMQ to make it possible to define a list of restricted JMX operations. Possible configuration syntax:
{code:java}
<managementContext createConnector="false"> 
   <restrict> 
      <command>terminateJVM</command>
      <command>stop</command>
   </restrict>
</managementContext>
{code}
h1. Related requests from community
 * [https://users.activemq.apache.narkive.com/thW9jlt0/remove-terminatejvm-from-jmx]


> Add possibility to disable some JMX operations but not the whole MBean
> ----------------------------------------------------------------------
>
>                 Key: AMQ-8392
>                 URL: https://issues.apache.org/jira/browse/AMQ-8392
>             Project: ActiveMQ
>          Issue Type: New Feature
>          Components: JMX
>            Reporter: Dima Chebotarskyi
>            Priority: Major



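One way the per-operation restriction requested above could be enforced in front of an MBeanServer, added here as an example; it is not ActiveMQ code and not part of the issue. `DemoBroker`, `DemoBrokerMBean` and `restrict` are hypothetical names, and the denied set mirrors the `<command>` entries of the proposed syntax.

```java
import java.lang.management.ManagementFactory;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.Set;
import javax.management.MBeanServer;
import javax.management.ObjectName;

public class RestrictedJmxDemo {
    // Constructed stand-in for a broker MBean (assumption; not ActiveMQ's BrokerViewMBean).
    public interface DemoBrokerMBean { String getBrokerName(); void terminateJVM(int exitCode); void gc(); }
    public static class DemoBroker implements DemoBrokerMBean {
        public String getBrokerName() { return "demo"; }
        public void terminateJVM(int exitCode) { System.out.println("would exit " + exitCode); }
        public void gc() { System.out.println("gc requested"); }
    }

    /** Wraps an MBeanServer so that invoke() of any denied operation name is refused. */
    static MBeanServer restrict(MBeanServer target, Set<String> denied) {
        InvocationHandler handler = (proxy, method, args) -> {
            // MBeanServer.invoke(ObjectName, String operationName, Object[], String[])
            if (method.getName().equals("invoke") && denied.contains((String) args[1])) {
                throw new SecurityException("JMX operation disabled by configuration: " + args[1]);
            }
            try {
                return method.invoke(target, args); // everything else passes through
            } catch (InvocationTargetException e) {
                throw e.getCause(); // surface the original JMX exception
            }
        };
        return (MBeanServer) Proxy.newProxyInstance(
                RestrictedJmxDemo.class.getClassLoader(), new Class<?>[] {MBeanServer.class}, handler);
    }

    public static void main(String[] argv) throws Exception {
        MBeanServer platform = ManagementFactory.getPlatformMBeanServer();
        ObjectName name = new ObjectName("demo:type=Broker");
        platform.registerMBean(new DemoBroker(), name);
        MBeanServer guarded = restrict(platform, Set.of("terminateJVM", "stop"));

        System.out.println(guarded.getAttribute(name, "BrokerName")); // attributes stay readable
        guarded.invoke(name, "gc", new Object[0], new String[0]);     // unrestricted operation runs
        try {
            guarded.invoke(name, "terminateJVM", new Object[] {0}, new String[] {"int"});
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());         // MBean stays registered
        }
    }
}
```

For remote JMX clients the same check would sit in a `javax.management.remote.MBeanServerForwarder` installed with `JMXConnectorServer.setMBeanServerForwarder`, so that it applies to ReadWrite users connecting over the connector.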