Posted to commits@karaf.apache.org by da...@apache.org on 2013/11/21 15:15:38 UTC
svn commit: r1544193 - in
/karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc:
jmx.acl.cfg jmx.acl.java.lang.Memory.cfg
jmx.acl.org.apache.karaf.bundle.cfg jmx.acl.org.apache.karaf.config.cfg
jmx.acl.osgi.compendium.cm.cfg
Author: davidb
Date: Thu Nov 21 14:15:37 2013
New Revision: 1544193
URL: http://svn.apache.org/r1544193
Log:
Improved comments and docs in the JMX RBAC ACL files.
Modified:
karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc/jmx.acl.cfg
karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc/jmx.acl.java.lang.Memory.cfg
karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc/jmx.acl.org.apache.karaf.bundle.cfg
karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc/jmx.acl.org.apache.karaf.config.cfg
karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc/jmx.acl.osgi.compendium.cm.cfg
Modified: karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc/jmx.acl.cfg
URL: http://svn.apache.org/viewvc/karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc/jmx.acl.cfg?rev=1544193&r1=1544192&r2=1544193&view=diff
==============================================================================
--- karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc/jmx.acl.cfg (original)
+++ karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc/jmx.acl.cfg Thu Nov 21 14:15:37 2013
@@ -1,13 +1,51 @@
#
# Generic JMX ACL
-# It defines the roles allowed to performed some MBean operations.
#
-# The format is the following:
+# This file defines the roles required for MBean operations for MBeans that
+# do not have this defined explicitly.
#
-# operation = roles
-# where:
-# - operation is a regex to the operation name
-# - roles is a list of role, separated by comma (',')
+# The definition of ACLs for JMX operations works as follows:
+#
+# The required roles for JMX operations are defined in configuration files
+# read via OSGi ConfigAdmin.
+#
+# JMX RBAC-related configuration is prefixed with jmx.acl and based on the
+# JMX ObjectName that it applies to. For example specific configuration for
+# an MBean with the following objectName: foo.bar:type=Test can be placed in
+# a configuration file called jmx.acl.foo.bar.Test.cfg. More generic
+# configuration can be placed in the domain (e.g. jmx.acl.foo.bar.cfg) or
+# at the top level (jmx.acl.cfg). A simple configuration file looks like
+# this:
+# test : admin
+# getVal : manager, viewer
+#
+# The system looks for required roles using the following process:
+# The most specific configuration file/pid is tried first. E.g. in the
+# above example the jmx.acl.foo.bar.Test.cfg is looked at first. In this
+# configuration, the system looks for a:
+# 1. Specific match for the current invocation, e.g. test(int)["17"] : role1
+# 2. Reg exp match for the current invocation, e.g. test(int)[/[0-9]/] : role2
+# In both cases the passed argument is converted to a String for the
+# comparison.
+# If any of the above match all the roles with matching definitions
+# are collected and allowed. If no matches are found the following is tried:
+# 3. Signature match for the invocation, e.g. test(int) : role3. If
+# matched the associated roles are used.
+# 4. Method name match for the invocation, e.g. test : role4. If matched
+# the associated roles are used.
+# 5. A method name wildcard match, e.g. te* : role5. For all the
+# wildcard matches found in the current configuration file, the roles
+# associated with the longest match are used. So if you have te* and * and
+# the method invoked is 'test', then the roles defined with te* are used,
+# not the ones defined with *.
+# If no matching definition is found in the current configuration file, a
+# more general configuration file is looked for. So jmx.acl.foo.bar.cfg is
+# tried next, this matches the domain of the MBean. If there is no match
+# found in the domain the most generic configuration file is consulted
+# (jmx.acl.cfg).
+# If a matching definition is found, this is used and the process will not
+# look for any other matching definitions. So the most specific definition
+# always takes precedence.
#
list* = viewer
get* = viewer
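Review bot: The lookup description in the new header comment ends at jmx.acl.cfg without saying what happens when no definition matches there either; since this file is the last fallback, state whether the invocation is then denied or allowed. Two smaller points in the same comment: the sample entries use ':' (`test : admin`) while the live entries below use '=' (`list* = viewer`), so either use one separator throughout or say that both are accepted; and the removed lines were the only place that said roles are a comma-separated list, which is now shown only by example (`getVal : manager, viewer`).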
Modified: karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc/jmx.acl.java.lang.Memory.cfg
URL: http://svn.apache.org/viewvc/karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc/jmx.acl.java.lang.Memory.cfg?rev=1544193&r1=1544192&r2=1544193&view=diff
==============================================================================
--- karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc/jmx.acl.java.lang.Memory.cfg (original)
+++ karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc/jmx.acl.java.lang.Memory.cfg Thu Nov 21 14:15:37 2013
@@ -1,4 +1,6 @@
#
# JMX ACL specific to the java.lang.Memory MBean
#
+# For a description of the format of this file, see jmx.acl.cfg
+#
gc = manager
Modified: karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc/jmx.acl.org.apache.karaf.bundle.cfg
URL: http://svn.apache.org/viewvc/karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc/jmx.acl.org.apache.karaf.bundle.cfg?rev=1544193&r1=1544192&r2=1544193&view=diff
==============================================================================
--- karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc/jmx.acl.org.apache.karaf.bundle.cfg (original)
+++ karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc/jmx.acl.org.apache.karaf.bundle.cfg Thu Nov 21 14:15:37 2013
@@ -1,8 +1,10 @@
#
-# JMX ACL specific to the org.apache.karaf:type=bundle,name=* MBean
+# JMX ACL specific to the org.apache.karaf:type=bundle,name=* MBean which maps to the Karaf MBean
+# to control OSGi bundles.
+#
+# For a description of the format of this file, see jmx.acl.cfg
#
install = manager
-get* = viewer
refresh = manager
resolve = manager
restart = manager
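Review bot: The removal of `get* = viewer` is a rule change inside a commit whose log message mentions only comments and docs. Going by the fallback described in jmx.acl.cfg, and assuming no other entry in this file matches, get* calls on the bundle MBean should now resolve through the generic `get* = viewer` entry, so the effective role looks unchanged. Say so in the log message or split the removal into its own commit, so that an ACL change is not hidden in a documentation commit.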
Modified: karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc/jmx.acl.org.apache.karaf.config.cfg
URL: http://svn.apache.org/viewvc/karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc/jmx.acl.org.apache.karaf.config.cfg?rev=1544193&r1=1544192&r2=1544193&view=diff
==============================================================================
--- karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc/jmx.acl.org.apache.karaf.config.cfg (original)
+++ karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc/jmx.acl.org.apache.karaf.config.cfg Thu Nov 21 14:15:37 2013
@@ -1,7 +1,10 @@
#
-# JMX ACL specific to the org.apache.karaf:type=config,name=* MBean
+# JMX ACL specific to the org.apache.karaf:type=config,name=* MBean which maps to the Karaf MBean to interact with the
+# OSGi Config Admin service.
+#
+# For a description of the format of this file, see jmx.acl.cfg
#
-# By default, only an admin can make changes to the JMX ACL rules, but managers can make
+# By default, only an admin can make changes to the JMX ACL and shell command rules, but managers can make
# changes to other PIDs.
#
appendProperty(java.lang.String,java.lang.String,java.lang.String)[/jmx[.]acl.*/,/.*/,/.*/] = admin
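Review bot: The updated comment now says shell command rules are admin-only, but the only rule visible in this hunk, `appendProperty(...)[/jmx[.]acl.*/,/.*/,/.*/] = admin`, matches PIDs that start with jmx.acl. Check that the file carries matching admin-only entries for the shell command ACL PIDs; otherwise the comment promises more than the rules enforce. The new first comment line is also much longer than the surrounding lines and could be wrapped as in the other files.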
Modified: karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc/jmx.acl.osgi.compendium.cm.cfg
URL: http://svn.apache.org/viewvc/karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc/jmx.acl.osgi.compendium.cm.cfg?rev=1544193&r1=1544192&r2=1544193&view=diff
==============================================================================
--- karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc/jmx.acl.osgi.compendium.cm.cfg (original)
+++ karaf/trunk/assemblies/features/framework/src/main/resources/resources/etc/jmx.acl.osgi.compendium.cm.cfg Thu Nov 21 14:15:37 2013
@@ -1,6 +1,8 @@
#
# JMX ACL specific to osgi.compendium.cm MBean
#
+# For a description of the format of this file, see jmx.acl.cfg
+#
# This configuration file configures the management of ConfigAdmin via the standard ConfigAdmin MBean
# Such that only an admin can make changes to the JMX ACL rules, but managers can make
# changes to other PIDs.
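Review bot: The unchanged comment at the end of this hunk still reads "only an admin can make changes to the JMX ACL rules", while the same sentence in jmx.acl.org.apache.karaf.config.cfg was changed in this commit to "JMX ACL and shell command rules". If the rules in this file also restrict the shell command ACL PIDs, update this sentence to match; if they do not, the two MBeans apply different policies to the same ConfigAdmin data, and that difference should be either closed or documented here.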