| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273 |
- ################################################################################
- #
- # Licensed to the Apache Software Foundation (ASF) under one or more
- # contributor license agreements. See the NOTICE file distributed with
- # this work for additional information regarding copyright ownership.
- # The ASF licenses this file to You under the Apache License, Version 2.0
- # (the "License"); you may not use this file except in compliance with
- # the License. You may obtain a copy of the License at
- #
- # http://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- # See the License for the specific language governing permissions and
- # limitations under the License.
- #
- ################################################################################
- #
- # Generic JMX ACL
- #
- # This file defines the roles required for MBean operations for MBeans that
- # do not have this defined explicitly.
- #
- # The definition of ACLs for JMX operations works as follows:
- #
- # The required roles for JMX operations are defined in configuration files
- # read via OSGi ConfigAdmin.
- #
- # JMX RBAC-related configuration is prefixed with jmx.acl and based on the
- # JMX ObjectName that it applies to. For example specific configuration for
- # an MBean with the following objectName: foo.bar:type=Test can be placed in
- # a configuration file called jmx.acl.foo.bar.Test.cfg. More generic
- # configuration can be placed in the domain (e.g. jmx.acl.foo.bar.cfg) or
- # at the top level (jmx.acl.cfg). A simple configuration file looks like
- # this:
- # test : admin
- # getVal : manager, viewer
- #
- # The system looks for required roles using the following process:
- # The most specific configuration file/pid is tried first. E.g. in the
- # above example the jmx.acl.foo.bar.Test.cfg is looked at first. In this
- # configuration, the system looks for a:
- # 1. Specific match for the current invocation, e.g. test(int)["17"] : role1
- # 2. Reg exp match for the current invocation, e.g. test(int)[/[0-9]/] : role2
- # In both cases the passed argument is converted to a String for the
- # comparison.
- # If any of the above match all the roles with matching definitions
- # are collected and allowed. If no matches are found the following is tried:
- # 3. Signature match for the invocation, e.g. test(int) : role3. If
- # matched the associated roles are used.
- # 4. Method name match for the invocation, e.g. test : role4. If matched
- # the associated roles are used.
- # 5. A method name wildcard match, e.g. te* : role5. For all the
- # wildcard matches found in the current configuration file, the roles
- # associated with the longest match are used. So if you have te* and * and
- # the method invoked is 'test', then the roles defined with te* are used,
- # not the ones defined with *.
- # If no matching definition is found in the current configuration file, a
- # more general configuration file is looked for. So jmx.acl.foo.bar.cfg is
- # tried next, this matches the domain of the MBean. If there is no match
- # found in the domain the most generic configuration file is consulted
- # (jmx.acl.cfg).
- # If a matching definition is found, this is used and the process will not
- # look for any other matching definitions. So the most specific definition
- # always takes precedence.
- #
- list* = viewer
- get* = viewer
- is* = viewer
- set* = admin
- * = admin
|
