################################################################################
#
#    Licensed to the Apache Software Foundation (ASF) under one or more
#    contributor license agreements.  See the NOTICE file distributed with
#    this work for additional information regarding copyright ownership.
#    The ASF licenses this file to You under the Apache License, Version 2.0
#    (the "License"); you may not use this file except in compliance with
#    the License.  You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS,
#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#    See the License for the specific language governing permissions and
#    limitations under the License.
#
################################################################################

#
# Generic JMX ACL
#
# This file defines the roles required for MBean operations for MBeans that
# do not have this defined explicitly.
#
# The definition of ACLs for JMX operations works as follows:
#
# The required roles for JMX operations are defined in configuration files
# read via OSGi ConfigAdmin.
#
# JMX RBAC-related configuration is prefixed with jmx.acl and based on the
# JMX ObjectName that it applies to. For example, specific configuration for
# an MBean with the following objectName: foo.bar:type=Test can be placed in
# a configuration file called jmx.acl.foo.bar.Test.cfg. More generic
# configuration can be placed in the domain (e.g. jmx.acl.foo.bar.cfg) or
# at the top level (jmx.acl.cfg). A simple configuration file looks like
# this:
#   test : admin
#   getVal : manager, viewer
#
# The system looks for required roles using the following process:
# The most specific configuration file/pid is tried first. E.g. in the
# above example the jmx.acl.foo.bar.Test.cfg is looked at first. In this
# configuration, the system looks for a:
#   1. Specific match for the current invocation, e.g. test(int)["17"] : role1
#   2. Regular expression match for the current invocation,
#      e.g. test(int)[/[0-9]/] : role2
#      In both cases the passed argument is converted to a String for the
#      comparison.
#      If any of the above match, all the roles with matching definitions
#      are collected and allowed. If no matches are found, the following is
#      tried:
#   3. Signature match for the invocation, e.g. test(int) : role3. If
#      matched, the associated roles are used.
#   4. Method name match for the invocation, e.g. test : role4. If matched,
#      the associated roles are used.
#   5. A method name wildcard match, e.g. te* : role5. For all the
#      wildcard matches found in the current configuration file, the roles
#      associated with the longest match are used. So if you have te* and *
#      and the method invoked is 'test', then the roles defined with te* are
#      used, not the ones defined with *.
# If no matching definition is found in the current configuration file, a
# more general configuration file is looked for. So jmx.acl.foo.bar.cfg is
# tried next; this matches the domain of the MBean. If there is no match
# found in the domain, the most generic configuration file is consulted
# (jmx.acl.cfg).
# If a matching definition is found, it is used and the process will not
# look for any other matching definitions. So the most specific definition
# always takes precedence.
#
list* = viewer
get* = viewer
is* = viewer
set* = admin
* = admin
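
# Added example, not part of the original file and not the project's own code: a Python
# model of the lookup order described above, for checking which roles an invocation ends up requiring.
# Assumptions: single-argument methods only, a /regex/ must match the whole argument string, and the
# jmx.acl.foo.bar.Test entries (including role2b) are constructed sample data.

```python
import re

# Constructed sample PIDs; only the "jmx.acl" entries are the ones from this file.
CONFIGS = {
    "jmx.acl.foo.bar.Test": {
        'test(int)["17"]': "role1",
        "test(int)[/[0-9]/]": "role2",
        "test(int)[/[1-9]/]": "role2b",  # constructed, shows role collection
        "test(int)": "role3",
        "te*": "role5",
    },
    "jmx.acl": {"list*": "viewer", "get*": "viewer", "is*": "viewer",
                "set*": "admin", "*": "admin"},
}

def parse_roles(value):
    return {r.strip() for r in value.split(",") if r.strip()}

def match_in_config(cfg, method, sig, arg):
    """Steps 1-5 within one configuration; None means no definition here."""
    call = f"{method}({sig})"
    collected, hit = set(), False
    for key, value in cfg.items():
        if not (key.startswith(call + "[") and key.endswith("]")):
            continue
        spec, text = key[len(call) + 1:-1], str(arg)
        delimited = len(spec) > 1 and spec[0] == spec[-1]
        exact = delimited and spec[0] == '"' and spec[1:-1] == text
        # Assumption: a /regex/ has to match the whole argument string.
        regex = delimited and spec[0] == "/" and re.fullmatch(spec[1:-1], text)
        if exact or regex:
            hit = True
            collected |= parse_roles(value)
    if hit:  # steps 1 and 2: every matching definition contributes its roles
        return collected
    for key in (call, method):  # step 3 (signature), then step 4 (name)
        if key in cfg:
            return parse_roles(cfg[key])
    wild = [k for k in cfg if k.endswith("*") and method.startswith(k[:-1])]
    if wild:  # step 5: the longest wildcard wins
        return parse_roles(cfg[max(wild, key=len)])
    return None

def required_roles(configs, domain, mbean_type, method, sig="", arg=None):
    """Most specific PID first; the first configuration with a match decides."""
    for pid in (f"jmx.acl.{domain}.{mbean_type}", f"jmx.acl.{domain}", "jmx.acl"):
        found = match_in_config(configs.get(pid, {}), method, sig, arg)
        if found is not None:
            return pid, found
    return None, set()  # no definition in any configuration
```

# With the settings in this file, any operation not covered by list*, get*, is* or set* falls through
# to "* = admin", so a newly registered MBean operation requires admin unless a more specific entry says otherwise.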