Opened 8 years ago
Last modified 7 years ago
#913 new enhancement
IZ620: A hmacc user role has to be created
| Reported by: | easymf | Owned by: | |
|---|---|---|---|
| Priority: | high | Milestone: | |
| Component: | hedeby | Version: | 1.0u2 |
| Severity: | Keywords: | Sun bootstrap | |
| Cc: |
Description
[Imported from gridengine issuezilla http://gridengine.sunsource.net/issues/show_bug.cgi?id=620]
Issue #: 620 Platform: Sun Reporter: easymf (easymf)
Component: hedeby OS: All
Subcomponent: bootstrap Version: 1.0u2 CC: None defined
Status: NEW Priority: P2
Resolution: Issue type: ENHANCEMENT
Target milestone: 1.0u5next
Assigned to: adoerr (adoerr)
QA Contact: adoerr
URL:
* Summary: A hmacc user role has to be created
Status whiteboard:
Attachments:
Issue 620 blocks:
Votes for issue 620: Vote for this issue
Opened: Mon Feb 9 03:27:00 -0700 2009
------------------------
Description
To retrieve certain data from SDM system, it is needed to grant certain
permissions to an user. An initial version of HMACC will hold a monitoring only
features - the set of permissions needed by user of HMACC is smaller than set of
permissions needed by SDM admin user, thus it'd be ideal to deliver a more fine
grained roles that would fit an HMACC too.
In addition, additional permissions needed for a remote JVM monitoring has to be
granted to HMACC users (roles).
Evaluation
A high-priority enhancement because it's preferred to have a special user (role)
for an HMACC user in 1.0u3 (first release with HMACC).
Suggested Fix/Work Around
As a workaround, it is sufficient to grant additional permissions to
"administrator" role, as this role already governs most of the permissions
needed by hmacc.
The only additional permissions needed to grant are:
permission java.util.PropertyPermission "*", "read, write";
permission java.lang.management.ManagementPermission "monitor";
permission javax.management.MBeanPermission "*", "runtime";
Analysis
Creating a new user role governing the "monitoring" permissions is just a part
of the problem. To have a full support for new user role, it is needed to
introduce a command for adding/removing a user with "monitoring" ("observer")
role. Following set of permissions is needed for this role:
permission javax.management.MBeanPermission "*", "getDomains";
permission javax.management.MBeanPermission "*", "getObjectInstance";
permission javax.management.MBeanPermission "*", "queryMBeans";
permission javax.management.MBeanPermission "*", "queryNames";
permission javax.management.MBeanPermission "*", "getAttribute";
permission javax.management.MBeanPermission "*", "getMBeanInfo";
permission javax.management.MBeanPermission "*", "addNotificationListener";
permission javax.management.MBeanPermission "*", "removeNotificationListener";
permission javax.management.MBeanPermission "*", "isInstanceOf";
permission javax.management.MBeanPermission "*", "getObjectInstance";
permission javax.management.MBeanPermission "*", "invoke";
permission javax.management.MBeanPermission "*", "runtime";
permission java.util.PropertyPermission "*", "read, write";
permission java.lang.management.ManagementPermission "monitor";
permission javax.management.MBeanPermission "*", "runtime";
An "invoke" permission has to be investigated - ideally, not all ("*") MBeans
should be granted to invoke operations on, but only those really needed.
The new role should have meaningful name "observer" or something similar.
To be able to add user with that role to the system, two possible approaches exist:
1. To create an "AddObserverUser" command, that would copy the functionality of
the "AddAdminUser" command except the fact, that an "observer" role would be
used isntead of "administrator" role.
2. To modify the "AddAdminUser" command to make it more general - to allow to
add an user with any role. It would mean, that a "role" switch would need to be
introduced and command would need to be renamed to "AddUserWithRole" (or
something similar).
How to test
A testsuite test for set of commands.
A manual test for hmacc.
ETC - 2 PD
------- Additional comments from rhierlmeier Wed Nov 25 07:21:10 -0700 2009 -------
Milestone changed
Note: See
TracTickets for help on using
tickets.
