Opened 12 years ago
Last modified 10 years ago
#913 new enhancement
IZ620: A hmacc user role has to be created
Reported by: | easymf | Owned by: | |
---|---|---|---|
Priority: | high | Milestone: | |
Component: | hedeby | Version: | 1.0u2 |
Severity: | | Keywords: | Sun bootstrap |
Cc: | | | |
Description
[Imported from gridengine issuezilla http://gridengine.sunsource.net/issues/show_bug.cgi?id=620]
Issue #: 620
Platform: Sun
Reporter: easymf (easymf)
Component: hedeby
OS: All
Subcomponent: bootstrap
Version: 1.0u2
CC: None defined
Status: NEW
Priority: P2
Resolution:
Issue type: ENHANCEMENT
Target milestone: 1.0u5next
Assigned to: adoerr (adoerr)
QA Contact: adoerr
URL:
* Summary: A hmacc user role has to be created
Status whiteboard:
Attachments:
Issue 620 blocks:
Votes for issue 620:
Opened: Mon Feb 9 03:27:00 -0700 2009

------------------------

Description

To retrieve certain data from the SDM system, it is necessary to grant certain permissions to a user. An initial version of HMACC will hold monitoring-only features - the set of permissions needed by a user of HMACC is smaller than the set of permissions needed by an SDM admin user, thus it'd be ideal to deliver more fine-grained roles that would fit HMACC too. In addition, additional permissions needed for remote JVM monitoring have to be granted to HMACC users (roles).

Evaluation

A high-priority enhancement because it's preferred to have a special user (role) for an HMACC user in 1.0u3 (first release with HMACC).

Suggested Fix/Work Around

As a workaround, it is sufficient to grant additional permissions to the "administrator" role, as this role already governs most of the permissions needed by hmacc. The only additional permissions that need to be granted are:

```
permission java.util.PropertyPermission "*", "read, write";
permission java.lang.management.ManagementPermission "monitor";
permission javax.management.MBeanPermission "*", "runtime";
```

Analysis

Creating a new user role governing the "monitoring" permissions is just a part of the problem. To have full support for the new user role, it is necessary to introduce a command for adding/removing a user with the "monitoring" ("observer") role.
The following set of permissions is needed for this role:

```
permission javax.management.MBeanPermission "*", "getDomains";
permission javax.management.MBeanPermission "*", "getObjectInstance";
permission javax.management.MBeanPermission "*", "queryMBeans";
permission javax.management.MBeanPermission "*", "queryNames";
permission javax.management.MBeanPermission "*", "getAttribute";
permission javax.management.MBeanPermission "*", "getMBeanInfo";
permission javax.management.MBeanPermission "*", "addNotificationListener";
permission javax.management.MBeanPermission "*", "removeNotificationListener";
permission javax.management.MBeanPermission "*", "isInstanceOf";
permission javax.management.MBeanPermission "*", "getObjectInstance";
permission javax.management.MBeanPermission "*", "invoke";
permission javax.management.MBeanPermission "*", "runtime";
permission java.util.PropertyPermission "*", "read, write";
permission java.lang.management.ManagementPermission "monitor";
permission javax.management.MBeanPermission "*", "runtime";
```

An "invoke" permission has to be investigated - ideally, permission to invoke operations should not be granted on all ("*") MBeans, but only on those really needed.

The new role should have a meaningful name, "observer" or something similar. To be able to add a user with that role to the system, two possible approaches exist:

1. To create an "AddObserverUser" command that would copy the functionality of the "AddAdminUser" command, except that an "observer" role would be used instead of the "administrator" role.
2. To modify the "AddAdminUser" command to make it more general - to allow adding a user with any role. It would mean that a "role" switch would need to be introduced and the command would need to be renamed to "AddUserWithRole" (or something similar).

How to test

A testsuite test for the set of commands. A manual test for hmacc.

ETC - 2 PD

------- Additional comments from rhierlmeier Wed Nov 25 07:21:10 -0700 2009 -------

Milestone changed
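An added example (not part of the original ticket or the Hedeby code base): a small Python audit of the observer-role permission list above, reporting duplicate entries and grants that go beyond read-only access, such as the wildcard "invoke" that the analysis singles out. The `READ_ONLY_MBEAN` allowlist and the review rules are assumptions of this example.

```python
import re
from collections import Counter

# Observer-role entries as listed in the ticket (duplicates kept as written).
OBSERVER_POLICY = '''
permission javax.management.MBeanPermission "*", "getDomains";
permission javax.management.MBeanPermission "*", "getObjectInstance";
permission javax.management.MBeanPermission "*", "queryMBeans";
permission javax.management.MBeanPermission "*", "queryNames";
permission javax.management.MBeanPermission "*", "getAttribute";
permission javax.management.MBeanPermission "*", "getMBeanInfo";
permission javax.management.MBeanPermission "*", "addNotificationListener";
permission javax.management.MBeanPermission "*", "removeNotificationListener";
permission javax.management.MBeanPermission "*", "isInstanceOf";
permission javax.management.MBeanPermission "*", "getObjectInstance";
permission javax.management.MBeanPermission "*", "invoke";
permission javax.management.MBeanPermission "*", "runtime";
permission java.util.PropertyPermission "*", "read, write";
permission java.lang.management.ManagementPermission "monitor";
permission javax.management.MBeanPermission "*", "runtime";
'''

# Assumption of this example: MBean actions accepted as read-only monitoring.
READ_ONLY_MBEAN = {"getDomains", "getObjectInstance", "queryMBeans", "queryNames",
                   "getAttribute", "getMBeanInfo", "isInstanceOf",
                   "addNotificationListener", "removeNotificationListener"}

ENTRY = re.compile(r'permission\s+([\w.]+)\s+"([^"]*)"(?:\s*,\s*"([^"]*)")?\s*;')

def parse_policy(text):
    """Return (class, target, sorted action tuple) for each permission entry."""
    return [(cls, target, tuple(sorted(a.strip() for a in acts.split(",") if a.strip())))
            for cls, target, acts in ENTRY.findall(text)]

def audit(entries):
    """Return (duplicate entries, review findings) for a monitoring-only role."""
    counts = Counter(entries)
    duplicates = sorted(e for e, n in counts.items() if n > 1)
    findings = []
    for cls, target, acts in sorted(counts):
        short = cls.rsplit(".", 1)[-1]
        if short == "MBeanPermission":
            extra = sorted(set(acts) - READ_ONLY_MBEAN)
            findings += [f'{short} "{a}" on "{target}": not read-only, review' for a in extra]
        elif short == "PropertyPermission" and "write" in acts:
            findings.append(f'{short} "write" on "{target}": not read-only, review')
    return duplicates, findings
```

Narrowing a flagged entry means replacing the `"*"` target with the specific MBeans the role really needs, as the ticket suggests for "invoke".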