Details
-
New Feature
-
Status: Closed
-
Minor
-
Resolution: Abandoned
-
5.4.0
-
None
-
For all environments
Description
The web console doesn't support fine-grained authorization at the moment.
Scenario with a guest and admin user: I'd like guest to have read privs (see messages on queues, etc.), and admin to have read/write privs (see messages on queues, delete messages, delete queues, etc.). In our scenario guest is producing a message and just wants to verify the message has been created successfully on the queue. Admin owns the queue and the broker as they are on a separate development team than user guest. They do not want guest to be able to delete messages/queues etc. Right now we have no way to let guest see for themselves that the message is on the queue unless we give them the admin user/password for the basic authentication prompt when using the web console. If we give that out, we give out read/write privs to guest which we don't want to do.
I think for this to be possible two separate connections would need to be maintained to the broker, one for guest and one for admin so as the simpleAuthenticationPlugin and authorizationPlugin can be used based on the user/password used to log on. Ideally the user/password entered during a basic authentication prompt could be mapped to the same user/password used to connect to the broker. Maybe this isn't possible if the web console only maintains one connection to the broker. Maybe the web console would need to be enhanced with a user/group security section to control what privs in the web console the logged on user has. An admin could then control whether a user has the right to delete a message, a queue, etc. and the web console has the smarts to display the delete link or not based on the privs of the logged on user.
