Details
-
Feature Request
-
Resolution: Unresolved
-
Major
-
None
-
None
-
None
Description
Host scoped roles and server group scoped roles work via a constraint that checks the address being manipulated against a calculated group of allowed addresses. That calculation is complex in the server group and host cases to account for the complex semantics of those kinds of scoping while requiring very little config from the user, but we could also have a similar kind of scoping that requires more config from the user but is also more flexible. The user configures one or more regex strings, and any address (or canonical mbean object name) that matches meets the constraint.
Example, a "log-maintainer" role that gets Maintainer privileges for the logging subsystem but is Monitor for everything else:
<pattern-scoped-role name="log-maintainer" base-role="Maintainer> <patterns> <pattern value="(/profile=[^/]+)?/subsystem=logging(/.*)?"/> </patterns> </pattern-scoped-role>
I use logging as an example as it's a use case I can imagine easily enough – a server is largely locked down but tweaks to logging are allowed to allow diagnostic data to be gathered.