This sounds like a good idea to me. There may be times that an application team wants to be able to monitor their app, but the support engineers don't want to give them normal JMX access to a production system. The Read-Only role would be good for those types.

Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
Middleware Product Engineering

> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Monday, June 13, 2022 11:32 AM
> To: Tomcat Developers List <dev@tomcat.apache.org>
> Subject: Any interest in a read-only JMX role?
>
> All,
>
> I've been thinking about the possibility of making a read-only JMX role
> available for the existing manager-jmx capability.
>
> The idea would be that this role would only be able to make "get"
> requests (that is, a JMX-get operation, not HTTP-GET). No "set" or "invoke"
> operations would be allowed.
>
> The manager-jmx role has quite a bit of power, and is typically used only for
> monitoring where being able to modify the server is not necessary. If
> manager-jmx is being used "only" for monitoring, then opening-up the
> system for potential reconfiguration by the monitoring user is a potential
> attack vector.
>
> I don't think the level-of-effort would be significant: simply require
> "manager-jmx" for set/invoke operations and require either manager-jmx or
> manager-jmx-read-only (or something similar) for get operations.
>
> Does anyone think this is a good idea?
>
> I for one use jmxproxy at $work for both monitoring /and/ administrative
> tasks such as restarting applications, listing users, and initiating garbage
> collection (in very rare cases). For these full-write purposes, I could
> continue to use the (full) jmxproxy role, but for the monitoring-only ones,
> it would be nice to lock things down to the absolute minimum.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
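
The role split proposed in the quoted message, sketched as an added example that is not part of this thread and is not Tomcat code. It assumes the operation is chosen by a request parameter named get, set or invoke, uses the tentative role name from the proposal, and makes one design choice of its own: anything that is not clearly a get still requires the full role.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added illustration of the proposed role split; not Tomcat code.
public class JmxProxyRoleCheck {
    static final String FULL_ROLE = "manager-jmx";
    // Assumed name: the proposal says "manager-jmx-read-only (or something similar)".
    static final String READ_ONLY_ROLE = "manager-jmx-read-only";

    enum Op { GET, SET, INVOKE, OTHER }

    // Assumption: the operation is selected by a request parameter named
    // get, set or invoke. Classify by the most privileged one present, so a
    // request carrying both "get" and "set" is treated as a write.
    static Op classify(Map<String, String> params) {
        if (params.containsKey("invoke")) return Op.INVOKE;
        if (params.containsKey("set")) return Op.SET;
        if (params.containsKey("get")) return Op.GET;
        return Op.OTHER;
    }

    static boolean isAllowed(Set<String> roles, Map<String, String> params) {
        boolean full = roles.contains(FULL_ROLE);
        // Only a positively identified get is opened to the read-only role;
        // set, invoke and anything unrecognised still need the full role.
        if (classify(params) == Op.GET) {
            return full || roles.contains(READ_ONLY_ROLE);
        }
        return full;
    }

    public static void main(String[] args) {
        // Constructed sample requests (the Example bean and its attribute are invented).
        List<Map<String, String>> requests = List.of(
            Map.of("get", "java.lang:type=Memory", "att", "HeapMemoryUsage"),
            Map.of("set", "Example:type=Bean", "att", "someAttr", "val", "1"),
            Map.of("invoke", "java.lang:type=Memory", "op", "gc"),
            Map.of("get", "java.lang:type=Memory", "set", "Example:type=Bean"),
            Map.of());
        Set<String> monitor = Set.of(READ_ONLY_ROLE);
        Set<String> admin = Set.of(FULL_ROLE);
        for (Map<String, String> r : requests) {
            System.out.printf("%-8s monitor=%-5b admin=%b%n",
                classify(r), isAllowed(monitor, r), isAllowed(admin, r));
        }
    }
}
```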