JMX Policy Editor to modify Deployer role

This post describes how to modify the default policy settings for users with the Deployer role.

By default, a user with the Deployer role cannot start or stop a JDBC Data Source. There could be situations where you would like to grant that permission.

While trying to start or stop a JDBC Data Source as such a user, we might encounter the error below.

Access not allowed for subject: principals=[deployer, Deployers], on Resource Operation: invoke , Target: isOperationAllowed

We can modify the default behavior by using the JMX Policy Editor to change the default JMX Policies.

Prerequisites:

  1. A user with Deployer role privileges.

Steps to modify the default JMX policies using the JMX Policy Editor:

1. Enable the feature that allows JMX policies to be edited.

a. Log into the Administration Console and navigate to the current security realm: myrealm –> Configuration tab.

b. Enable the “Use Authorization Providers to Protect JMX Access” option.

NOTE: Restart the Admin Server so that the changes take effect.

2. Select the MBean operations whose permissions need to be modified.

a. Log into the Admin Console and navigate to Security Realms –> myrealm –> Roles and Policies tab.

b. Click the Realm Policies sub-tab, then click JMX Policy Editor.

c. Global Scope is enabled by default; click Next.

d. From the list of MBeans, expand the MBean types.

e. Select ‘JDBCDataSourceRuntimeMBean’ –> click Next.

f. Select “Operations: Permission to Invoke”, which determines the operations whose permissions can be modified.

Alternatively, you can apply more granular control by selecting only the individual operations that need to be controlled.

3. Edit the JMX security policies.

a. Click Create Policy –> Add Conditions.

b. From the predicate list, you can select a User, Group or Role.

c. Click Save to complete the JMX Security Policy.

4. Testing the setup.

a. Log into the Admin Console as the deployer user and navigate to the Data Source.

b. Go to the Control sub-tab; you can now start/stop the data source.

NOTE: Similarly, you can modify the access permissions of other MBeans.
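To check the effect of the policy change from the log side, the script below scans log lines for the denial message quoted earlier and counts denials per user or group. It is an added example, not part of the original post or of WebLogic; the regular expression is keyed to the message exactly as shown above, and the sample lines (timestamps, the Monitors entry) are constructed.

```python
import re
from collections import Counter

# Keyed to the denial text as quoted in this post; any log prefix before it is ignored.
DENIAL_RE = re.compile(
    r"Access not allowed for subject: principals=\[(?P<principals>[^\]]*)\],\s*"
    r"on Resource\s+(?P<resource>.*?)\s*Operation:\s*(?P<operation>\w+)\s*,\s*"
    r"Target:\s*(?P<target>\w+)"
)

# Constructed sample lines: timestamps, the second principal set and the
# unrelated line are made up for illustration.
SAMPLE_LOG = """\
2024-01-10 09:14:02 Access not allowed for subject: principals=[deployer, Deployers], on Resource Operation: invoke , Target: isOperationAllowed
2024-01-10 09:14:07 Access not allowed for subject: principals=[deployer, Deployers], on Resource Operation: invoke , Target: isOperationAllowed
2024-01-10 09:20:31 Access not allowed for subject: principals=[monitor, Monitors], on Resource Operation: invoke , Target: shutdown
2024-01-10 09:21:00 Data source state changed
"""

def parse_denials(lines):
    """Return one dict per denial line: principals (list), operation, target."""
    events = []
    for line in lines:
        m = DENIAL_RE.search(line)
        if m is None:
            continue  # not a JMX authorization denial
        # The principals list mixes the user name and its groups, as in the post.
        principals = [p.strip() for p in m.group("principals").split(",") if p.strip()]
        events.append({"principals": principals,
                       "operation": m.group("operation"),
                       "target": m.group("target")})
    return events

def denials_for(events, principal):
    """Count denials per (operation, target) for one user or group name."""
    return Counter((e["operation"], e["target"])
                   for e in events if principal in e["principals"])

if __name__ == "__main__":
    events = parse_denials(SAMPLE_LOG.splitlines())
    for name in ("Deployers", "Monitors"):
        print(name, dict(denials_for(events, name)))
```

Run it over the log captured before and after the policy change to see which principals are still being denied and on which targets.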



Wonders Team. 🙂