src/jdk.management.agent/share/conf/jmxremote.access
author smarks
Wed, 23 Jan 2019 14:45:54 -0800
changeset 55702 339e544d59e3
parent 47216 71c04702a3d5
permissions -rw-r--r--
8213432: Better copies of CopiesList Reviewed-by: rriggs, skoivu, ahgross, robm, rhalade, jeff
######################################################################
#     Default Access Control File for Remote JMX(TM) Monitoring
######################################################################
#
# Access control file for Remote JMX API access to monitoring.
# This file defines the allowed access for different roles.  The
# password file (jmxremote.password by default) defines the roles and their
# passwords.  To be functional, a role must have an entry in
# both the password and the access files.
#
# The default location of this file is $JRE/conf/management/jmxremote.access
# You can specify an alternate location by specifying a property in
# the management config file $JRE/conf/management/management.properties
# (See that file for details)
#
# The file format for password and access files is syntactically the same
# as the Properties file format.  The syntax is described in the Javadoc
# for java.util.Properties.load.
# A typical access file has multiple lines, where each line is blank,
# a comment (like this one), or an access control entry.
#
# An access control entry consists of a role name, and an
# associated access level.  The role name is any string that does not
# itself contain spaces or tabs.  It corresponds to an entry in the
# password file (jmxremote.password).  The access level is one of the
# following:
#       "readonly" grants access to read attributes of MBeans.
#                   For monitoring, this means that a remote client in this
#                   role can read measurements but cannot perform any action
#                   that changes the environment of the running program.
#       "readwrite" grants access to read and write attributes of MBeans,
#                   to invoke operations on them, and optionally
#                   to create or remove them. This access should be granted
#                   only to trusted clients, since they can potentially
#                   interfere with the smooth operation of a running program.
#
# The "readwrite" access level can optionally be followed by the "create" and/or
# "unregister" keywords.  The "unregister" keyword grants access to unregister
# (delete) MBeans.  The "create" keyword grants access to create MBeans of a
# particular class or of any class matching a particular pattern.  Access
# should only be granted to create MBeans of known and trusted classes, since
# creating an MBean instantiates that class inside the running program.
#
# For example, the following entry would grant readwrite access
# to "controlRole", as well as access to create MBeans of the class
# javax.management.monitor.CounterMonitor and to unregister any MBean:
#  controlRole readwrite \
#              create javax.management.monitor.CounterMonitor \
#              unregister
# or equivalently:
#  controlRole readwrite unregister create javax.management.monitor.CounterMonitor
#
# The following entry would grant readwrite access as well as access to create
# MBeans of any class in the packages javax.management.monitor and
# javax.management.timer:
#  controlRole readwrite \
#              create javax.management.monitor.*,javax.management.timer.* \
#              unregister
#
# The \ character is defined in the Properties file syntax to allow continuation
# lines as shown here.  A * in a class pattern matches a sequence of characters
# other than dot (.), so javax.management.monitor.* matches
# javax.management.monitor.CounterMonitor but not
# javax.management.monitor.foo.Bar.
#
# A given role should have at most one entry in this file.  If a role
# has no entry, it has no access.
# If multiple entries are found for the same role name, then the last
# access entry is used.
#
#
# Default access control entries:
# o The "monitorRole" role has readonly access.
# o The "controlRole" role has readwrite access and can create the standard
#   Timer and Monitor MBeans defined by the JMX API, and can unregister any MBean.
monitorRole   readonly
controlRole   readwrite \
              create javax.management.monitor.*,javax.management.timer.* \
              unregister