1. enable JMX policy editor
Login to console - security realms - myrealm -configuration - general - enable :Use Authorization Providers to Protect JMX Access - save - activate changes - restart
2. create user with monitor role
Login to console - security realm - myrealm - users&groups - users-new - create new user -save - click on that user again - groups - select monitor on the left table and move it to right - save -
3. create policy
Login to console - security realm - myrealm - roles & policies - Realm Policies - JMX Policy Editor - global scope - next - weblogic.management.runtime - JMSDestinationRuntimeMBean - next - Operations: Permission to Invoke - create policy -add conditions - Predicate List: user - next -
type your user and add - finish - save
4. now login to console as user (with monitor role) and try reading a message
WLST:
For granular approach of specific permission of get messages only:
cmo.createPolicy('type=<jmx>, operation=invoke, application=, mbeanType=weblogic.management.runtime.JMSDestinationRuntimeMBean, target=getMessages','{Rol(Monitor)}')
For a broader permissions remove the targets:
cmo.createPolicy('type=<jmx>, operation=invoke, application=, mbeanType=weblogic.management.runtime.JMSDestinationRuntimeMBean','{Rol(Monitor)}')
I was able to get the resource details by enabling audit logging
http://docs.oracle.com/cd/E12840_01/wls/docs103/secwlre/xacmlusing.html#wp1268689
Login to console - security realms - myrealm -configuration - general - enable :Use Authorization Providers to Protect JMX Access - save - activate changes - restart
2. create user with monitor role
Login to console - security realm - myrealm - users&groups - users-new - create new user -save - click on that user again - groups - select monitor on the left table and move it to right - save -
3. create policy
Login to console - security realm - myrealm - roles & policies - Realm Policies - JMX Policy Editor - global scope - next - weblogic.management.runtime - JMSDestinationRuntimeMBean - next - Operations: Permission to Invoke - create policy -add conditions - Predicate List: user - next -
type your user and add - finish - save
4. now login to console as user (with monitor role) and try reading a message
WLST:
For granular approach of specific permission of get messages only:
cmo.createPolicy('type=<jmx>, operation=invoke, application=, mbeanType=weblogic.management.runtime.JMSDestinationRuntimeMBean, target=getMessages','{Rol(Monitor)}')
For a broader permissions remove the targets:
cmo.createPolicy('type=<jmx>, operation=invoke, application=, mbeanType=weblogic.management.runtime.JMSDestinationRuntimeMBean','{Rol(Monitor)}')
I was able to get the resource details by enabling audit logging
http://docs.oracle.com/cd/E12840_01/wls/docs103/secwlre/xacmlusing.html#wp1268689
No comments:
Post a Comment