[818] | 1 | ######################################################################
|
---|
| 2 | # Default Access Control File for Remote JMX(TM) Monitoring
|
---|
| 3 | ######################################################################
|
---|
| 4 | #
|
---|
| 5 | # Access control file for Remote JMX API access to monitoring.
|
---|
| 6 | # This file defines the allowed access for different roles. The
|
---|
| 7 | # password file (jmxremote.password by default) defines the roles and their
|
---|
| 8 | # passwords. To be functional, a role must have an entry in
|
---|
| 9 | # both the password and the access files.
|
---|
| 10 | #
|
---|
| 11 | # The default location of this file is $JRE/lib/management/jmxremote.access
|
---|
| 12 | # You can specify an alternate location by specifying a property in
|
---|
| 13 | # the management config file $JRE/lib/management/management.properties
|
---|
| 14 | # (See that file for details)
|
---|
| 15 | #
|
---|
| 16 | # The file format for password and access files is syntactically the same
|
---|
| 17 | # as the Properties file format. The syntax is described in the Javadoc
|
---|
| 18 | # for java.util.Properties.load.
|
---|
| 19 | # A typical access file has multiple lines, where each line is blank,
|
---|
| 20 | # a comment (like this one), or an access control entry.
|
---|
| 21 | #
|
---|
| 22 | # An access control entry consists of a role name, and an
|
---|
| 23 | # associated access level. The role name is any string that does not
|
---|
| 24 | # itself contain spaces or tabs. It corresponds to an entry in the
|
---|
| 25 | # password file (jmxremote.password). The access level is one of the
|
---|
| 26 | # following:
|
---|
| 27 | # "readonly" grants access to read attributes of MBeans.
|
---|
| 28 | # For monitoring, this means that a remote client in this
|
---|
| 29 | # role can read measurements but cannot perform any action
|
---|
| 30 | # that changes the environment of the running program.
|
---|
| 31 | # "readwrite" grants access to read and write attributes of MBeans,
|
---|
| 32 | # to invoke operations on them, and optionally
|
---|
| 33 | # to create or remove them. This access should be granted
|
---|
| 34 | # only to trusted clients, since they can potentially
|
---|
| 35 | # interfere with the smooth operation of a running program.
|
---|
| 36 | #
|
---|
| 37 | # The "readwrite" access level can optionally be followed by the "create" and/or
|
---|
| 38 | # "unregister" keywords. The "unregister" keyword grants access to unregister
|
---|
| 39 | # (delete) MBeans. The "create" keyword grants access to create MBeans of a
|
---|
| 40 | # particular class or of any class matching a particular pattern. Access
|
---|
| 41 | # should only be granted to create MBeans of known and trusted classes.
|
---|
| 42 | #
|
---|
| 43 | # For example, the following entry would grant readwrite access
|
---|
| 44 | # to "controlRole", as well as access to create MBeans of the class
|
---|
| 45 | # javax.management.monitor.CounterMonitor and to unregister any MBean:
|
---|
| 46 | # controlRole readwrite \
|
---|
| 47 | # create javax.management.monitor.CounterMonitorMBean \
|
---|
| 48 | # unregister
|
---|
| 49 | # or equivalently:
|
---|
| 50 | # controlRole readwrite unregister create javax.management.monitor.CounterMBean
|
---|
| 51 | #
|
---|
| 52 | # The following entry would grant readwrite access as well as access to create
|
---|
| 53 | # MBeans of any class in the packages javax.management.monitor and
|
---|
| 54 | # javax.management.timer:
|
---|
| 55 | # controlRole readwrite \
|
---|
| 56 | # create javax.management.monitor.*,javax.management.timer.* \
|
---|
| 57 | # unregister
|
---|
| 58 | #
|
---|
| 59 | # The \ character is defined in the Properties file syntax to allow continuation
|
---|
| 60 | # lines as shown here. A * in a class pattern matches a sequence of characters
|
---|
| 61 | # other than dot (.), so javax.management.monitor.* matches
|
---|
| 62 | # javax.management.monitor.CounterMonitor but not
|
---|
| 63 | # javax.management.monitor.foo.Bar.
|
---|
| 64 | #
|
---|
| 65 | # A given role should have at most one entry in this file. If a role
|
---|
| 66 | # has no entry, it has no access.
|
---|
| 67 | # If multiple entries are found for the same role name, then the last
|
---|
| 68 | # access entry is used.
|
---|
| 69 | #
|
---|
| 70 | #
|
---|
| 71 | # Default access control entries:
|
---|
| 72 | # o The "monitorRole" role has readonly access.
|
---|
| 73 | # o The "controlRole" role has readwrite access and can create the standard
|
---|
| 74 | # Timer and Monitor MBeans defined by the JMX API.
|
---|
| 75 |
|
---|
| 76 | monitorRole readonly
|
---|
| 77 | controlRole readwrite \
|
---|
| 78 | create javax.management.monitor.*,javax.management.timer.* \
|
---|
| 79 | unregister
|
---|