The Qpid Java broker has a single source of users for the system. So a user can connect to the broker to send messages and via the JMX console to check the state of the broker.

The broker does have some minimal configuration available to limit which users can connect to the JMX console and what they can do when they are there. There are two steps required to add a new user with rights for the JMX console. Create a new user login, see HowTo: Grant the new user permission to the JMX Console

By default new users do not have access to the JMX console. The access to the console is controlled via the file jmxremote.access. This file contains a mapping from user to privilege. There are three privileges available: readonly - The user is able to log in and view queues but not make any changes. readwrite - Grants user ability to read and write queue attributes such as alerting values. admin - Grants the user full access including ability to edit Users and JMX Permissions in addition to readwrite access. This file is read at start up and can forcibly be reloaded by an admin user through the management console.

The file is a standard Java properties file and has the following format <username>=<privilege> If the username value is not a valid user (list in the specified PrincipalDatabase) then the broker will print a warning when it reads the file as that entry will have no meaning. Only when the the username exists in both the access file and the PrincipalDatabase password file will the user be able to login via the JMX Console.

The file will be timestamped by the management console if edited through the console. #Generated by JMX Console : Last edited by user:admin #Tue Jun 12 16:46:39 BST 2007 admin=admin guest=readonly user=readwrite