The New Manager Roles in Tomcat 7 are Wonderful
I just found the changes that the Apache Tomcat team have made to admin and manager roles to be a very pleasant surprise. This is almost like delegated administration—a very neat addition to the tomcat 7 feature set.
Prior to tomcat 7, if you needed or wanted to be able to unlock the status pages within your tomcat container in order to view things like number of threads, max threads, which ip addresses were connected, etc., you needed to unlock the Tomcat Manager. Unlocking the tomcat manager was a simple matter of creating a "manager" role and assigning accounts to that role. The problem that this created for us was that doing this resulted in the tomcat manager, the status pages, and the jmxproxy were all available to anyone with access to the server and assigned that "manager" role.
With Tomcat 7, there are now 4 built-in roles that allow administrators to delegate access to specific accounts so that they can only do certain things, like view stats and not deploy apps. The four roles are named: manager-gui, manager-script, manager-jmx, and manager-status.
manager-gui provides access to the status pages and the tomcat manager web console. Accounts with this level of access can do anything through the traditional tomcat manager web console. This includes deploying/undeploying apps, viewing stats, generating leak detection diagnostics, expiring sessions, etc.
manager-script, provides all the functionality that manager-gui provides but using the text interface instead of the html gui. A savvy scripter using curl or some perl/groovy/java/ruby/powershell/python/etc., scripts can do anything that a user with a web browser can do with the tomcat manager HTML console. If you are an app server administrator who loves the command-line, the manager-script role is for you. One item to note is that the context path for the text interface has changed in Tomcat 7 so existing scripts may need to be reworked.
manager-jmx provides access to the jmxproxy, which is something monitoring tools & scripts, administrators, and developers may find useful. In addition, this role also has access to the status pages. Existing scripts should work as-is because, unlike the text interface, the context path for the jmxproxy has not changed.
manager-status provides the users assigned to that role with access to the statistics that tomcat provides like current threads, max threads, etc. Users belonging to this role will be able to access the Status link on the main tomcat index page but will receive a 403 - Access Denied when attempting to access the Tomcat Manager.
All four roles provide access to the status pages.
The "admin" role has been broken down further which allows for access control to the Host-Manager application. There are two roles, "admin-gui" and "admin-script". Like the manager-* roles, both admin roles provide access to the status pages. The "admin-gui" role in Tomcat 7 now provides access to the host-manager HTML console while the "admin-script" role provides access to the host-manager text interface.
The addition of these new roles in the long run is going to make our lives easier as administrators with the only real downside being the reworking of any scripts that made use of the text interface and some time to re-do user access. I'm very pleased that roles have been expanded in Tomcat 7.
I would love to know what your impressions are, what your experiences have been in the past with the previous "manager" and "admin" roles, and whether you agree with me that this is a nice new addition to the Tomcat 7 feature set.