When running a broker with the default property file-based login module and the default karaf JAAS realm, adding a new user and a corresponding authorizationEntry sometimes results in failed authorization that persists until the broker is restarted. For example, adding the authorization for
<authorizationEntry topic="test.input.>" read="testadm" write="testadm" admin="admin"/>
<authorizationEntry topic="test.>" read="test1" write="test1" admin="admin"/>
to the existing plugin configuration:
<plugins>
  <runtimeConfigurationPlugin checkPeriod="60000" />
  <jaasAuthenticationPlugin configuration="karaf" />
  <authorizationPlugin>
    <map>
      <authorizationMap groupClass="org.apache.karaf.jaas.boot.principal.RolePrincipal">
        <!-- manager,viewer,Operator,Maintainer,Deployer,Auditor,Administrator,SuperUser,admin,User -->
        <authorizationEntries>
          <authorizationEntry queue=">"
              read="manager,viewer,Operator,Maintainer,Deployer,Auditor,Administrator,SuperUser,admin"
              write="manager,Operator,Maintainer,Deployer,Auditor,Administrator,SuperUser,admin"
              admin="manager,Operator,Maintainer,Deployer,Auditor,Administrator,SuperUser,admin"/>
          <authorizationEntry topic="test.input.>" read="testadm" write="testadm" admin="admin"/>
          <authorizationEntry topic="test.>" read="test1" write="test1" admin="admin"/>
          <authorizationEntry topic=">"
              read="manager,viewer,Operator,Maintainer,Deployer,Auditor,Administrator,SuperUser,admin"
              write="manager,Operator,Maintainer,Deployer,Auditor,Administrator,SuperUser,admin"
              admin="manager,Operator,Maintainer,Deployer,Auditor,Administrator,SuperUser,admin"/>
          <authorizationEntry topic="ActiveMQ.Advisory.>"
              read="manager,viewer,Operator,Maintainer,Deployer,Auditor,Administrator,SuperUser,admin,User"
              write="manager,viewer,Operator,Maintainer,Deployer,Auditor,Administrator,SuperUser,admin,User"
              admin="manager,viewer,Operator,Maintainer,Deployer,Auditor,Administrator,SuperUser,admin,User" />
        </authorizationEntries>
        <tempDestinationAuthorizationEntry>
          <tempDestinationAuthorizationEntry
              read="manager,viewer,Operator,Maintainer,Deployer,Auditor,Administrator,SuperUser,admin"
              write="manager,Operator,Maintainer,Deployer,Auditor,Administrator,SuperUser,admin"
              admin="manager,Operator,Maintainer,Deployer,Auditor,Administrator,SuperUser,admin"/>
        </tempDestinationAuthorizationEntry>
      </authorizationMap>
    </map>
  </authorizationPlugin>
</plugins>
while adding the user:
testadm=testadm,testadm,admin
sometimes results in failures like:
Error executing command: User testadm is not authorized to create: topic://ActiveMQ.Advisory.Connection
Restarting the broker with no other changes resolves the errors, and the producer is able to publish. Without restarting, the error seems to persist and producing fails, even after waiting several minutes.
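A static check of the configuration above, added here as an example and not part of the original report or of ActiveMQ itself: it evaluates whether the user line and the topic entries should let testadm create ActiveMQ.Advisory.Connection (creation is checked against the admin attribute), which separates a configuration mistake from stale broker state. The function names are hypothetical, and taking the union of the ACLs of every matching entry, and letting ">" match zero or more trailing segments, are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# Role lists, topic entries and user line copied from the report (queue/temp entries omitted).
MGMT = "manager,Operator,Maintainer,Deployer,Auditor,Administrator,SuperUser,admin"
VIEW = "manager,viewer,Operator,Maintainer,Deployer,Auditor,Administrator,SuperUser,admin"
CONFIG = f"""<authorizationEntries>
  <authorizationEntry topic="test.input.>" read="testadm" write="testadm" admin="admin"/>
  <authorizationEntry topic="test.>" read="test1" write="test1" admin="admin"/>
  <authorizationEntry topic=">" read="{VIEW}" write="{MGMT}" admin="{MGMT}"/>
  <authorizationEntry topic="ActiveMQ.Advisory.>" read="{VIEW},User" write="{VIEW},User" admin="{VIEW},User"/>
</authorizationEntries>"""
USERS = "testadm=testadm,testadm,admin"

def parse_users(text):
    """Karaf users.properties line 'user=password,role1,role2' -> {user: {roles}}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        user, value = line.split("=", 1)
        users[user.strip()] = {r.strip() for r in value.split(",")[1:] if r.strip()}
    return users

def matches(pattern, name):
    """Destination wildcards: '*' is exactly one segment, '>' is the rest of the name."""
    p, n = pattern.split("."), name.split(".")
    for i, seg in enumerate(p):
        if seg == ">":
            return True  # assumption: also matches when no segments remain
        if i >= len(n) or (seg != "*" and seg != n[i]):
            return False
    return len(p) == len(n)

def granting_roles(config, topic, op):
    """Union of the `op` ACL (read/write/admin) over all matching topic entries (assumed)."""
    roles = set()
    for entry in ET.fromstring(config).iter("authorizationEntry"):
        if entry.get("topic") and matches(entry.get("topic"), topic):
            roles |= {r.strip() for r in entry.get(op, "").split(",") if r.strip()}
    return roles

def is_authorized(user, topic, op, config=CONFIG, users=USERS):
    """True when the user holds at least one role the configuration grants `op` to."""
    return bool(parse_users(users).get(user, set()) & granting_roles(config, topic, op))

if __name__ == "__main__":
    print(is_authorized("testadm", "ActiveMQ.Advisory.Connection", "admin"))
```

A True result for the failing operation means the files on disk already grant it, so the denial comes from what the running broker has loaded rather than from the entries themselves.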