- Bug
- Resolution: Obsolete
- Major
- None
- AMQ 7.3.0.GA, AMQ 7.2.4.GA
- AMQ Broker 2619, AMQ Broker 2919
Unable to send a message to security enhanced addresses for given users/roles.
    ...
    <addresses>
      <address name="testAddress">
        <anycast>
          <queue name="aQueue"/>
          <queue name="bQueue"/>
        </anycast>
      </address>
    </addresses>
    ...
    <security-settings>
      <security-setting match="testAddress">
        <permission roles="aUsers, bUsers" type="send"/>
      </security-setting>
      <security-setting match="testAddress::aQueue">
        <permission roles="aUsers" type="send"/>
        <permission roles="aUsers" type="consume"/>
      </security-setting>
      <security-setting match="testAddress::bQueue">
        <permission roles="bUsers" type="send"/>
        <permission roles="bUsers" type="consume"/>
      </security-setting>
    </security-settings>

    cat /opt/jboss-amq-7-i0/etc/artemis-roles.properties
    amq=tckuser,superuser,administrator,admin
    bUsers=bUser
    aUsers=aUser
    [root@dhcp-145-217 opt]# cat /opt/jboss-amq-7-i0/etc/artemis-users.properties
    tckuser=tckuser
    superuser=superuser
    administrator=administrator
    bUser=bUser
    admin=admin
    nobody=nobody
    aUser=aUser
Sending message as authorized "aUser" to testAddress via AMQP (wants to create new queue)
    java -jar /var/dtests/node_data/clients/aac1.jar sender --log-msgs dict --broker <broker>:5672 --conn-auth-mechanisms PLAIN --conn-username aUser --conn-password aUser --address "testAddress" --count 20
    # ecode:1 (exp. 0), dur.:1.87 err_cnt:1
    [14:27:32] [INFO] dtestlib.Test :: stderr:
    14:27:23,249 ERROR Error while sending a message!
    javax.jms.InvalidDestinationException: AMQ119002: target address does not exist [condition = amqp:not-found]
        at org.apache.qpid.jms.provider.amqp.AmqpSupport.convertToException(AmqpSupport.java:153)
        at org.apache.qpid.jms.provider.amqp.AmqpSupport.convertToException(AmqpSupport.java:118)
        at org.apache.qpid.jms.provider.amqp.builders.AmqpResourceBuilder.handleClosed(AmqpResourceBuilder.java:185)
        at org.apache.qpid.jms.provider.amqp.builders.AmqpResourceBuilder.processRemoteClose(AmqpResourceBuilder.java:129)
        at org.apache.qpid.jms.provider.amqp.AmqpProvider.processUpdates(AmqpProvider.java:938)
        at org.apache.qpid.jms.provider.amqp.AmqpProvider.onData(AmqpProvider.java:824)
        at org.apache.qpid.jms.transports.netty.NettyTcpTransport$NettyTcpTransportHandler.channelRead0(NettyTcpTransport.java:539)
        at org.apache.qpid.jms.transports.netty.NettyTcpTransport$NettyTcpTransportHandler.channelRead0(NettyTcpTransport.java:532)
        at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
        at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:799)
        at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:433)
        at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:330)
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:909)
        at java.lang.Thread.run(Thread.java:748)
Receive via AMQP
    java -jar /var/dtests/node_data/clients/aac1.jar receiver --timeout 3 --log-msgs dict --broker <broker>:5672 --conn-auth-mechanisms PLAIN --conn-username aUser --conn-password aUser --address "testAddress::aQueue" --count 40
    # ecode:1 (exp. 0), dur.:1.81 err_cnt:1
    [14:27:53] [INFO] dtestlib.Test :: stderr:
    14:27:45,040 ERROR Exception while consuming message!
    javax.jms.JMSSecurityException: AMQ119015: not authorized to create consumer, AMQ229213: User: aUser does not have permission='CONSUME' for queue aQueue on address testAddress.aQueue [condition = amqp:unauthorized-access]
        at org.apache.qpid.jms.provider.amqp.AmqpSupport.convertToException(AmqpSupport.java:144)
        at org.apache.qpid.jms.provider.amqp.AmqpSupport.convertToException(AmqpSupport.java:118)
        at org.apache.qpid.jms.provider.amqp.builders.AmqpResourceBuilder.handleClosed(AmqpResourceBuilder.java:185)
        at org.apache.qpid.jms.provider.amqp.builders.AmqpResourceBuilder.processRemoteClose(AmqpResourceBuilder.java:129)
        at org.apache.qpid.jms.provider.amqp.AmqpProvider.processUpdates(AmqpProvider.java:938)
        at org.apache.qpid.jms.provider.amqp.AmqpProvider.onData(AmqpProvider.java:824)
        at org.apache.qpid.jms.transports.netty.NettyTcpTransport$NettyTcpTransportHandler.channelRead0(NettyTcpTransport.java:539)
        at org.apache.qpid.jms.transports.netty.NettyTcpTransport$NettyTcpTransportHandler.channelRead0(NettyTcpTransport.java:532)
        at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
        at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:799)
        at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:433)
        at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:330)
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:909)
        at java.lang.Thread.run(Thread.java:748)
Core sender
    java -jar /var/dtests/node_data/clients/acce.jar sender --log-msgs dict --broker tcp://<broker>:61616 --conn-username aUser --conn-password aUser --address "testAddress" --count 20
    # ecode:1 (exp. 0), dur.:1.79 err_cnt:1
    [14:37:11] [INFO] dtestlib.Test :: stderr:
    14:37:02,831 ERROR ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ229213: User: aUser does not have permission='CREATE_DURABLE_QUEUE' for queue testAddress on address testAddress]
    14:37:02,833 ERROR Error while sending a message!
    javax.jms.JMSSecurityException: AMQ229213: User: aUser does not have permission='CREATE_DURABLE_QUEUE' for queue testAddress on address testAddress
        at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:423)
        at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:319)
        at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQSessionContext.createQueue(ActiveMQSessionContext.java:682)
        at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.internalCreateQueue(ClientSessionImpl.java:1927)
        at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.createQueue(ClientSessionImpl.java:409)
        at org.apache.activemq.artemis.jms.client.ActiveMQMessageProducer.createQueue(ActiveMQMessageProducer.java:544)
        at org.apache.activemq.artemis.jms.client.ActiveMQMessageProducer.doSendx(ActiveMQMessageProducer.java:430)
        at org.apache.activemq.artemis.jms.client.ActiveMQMessageProducer.send(ActiveMQMessageProducer.java:192)
        at com.redhat.mqe.acc.AccSenderClient.startClient(AccSenderClient.java:99)
        at com.redhat.mqe.lib.Main.main(Main.java:46)
        at com.redhat.mqe.acc.Main.main(Main.java:85)
        at com.redhat.mqe.acc.Main.main(Main.java:89)
    Caused by: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ229213: User: aUser does not have permission='CREATE_DURABLE_QUEUE' for queue testAddress on address testAddress]
        ... 12 more
Core receiver
    java -jar /var/dtests/node_data/clients/acce.jar receiver --timeout 3 --log-msgs dict --broker tcp://<broker>:61616 --conn-username aUser --conn-password aUser --address 'testAddress::aQueue' --count 40
    # ecode:1 (exp. 0), dur.:1.75 err_cnt:1
    [14:37:32] [INFO] dtestlib.Test :: stderr:
    14:37:23,781 ERROR Exception while consuming message!
    javax.jms.InvalidDestinationException: Destination testAddress::aQueue does not exist
        at org.apache.activemq.artemis.jms.client.ActiveMQSession.createConsumer(ActiveMQSession.java:738)
        at org.apache.activemq.artemis.jms.client.ActiveMQSession.createConsumer(ActiveMQSession.java:390)
        at com.redhat.mqe.lib.ReceiverClient.consumeMessage(ReceiverClient.java:180)
        at com.redhat.mqe.lib.ReceiverClient.startClient(ReceiverClient.java:149)
        at com.redhat.mqe.lib.Main.main(Main.java:46)
        at com.redhat.mqe.acc.Main.main(Main.java:85)
        at com.redhat.mqe.acc.Main.main(Main.java:89)
Sending message as authorized "aUser" to testAddress via OpenWire (works w/o problems). 10 messages are in aQueue, and bQueue.
    java -jar /var/dtests/node_data/clients/aoc7.jar sender --log-msgs dict --broker <broker>:61616 --conn-auth-mechanisms PLAIN --conn-username aUser --conn-password aUser --address "testAddress" --count 20
    ignored option: conn-auth-mechanisms
    {'address': 'testAddress', 'group-id': None, 'subject': None, 'user-id': None, 'correlation-id': None, 'content-encoding': None, 'priority': 4, 'type': None, 'ttl': 0, 'absolute-expiry-time': 0, 'content': None, 'redelivered': False, 'reply-to-group-id': None, 'durable': True, 'group-sequence': 0, 'creation-time': 1555589501071, 'content-type': None, 'id': 'host-10-0-150-57-44517-1555589500823-1:1:1:1:1', 'reply-to': None, 'properties': {}}
    ....
    {'address': 'testAddress', 'group-id': None, 'subject': None, 'user-id': None, 'correlation-id': None, 'content-encoding': None, 'priority': 4, 'type': None, 'ttl': 0, 'absolute-expiry-time': 0, 'content': None, 'redelivered': False, 'reply-to-group-id': None, 'durable': True, 'group-sequence': 0, 'creation-time': 1555589501179, 'content-type': None, 'id': 'host-10-0-150-57-44517-1555589500823-1:1:1:1:20', 'reply-to': None, 'properties': {}}
Receiving does not work properly
    java -jar /var/dtests/node_data/clients/aoc7.jar receiver --timeout 3 --log-msgs dict --broker tcp://<broker>:61616 --conn-username aUser --conn-password aUser --address 'testAddress::aQueue' --count 40
    # ecode:1 (exp. 0), dur.:1.76 err_cnt:1
    [14:32:52] [INFO] dtestlib.Test :: stderr:
    14:32:43,618 ERROR Exception while consuming message!
    javax.jms.JMSSecurityException: AMQ229213: User: aUser does not have permission='CONSUME' for queue testAddress::aQueue on address testAddress.testAddress::aQueue
        at org.apache.activemq.artemis.core.protocol.openwire.OpenWireConnection.convertException(OpenWireConnection.java:383)
        at org.apache.activemq.artemis.core.protocol.openwire.OpenWireConnection.bufferReceived(OpenWireConnection.java:295)
        at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:643)
        at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:345)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:337)
        at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:323)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:297)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:345)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:337)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:345)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
        at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:796)
        at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:427)
        at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:328)
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:905)
        at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
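
A triage sketch for the AMQ229213 denials above (an added example, not code from this report or from the broker): it takes the name each message gives after "on address" and looks it up among the configured `match` strings. The lookup is a literal comparison with no wildcard handling, which is an assumption made here and not the broker's matching algorithm; `load_settings`, `triage` and the verdict strings are hypothetical names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed from the <security-settings> quoted in the report (bQueue omitted).
SECURITY_XML = """<security-settings>
  <security-setting match="testAddress">
    <permission roles="aUsers, bUsers" type="send"/>
  </security-setting>
  <security-setting match="testAddress::aQueue">
    <permission roles="aUsers" type="send"/>
    <permission roles="aUsers" type="consume"/>
  </security-setting>
</security-settings>"""
ROLES = {"aUsers": {"aUser"}, "bUsers": {"bUser"}}  # artemis-roles.properties

# AMQ229213 messages copied from the client stderr in the report.
DENIALS = [
    "AMQ229213: User: aUser does not have permission='CONSUME' "
    "for queue aQueue on address testAddress.aQueue",
    "AMQ229213: User: aUser does not have permission='CREATE_DURABLE_QUEUE' "
    "for queue testAddress on address testAddress",
    "AMQ229213: User: aUser does not have permission='CONSUME' "
    "for queue testAddress::aQueue on address testAddress.testAddress::aQueue",
]
DENY_RE = re.compile(r"AMQ229213: User: (\S+) does not have permission='(\w+)' "
                     r"for queue (\S+) on address ([^\s\]]+)")

def load_settings(xml_text):
    """Map each literal match string to {permission type: set of roles}."""
    settings = {}
    for s in ET.fromstring(xml_text).iter("security-setting"):
        perms = settings.setdefault(s.get("match"), {})
        for p in s.iter("permission"):
            roles = {r.strip() for r in p.get("roles").split(",")}
            perms.setdefault(p.get("type").lower(), set()).update(roles)
    return settings

def triage(line, settings, roles=ROLES):
    """Return (checked name, permission, verdict), or None if not AMQ229213."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    user, perm, _queue, checked = m.groups()
    if checked not in settings:  # assumption: literal comparison, no wildcards
        return checked, perm, "NO_MATCHING_SETTING"
    wanted = perm.replace("_", "").lower()  # CREATE_DURABLE_QUEUE -> createdurablequeue
    allowed = any(user in roles.get(r, ()) for r in settings[checked].get(wanted, ()))
    return checked, perm, "GRANTED_IN_CONFIG" if allowed else "TYPE_NOT_GRANTED"
```

Run over the three messages, the two consume denials name `testAddress.aQueue` and `testAddress.testAddress::aQueue`, neither of which equals the configured `testAddress::aQueue`, while the Core sender denial hits the `testAddress` setting, which grants only `send`.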
- clones
  - ENTMQBR-2084 Security permissions are not applied properly (Closed)