  1. AMQ Broker
  2. ENTMQBR-2463

Unable to send/receive messages with security permissions using FQQN for AMQP, Core or OpenWire

Details

    • AMQ Broker 2619, AMQ Broker 2919

    Description

      Unable to send a message to security enhanced addresses for given users/roles.

      ...
      <addresses>
        <address name="testAddress">
          <anycast>
            <queue name="aQueue"/>
            <queue name="bQueue"/>
          </anycast>
        </address>
      </addresses>
      ...
      <security-settings>
        <security-setting match="testAddress">
          <permission roles="aUsers, bUsers" type="send"/>
        </security-setting>
        <security-setting match="testAddress::aQueue">
          <permission roles="aUsers" type="send"/>
          <permission roles="aUsers" type="consume"/>
        </security-setting>
        <security-setting match="testAddress::bQueue">
          <permission roles="bUsers" type="send"/>
          <permission roles="bUsers" type="consume"/>
        </security-setting>
      </security-settings>
      
       cat /opt/jboss-amq-7-i0/etc/artemis-roles.properties
      amq=tckuser,superuser,administrator,admin
      bUsers=bUser
      aUsers=aUser
      [root@dhcp-145-217 opt]# cat /opt/jboss-amq-7-i0/etc/artemis-users.properties
      tckuser=tckuser
      superuser=superuser
      administrator=administrator
      bUser=bUser
      admin=admin
      nobody=nobody
      aUser=aUser
      

      Sending message as authorized "aUser" to testAddress via AMQP (wants to create new queue)

      java  -jar /var/dtests/node_data/clients/aac1.jar sender  --log-msgs dict --broker <broker>:5672 --conn-auth-mechanisms PLAIN --conn-username aUser --conn-password aUser --address "testAddress" --count 20 # ecode:1 (exp. 0), dur.:1.87 err_cnt:1
      [14:27:32] [INFO] dtestlib.Test :: stderr:
        14:27:23,249 ERROR Error while sending a message!
        javax.jms.InvalidDestinationException: AMQ119002: target address does not exist [condition = amqp:not-found]
        	at org.apache.qpid.jms.provider.amqp.AmqpSupport.convertToException(AmqpSupport.java:153)
        	at org.apache.qpid.jms.provider.amqp.AmqpSupport.convertToException(AmqpSupport.java:118)
        	at org.apache.qpid.jms.provider.amqp.builders.AmqpResourceBuilder.handleClosed(AmqpResourceBuilder.java:185)
        	at org.apache.qpid.jms.provider.amqp.builders.AmqpResourceBuilder.processRemoteClose(AmqpResourceBuilder.java:129)
        	at org.apache.qpid.jms.provider.amqp.AmqpProvider.processUpdates(AmqpProvider.java:938)
        	at org.apache.qpid.jms.provider.amqp.AmqpProvider.onData(AmqpProvider.java:824)
        	at org.apache.qpid.jms.transports.netty.NettyTcpTransport$NettyTcpTransportHandler.channelRead0(NettyTcpTransport.java:539)
        	at org.apache.qpid.jms.transports.netty.NettyTcpTransport$NettyTcpTransportHandler.channelRead0(NettyTcpTransport.java:532)
        	at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
        	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
        	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
        	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
        	at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:799)
        	at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:433)
        	at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:330)
        	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:909)
        	at java.lang.Thread.run(Thread.java:748)
      

      Receive via AMQP

      java  -jar /var/dtests/node_data/clients/aac1.jar receiver  --timeout 3 --log-msgs dict --broker <broker>:5672 --conn-auth-mechanisms PLAIN --conn-username aUser --conn-password aUser --address "testAddress::aQueue" --count 40 # ecode:1 (exp. 0), dur.:1.81 err_cnt:1
      [14:27:53] [INFO] dtestlib.Test :: stderr:
        14:27:45,040 ERROR Exception while consuming message!
        javax.jms.JMSSecurityException: AMQ119015: not authorized to create consumer, AMQ229213: User: aUser does not have permission='CONSUME' for queue aQueue on address testAddress.aQueue [condition = amqp:unauthorized-access]
        	at org.apache.qpid.jms.provider.amqp.AmqpSupport.convertToException(AmqpSupport.java:144)
        	at org.apache.qpid.jms.provider.amqp.AmqpSupport.convertToException(AmqpSupport.java:118)
        	at org.apache.qpid.jms.provider.amqp.builders.AmqpResourceBuilder.handleClosed(AmqpResourceBuilder.java:185)
        	at org.apache.qpid.jms.provider.amqp.builders.AmqpResourceBuilder.processRemoteClose(AmqpResourceBuilder.java:129)
        	at org.apache.qpid.jms.provider.amqp.AmqpProvider.processUpdates(AmqpProvider.java:938)
        	at org.apache.qpid.jms.provider.amqp.AmqpProvider.onData(AmqpProvider.java:824)
        	at org.apache.qpid.jms.transports.netty.NettyTcpTransport$NettyTcpTransportHandler.channelRead0(NettyTcpTransport.java:539)
        	at org.apache.qpid.jms.transports.netty.NettyTcpTransport$NettyTcpTransportHandler.channelRead0(NettyTcpTransport.java:532)
        	at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
        	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
        	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
        	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
        	at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:799)
        	at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:433)
        	at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:330)
        	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:909)
        	at java.lang.Thread.run(Thread.java:748)
      

      Core sender

      java  -jar /var/dtests/node_data/clients/acce.jar sender  --log-msgs dict --broker tcp://<broker>:61616 --conn-username aUser --conn-password aUser --address "testAddress" --count 20 # ecode:1 (exp. 0), dur.:1.79 err_cnt:1
      [14:37:11] [INFO] dtestlib.Test :: stderr:
        14:37:02,831 ERROR ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ229213: User: aUser does not have permission='CREATE_DURABLE_QUEUE' for queue testAddress on address testAddress]
        14:37:02,833 ERROR Error while sending a message!
        javax.jms.JMSSecurityException: AMQ229213: User: aUser does not have permission='CREATE_DURABLE_QUEUE' for queue testAddress on address testAddress
        	at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:423)
        	at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:319)
        	at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQSessionContext.createQueue(ActiveMQSessionContext.java:682)
        	at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.internalCreateQueue(ClientSessionImpl.java:1927)
        	at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.createQueue(ClientSessionImpl.java:409)
        	at org.apache.activemq.artemis.jms.client.ActiveMQMessageProducer.createQueue(ActiveMQMessageProducer.java:544)
        	at org.apache.activemq.artemis.jms.client.ActiveMQMessageProducer.doSendx(ActiveMQMessageProducer.java:430)
        	at org.apache.activemq.artemis.jms.client.ActiveMQMessageProducer.send(ActiveMQMessageProducer.java:192)
        	at com.redhat.mqe.acc.AccSenderClient.startClient(AccSenderClient.java:99)
        	at com.redhat.mqe.lib.Main.main(Main.java:46)
        	at com.redhat.mqe.acc.Main.main(Main.java:85)
        	at com.redhat.mqe.acc.Main.main(Main.java:89)
        Caused by: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ229213: User: aUser does not have permission='CREATE_DURABLE_QUEUE' for queue testAddress on address testAddress]
        	... 12 more
      

      Core receiver

      java  -jar /var/dtests/node_data/clients/acce.jar receiver  --timeout 3 --log-msgs dict --broker tcp://<broker>:61616 --conn-username aUser --conn-password aUser --address 'testAddress::aQueue' --count 40 # ecode:1 (exp. 0), dur.:1.75 err_cnt:1
      [14:37:32] [INFO] dtestlib.Test :: stderr:
        14:37:23,781 ERROR Exception while consuming message!
        javax.jms.InvalidDestinationException: Destination testAddress::aQueue does not exist
        	at org.apache.activemq.artemis.jms.client.ActiveMQSession.createConsumer(ActiveMQSession.java:738)
        	at org.apache.activemq.artemis.jms.client.ActiveMQSession.createConsumer(ActiveMQSession.java:390)
        	at com.redhat.mqe.lib.ReceiverClient.consumeMessage(ReceiverClient.java:180)
        	at com.redhat.mqe.lib.ReceiverClient.startClient(ReceiverClient.java:149)
        	at com.redhat.mqe.lib.Main.main(Main.java:46)
        	at com.redhat.mqe.acc.Main.main(Main.java:85)
        	at com.redhat.mqe.acc.Main.main(Main.java:89)
      

      Sending message as authorized "aUser" to testAddress via OpenWire (works without problems); 10 messages are in aQueue and bQueue

      java  -jar /var/dtests/node_data/clients/aoc7.jar sender  --log-msgs dict --broker <broker>:61616 --conn-auth-mechanisms PLAIN --conn-username aUser --conn-password aUser --address "testAddress" --count 20
      ignored option: conn-auth-mechanisms
      {'address': 'testAddress', 'group-id': None, 'subject': None, 'user-id': None, 'correlation-id': None, 'content-encoding': None, 'priority': 4, 'type': None, 'ttl': 0, 'absolute-expiry-time': 0, 'content': None, 'redelivered': False, 'reply-to-group-id': None, 'durable': True, 'group-sequence': 0, 'creation-time': 1555589501071, 'content-type': None, 'id': 'host-10-0-150-57-44517-1555589500823-1:1:1:1:1', 'reply-to': None, 'properties': {}}
      ....
      {'address': 'testAddress', 'group-id': None, 'subject': None, 'user-id': None, 'correlation-id': None, 'content-encoding': None, 'priority': 4, 'type': None, 'ttl': 0, 'absolute-expiry-time': 0, 'content': None, 'redelivered': False, 'reply-to-group-id': None, 'durable': True, 'group-sequence': 0, 'creation-time': 1555589501179, 'content-type': None, 'id': 'host-10-0-150-57-44517-1555589500823-1:1:1:1:20', 'reply-to': None, 'properties': {}}
      

      Receiving does not work properly

      java  -jar /var/dtests/node_data/clients/aoc7.jar receiver  --timeout 3 --log-msgs dict --broker tcp://<broker>:61616 --conn-username aUser --conn-password aUser --address 'testAddress::aQueue' --count 40 # ecode:1 (exp. 0), dur.:1.76 err_cnt:1
      [14:32:52] [INFO] dtestlib.Test :: stderr:
        14:32:43,618 ERROR Exception while consuming message!
        javax.jms.JMSSecurityException: AMQ229213: User: aUser does not have permission='CONSUME' for queue testAddress::aQueue on address testAddress.testAddress::aQueue
        	at org.apache.activemq.artemis.core.protocol.openwire.OpenWireConnection.convertException(OpenWireConnection.java:383)
        	at org.apache.activemq.artemis.core.protocol.openwire.OpenWireConnection.bufferReceived(OpenWireConnection.java:295)
        	at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:643)
        	at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73)
        	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359)
        	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:345)
        	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:337)
        	at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:323)
        	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:297)
        	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359)
        	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:345)
        	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:337)
        	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
        	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359)
        	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:345)
        	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
        	at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:796)
        	at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:427)
        	at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:328)
        	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:905)
        	at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
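
A triage aid for the AMQ229213 denials above, added here as an example (not part of the original report and not AMQ Broker code): it parses a denial line and sets the address string the broker reports checking against the `security-setting` match values from this issue. The exact-string lookup in `granted` and all function names are assumptions for illustration; the broker's own matching logic is not modelled.

```python
import re
import xml.etree.ElementTree as ET

# security-settings and role membership copied from the issue description
SETTINGS_XML = """<security-settings>
  <security-setting match="testAddress">
    <permission roles="aUsers, bUsers" type="send"/>
  </security-setting>
  <security-setting match="testAddress::aQueue">
    <permission roles="aUsers" type="send"/>
    <permission roles="aUsers" type="consume"/>
  </security-setting>
  <security-setting match="testAddress::bQueue">
    <permission roles="bUsers" type="send"/>
    <permission roles="bUsers" type="consume"/>
  </security-setting>
</security-settings>"""
ROLES = {"aUsers": {"aUser"}, "bUsers": {"bUser"}}

DENIAL = re.compile(r"AMQ229213: User: (?P<user>\S+) does not have permission="
                    r"'(?P<perm>\w+)' for queue (?P<queue>\S+) on address "
                    r"(?P<checked>[^\s\]]+)")

def load_settings(xml_text):
    """Map each match string to {permission type: set of role names}."""
    return {s.get("match"): {p.get("type"): {r.strip() for r in p.get("roles").split(",")}
                             for p in s.iter("permission")}
            for s in ET.fromstring(xml_text).iter("security-setting")}

def granted(settings, user, perm, match):
    """Assumed lookup: exact match string only, no wildcards, no fallback."""
    roles = settings.get(match, {}).get(perm, set())
    return any(user in ROLES.get(role, set()) for role in roles)

def triage(line, requested, settings):
    """Set a broker denial against the config for the address the client requested."""
    m = DENIAL.search(line)
    if m is None:
        return None
    first, *rest = m["perm"].lower().split("_")  # CREATE_DURABLE_QUEUE -> createDurableQueue
    perm = first + "".join(w.capitalize() for w in rest)
    return {"user": m["user"], "perm": perm, "checked": m["checked"],
            "checked_is_configured": m["checked"] in settings,
            "config_grants": granted(settings, m["user"], perm, requested)}

if __name__ == "__main__":
    settings = load_settings(SETTINGS_XML)
    # denial text as it appears in the AMQP receiver log of this issue
    line = ("AMQ229213: User: aUser does not have permission='CONSUME' for queue "
            "aQueue on address testAddress.aQueue [condition = amqp:unauthorized-access]")
    print(triage(line, "testAddress::aQueue", settings))
```

For the two CONSUME denials, the address string in the error (`testAddress.aQueue`, `testAddress.testAddress::aQueue`) is not one of the configured match values, although the `testAddress::aQueue` entry lists `aUsers` for `consume`.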
      

            People

              rh-ee-ataylor Andy Taylor
              mtoth@redhat.com Michal Toth
              Michal Toth Michal Toth