Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: AMQ 7.7.0.CR2
Affects Version/s: AMQ 7.4.1.GA, AMQ 7.6.0.GA
Component/s: broker-core, security
Labels:
None

GSS Priority:
QE Test Coverage:
+
Release Note Text:
Previously, if you used Jolokia to dynamically set security settings for an address, the broker did not detect the update. Instead, you needed to restart the broker for the changes to take effect. This issue is now resolved.
Release Note Status:
Documented as Resolved Issue
Target Release:

AMQ 7.7.0.GA
Upstream Jira:
https://issues.apache.org/jira/browse/ARTEMIS-2708
Verified:
Verified in a release
Workaround Description:

Hide

restart broker

Show
restart broker
Steps to Reproduce:
Hide

Example for creating a user, where role/permissions are not picked up until after restarting broker:

# test before adding user $ bin/artemis producer --user myuser --password mypassword --url tcp://localhost:61616 --message-count 1 --message-size 1024 --destination queue://FOO Connection failed::AMQ229031: Unable to validate user from /127.0.0.1:40966. Username: myuser; SSL certificate subject DN: unavailable # create anycast address FOO curl -k --user admin:admin -H "Origin: http://localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/createAddress(java.lang.String,java.lang.String)/FOO/ANYCAST" # create security settings for address FOO curl -k --user admin:admin -H "Origin: http://localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/addSecuritySettings(java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String)/FOO/myrole/myrole/myrole/myrole/myrole/myrole/myrole" # create user 'myuser' with password 'mypassword' curl -k --user admin:admin -H "Origin: http://localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/addUser(java.lang.String,java.lang.String,java.lang.String,boolean)/myuser/mypassword//false" # add role 'myrole' to 'myuser' curl -k --user admin:admin --user admin:admin -H "Origin: http://localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/resetUser(java.lang.String,java.lang.String,java.lang.String)/myuser/mypassword/myrole" # check roles curl -k --user admin:admin --user admin:admin -H "Origin: http://localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/getRoles(java.lang.String)/FOO" # re-test $ bin/artemis producer --user myuser --password mypassword --url tcp://localhost:61616 --message-count 1 --message-size 1024 --destination queue://FOO //User: myuser does not have permission='CREATE_DURABLE_QUEUE' for queue FOO on address FOO] # restart broker # re-test $ bin/artemis producer --user myuser --password mypassword --url tcp://localhost:61616 --message-count 1 --message-size 1024 --destination queue://FOO //Works!
Show
Example for creating a user, where role/permissions are not picked up until after restarting broker: # test before adding user $ bin/artemis producer --user myuser --password mypassword --url tcp: //localhost:61616 --message-count 1 --message-size 1024 --destination queue://FOO Connection failed::AMQ229031: Unable to validate user from /127.0.0.1:40966. Username: myuser; SSL certificate subject DN: unavailable # create anycast address FOO curl -k --user admin:admin -H "Origin: http: //localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/createAddress(java.lang. String ,java.lang. String )/FOO/ANYCAST" # create security settings for address FOO curl -k --user admin:admin -H "Origin: http: //localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/addSecuritySettings(java.lang. String ,java.lang. String ,java.lang. String ,java.lang. String ,java.lang. String ,java.lang. String ,java.lang. String ,java.lang. String )/FOO/myrole/myrole/myrole/myrole/myrole/myrole/myrole" # create user 'myuser' with password 'mypassword' curl -k --user admin:admin -H "Origin: http: //localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/addUser(java.lang. String ,java.lang. String ,java.lang. String , boolean )/myuser/mypassword// false " # add role 'myrole' to 'myuser' curl -k --user admin:admin --user admin:admin -H "Origin: http: //localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/resetUser(java.lang. String ,java.lang. String ,java.lang. String )/myuser/mypassword/myrole" # check roles curl -k --user admin:admin --user admin:admin -H "Origin: http: //localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/getRoles(java.lang. String )/FOO" # re-test $ bin/artemis producer --user myuser --password mypassword --url tcp: //localhost:61616 --message-count 1 --message-size 1024 --destination queue://FOO //User: myuser does not have permission= 'CREATE_DURABLE_QUEUE' for queue FOO on address FOO] # restart broker # re-test $ bin/artemis producer --user myuser --password mypassword --url tcp: //localhost:61616 --message-count 1 --message-size 1024 --destination queue://FOO //Works!

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

While users can dynamically set security settings for an address via jolokia, the security settings do not appear to be used until after broker restart.

is cloned by

ENTMQBR-3489 [LTS] JMX/Jolokia addSecuritySettings - permissions are not processed until broker restart

Closed

Assignee:: Justin Bertram

Reporter:: Stephen Higgs

Tester:: Tiago Bueno

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2020/03/27 5:02 PM

Updated:: 2023/09/07 11:49 PM

Resolved:: 2020/06/15 2:17 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates