A-MQ Broker / ENTMQBR-3836

AMQ client unable to create a subscription with only ActiveMQ Read Permission



      In ActiveMQ 5.x, clients that have Read permission on a topic are allowed to create a subscription. However, in Red Hat AMQ 7, when mapping Artemis permissions to ActiveMQ 5.x permissions, clients aren’t permitted to create a queue with an ActiveMQ 5.x Read permission. In our migration from ActiveMQ 5.x to AMQ 7 we are constantly receiving errors like the following:

      User: x does not have permission='CREATE_NON_DURABLE_QUEUE' for queue 14ed9331-6560-42fa-a1e6-91ffb01ba34e on x.address]

      It happens on multicast queues where the ActiveMQ 5.x client only has Read permission on the queue.
      I know that queues are allowed to be created if the client has the ActiveMQ 5.x Send permission. Is it possible to have similar behavior for the ActiveMQ 5.x Read permission, but only for multicast queues? Maybe something similar to the following:

      1) Possibly introduce a new setting on the LegacyLDAPSecuritySettingPlugin: allowQueueAdministrationOnRead
      2) In LegacyLDAPSecuritySettingPlugin.java, update the method private void processSearchResult(Map<String, Set<Role>> securityRoles, SearchResult searchResult) throws NamingException as follows:

      // String comparison must use equals(), not ==; the permission values are compared case-insensitively as elsewhere in the plugin
      boolean allowQueueAdministration = allowQueueAdministrationOnRead
            && "topic".equals(destinationType)
            && permissionType.equalsIgnoreCase(readPermissionValue);
      Maybe this can be used to update Role.java:
      Role role = new Role(roleName,
           permissionType.equalsIgnoreCase(writePermissionValue), // send
           permissionType.equalsIgnoreCase(readPermissionValue),  // consume
           permissionType.equalsIgnoreCase(adminPermissionValue) || allowQueueAdministration, // createDurableQueue
           permissionType.equalsIgnoreCase(adminPermissionValue) || allowQueueAdministration, // deleteDurableQueue
           permissionType.equalsIgnoreCase(adminPermissionValue) || allowQueueAdministration, // createNonDurableQueue
           permissionType.equalsIgnoreCase(adminPermissionValue) || allowQueueAdministration, // deleteNonDurableQueue
           // remaining Role constructor arguments unchanged

      Or maybe this can be a new argument on a constructor in the Role class.

      Anyway, are there any alternatives that can be used in conjunction with LegacyLDAPSecuritySettingPlugin that will allow a multicast queue to be created with only an ActiveMQ 5.x Read permission?

      We can have the ability to create multicast queues with an ActiveMQ 5.x Read permission. The current implementation works as documented - the Artemis CREATE_NON_DURABLE_QUEUE and CREATE_DURABLE_QUEUE permissions are mapped to the ActiveMQ 5.x Admin permission. What they want is the capability to also map the CREATE_NON_DURABLE_QUEUE and CREATE_DURABLE_QUEUE permissions to the ActiveMQ 5.x Read permission for multicast queues. This is for using the LDAP security plugin.
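A small model of the permission mapping discussed in this issue, added here as an example (it is not Artemis source code and not the reporter's patch): the flag names follow the snippet above, while the RoleFlags class, the subscription_denials helper and the sample user and queue values are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleFlags:
    """Artemis Role booleans the plugin sets that matter here (modelled, not the real class)."""
    send: bool
    consume: bool
    create_durable_queue: bool
    delete_durable_queue: bool
    create_non_durable_queue: bool
    delete_non_durable_queue: bool


def map_legacy_permission(permission_type: str, destination_type: str,
                          allow_queue_administration_on_read: bool = False) -> RoleFlags:
    """Map one ActiveMQ 5.x permission (read/write/admin) on one destination to
    Artemis role flags. Today queue create/delete come only from Admin; the
    proposed setting also grants them for Read, restricted to topics (multicast)."""
    p = permission_type.lower()
    is_read, is_write, is_admin = p == "read", p == "write", p == "admin"
    allow_queue_administration = (allow_queue_administration_on_read
                                  and destination_type == "topic" and is_read)
    # As in the proposed snippet one boolean feeds all four queue flags, so a
    # read-only principal on a topic also gains delete rights once the flag is on.
    queue_admin = is_admin or allow_queue_administration
    return RoleFlags(send=is_write, consume=is_read,
                     create_durable_queue=queue_admin, delete_durable_queue=queue_admin,
                     create_non_durable_queue=queue_admin, delete_non_durable_queue=queue_admin)


def subscription_denials(role: RoleFlags, user: str, queue: str, address: str,
                         durable: bool = False) -> list:
    """A topic subscription is a subscription queue plus a consumer, so the broker
    checks CREATE_[NON_]DURABLE_QUEUE for the queue and CONSUME for the consumer.
    Returns denial messages in the shape quoted in the issue; empty means allowed."""
    if durable:
        create = ("CREATE_DURABLE_QUEUE", role.create_durable_queue)
    else:
        create = ("CREATE_NON_DURABLE_QUEUE", role.create_non_durable_queue)
    return [f"User: {user} does not have permission='{perm}' for queue {queue} on {address}"
            for perm, granted in (create, ("CONSUME", role.consume)) if not granted]


if __name__ == "__main__":
    before = map_legacy_permission("read", "topic")
    for m in subscription_denials(before, "x", "14ed9331-6560-42fa-a1e6-91ffb01ba34e", "x.address"):
        print(m)  # reproduces the error quoted in the issue
    after = map_legacy_permission("read", "topic", allow_queue_administration_on_read=True)
    print("with allowQueueAdministrationOnRead:", subscription_denials(after, "x", "q", "x.address"))
```

Because the proposed snippet derives all four queue flags from the same boolean, turning the setting on also gives read-only principals delete rights on topic subscription queues; the model makes that visible so it can be reviewed before the mapping is widened.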

Assignee: jbertram Justin Bertram, vrlgohel Viral Gohel