Uploaded image for project: 'AMQ Broker'
  1. AMQ Broker
  2. ENTMQBR-3836

AMQ client unable to create a subscription with only ActiveMQ Read Permission

    XMLWordPrintable

Details

    Description

      In ActiveMQ 5.x, clients that have Read permission on a topic are allowed to create a subscription. However, in Red Hat AMQ 7, when mapping Artemis permissions to ActiveMQ 5.x permissions, clients aren’t permitted to create a queue with a ActiveMQ 5.x Read permission. In our migration from ActiveMQ 5.x to AMQ 7 we are constantly receiving errors like the following:

      User: x does not have permission='CREATE_NON_DURABLE_QUEUE' for queue 14ed9331-6560-42fa-a1e6-91ffb01ba34e on x.address]

      It happens on multicast queues where the ActiveMQ 5.x client only has Read permission on the queue.
      I know that queues are allowed to be created if the client has the ActiveMQ 5.x Send permission. Is it possible to do have a similar behavior for the ActiveMQ 5.x Read permission, but only for multicast queues? Maybe, something similar to the following:

      1) Possibly introduce a new setting on the LegacyLDAPSecuritySettingPlugin: allowQueueAdministrationOnRead
      2) In LegacyLDAPSecuritySettingPlugin.java, update the method private void processSearchResult(Map<String, Set<Role>> securityRoles, SearchResult searchResult) throws NamingException as follows:

      boolean allowQueueAdministration = allowQueueAdministrationOnRead && destinationType == “topic” && permissionType.equalsIgnoreCase(readPermissionValue) ;
maybe this can be used to update Role.java

Role role = new Role(roleName,
     permissionType.equalsIgnoreCase(writePermissionValue), // send
     permissionType.equalsIgnoreCase(readPermissionValue),  // consume
     permissionType.equalsIgnoreCase(adminPermissionValue) || allowQueueAdministration, // createDurableQueue
     permissionType.equalsIgnoreCase(adminPermissionValue) || allowQueueAdministration, // deleteDurableQueue
     permissionType.equalsIgnoreCase(adminPermissionValue) || allowQueueAdministration, // createNonDurableQueue
   permissionType.equalsIgnoreCase(adminPermissionValue) || allowQueueAdministration, // deleteNonDurableQueue

      Or maybe this can be a new argument on a constructor in the Role class.

      Anyway, are there any alternatives that can be used in conjunction with LegacyLDAPSecuritySettingPlugin that will allow a multicast queue to be created with only a ActiveMQ 5.x Read permission?

      We can have the ability to create multicast queues with a ActiveMQ 5.x Read permission. The current implementation works as documented - the Artemis CREATE_NON_DURABLE_QUEUE and CREATE_DURABLE_QUEUE permissions are mapped to the ActiveMQ 5.x Admin permission. What they want is the capability to also map the CREATE_NON_DURABLE_QUEUE and CREATE_DURABLE_QUEUE permissions to the ActiveMQ 5.x Read permission for multicast queues. This is for using the LDAP security plugin.

      Attachments

        Issue Links

          is cloned by

          Task - Represents a small unit of work that is not end-user facing. ENTMQBR-4302 Doc: AMQ client unable to create a subscription with only ActiveMQ Read Permission

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              rhn-support-jbertram Justin Bertram
              rhn-support-vgohel Viral Gohel
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: