- Task
- Resolution: Done
- Major
- None
- AMQ 7.7.0.GA
In ActiveMQ 5.x, clients that have Read permission on a topic are allowed to create a subscription. However, in Red Hat AMQ 7, when mapping Artemis permissions to ActiveMQ 5.x permissions, clients aren't permitted to create a queue with an ActiveMQ 5.x Read permission. In our migration from ActiveMQ 5.x to AMQ 7 we are constantly receiving errors like the following:
User: x does not have permission='CREATE_NON_DURABLE_QUEUE' for queue 14ed9331-6560-42fa-a1e6-91ffb01ba34e on x.address]
It happens on multicast queues where the ActiveMQ 5.x client only has Read permission on the queue.
I know that queues are allowed to be created if the client has the ActiveMQ 5.x Send permission. Is it possible to have a similar behavior for the ActiveMQ 5.x Read permission, but only for multicast queues? Maybe something similar to the following:
1) Possibly introduce a new setting on the LegacyLDAPSecuritySettingPlugin: allowQueueAdministrationOnRead
2) In LegacyLDAPSecuritySettingPlugin.java, update the method

    private void processSearchResult(Map<String, Set<Role>> securityRoles, SearchResult searchResult) throws NamingException

as follows (string comparison uses equals() rather than ==, which would compare references):

    boolean allowQueueAdministration = allowQueueAdministrationOnRead
        && "topic".equals(destinationType)
        && permissionType.equalsIgnoreCase(readPermissionValue);

Maybe this can be used to update the Role construction in Role.java:

    Role role = new Role(roleName,
        permissionType.equalsIgnoreCase(writePermissionValue), // send
        permissionType.equalsIgnoreCase(readPermissionValue), // consume
        permissionType.equalsIgnoreCase(adminPermissionValue) || allowQueueAdministration, // createDurableQueue
        permissionType.equalsIgnoreCase(adminPermissionValue) || allowQueueAdministration, // deleteDurableQueue
        permissionType.equalsIgnoreCase(adminPermissionValue) || allowQueueAdministration, // createNonDurableQueue
        permissionType.equalsIgnoreCase(adminPermissionValue) || allowQueueAdministration, // deleteNonDurableQueue
        // ...
Or maybe this can be a new argument on a constructor in the Role class.
Anyway, are there any alternatives that can be used in conjunction with LegacyLDAPSecuritySettingPlugin that will allow a multicast queue to be created with only an ActiveMQ 5.x Read permission?
We can have the ability to create multicast queues with an ActiveMQ 5.x Read permission. The current implementation works as documented - the Artemis CREATE_NON_DURABLE_QUEUE and CREATE_DURABLE_QUEUE permissions are mapped to the ActiveMQ 5.x Admin permission. What they want is the capability to also map the CREATE_NON_DURABLE_QUEUE and CREATE_DURABLE_QUEUE permissions to the ActiveMQ 5.x Read permission for multicast queues. This is for using the LDAP security plugin.
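As an added illustration (not code from this ticket, from Red Hat, or from the Artemis code base), the following standalone Java program models the mapping discussed above: an ActiveMQ 5.x read/write/admin permission entry on a queue or topic is turned into a set of Artemis permission flags, once with the default behaviour and once with the proposed allowQueueAdministrationOnRead setting enabled. The Permission enum, the map() and checkSubscribe() methods, the "read"/"write"/"admin" values and the sample user/queue/address are assumptions made for this example; the real plugin and Role class are not used.

```java
import java.util.EnumSet;

// Hypothetical model of the LegacyLDAPSecuritySettingPlugin permission mapping
// (added example, not the plugin's own code).
public class ReadPermissionMapping {

    // Artemis permissions relevant to this ticket (modelled as an enum, not the real Role class).
    enum Permission {
        SEND, CONSUME,
        CREATE_DURABLE_QUEUE, DELETE_DURABLE_QUEUE,
        CREATE_NON_DURABLE_QUEUE, DELETE_NON_DURABLE_QUEUE
    }

    // Assumed ActiveMQ 5.x permission values found in the LDAP entries.
    static final String READ = "read", WRITE = "write", ADMIN = "admin";

    // Maps one ActiveMQ 5.x permission entry (destinationType "queue" or "topic",
    // permissionType read/write/admin) to the Artemis flags it would grant.
    static EnumSet<Permission> map(String destinationType, String permissionType,
                                   boolean allowQueueAdministrationOnRead) {
        EnumSet<Permission> granted = EnumSet.noneOf(Permission.class);
        boolean isRead = permissionType.equalsIgnoreCase(READ);
        boolean isWrite = permissionType.equalsIgnoreCase(WRITE);
        boolean isAdmin = permissionType.equalsIgnoreCase(ADMIN);

        // Proposed extension: a read on a topic (multicast) also grants queue
        // administration, but only when the new setting is switched on.
        boolean allowQueueAdministration = allowQueueAdministrationOnRead
            && "topic".equalsIgnoreCase(destinationType)
            && isRead;

        if (isWrite) granted.add(Permission.SEND);
        if (isRead) granted.add(Permission.CONSUME);
        if (isAdmin || allowQueueAdministration) {
            granted.add(Permission.CREATE_DURABLE_QUEUE);
            granted.add(Permission.DELETE_DURABLE_QUEUE);
            granted.add(Permission.CREATE_NON_DURABLE_QUEUE);
            granted.add(Permission.DELETE_NON_DURABLE_QUEUE);
        }
        return granted;
    }

    // Simulates the broker-side check a subscription creation runs into; the
    // message shape follows the error quoted in the ticket.
    static String checkSubscribe(EnumSet<Permission> granted, String user,
                                 String queue, String address) {
        if (!granted.contains(Permission.CREATE_NON_DURABLE_QUEUE)) {
            return "User: " + user + " does not have permission='CREATE_NON_DURABLE_QUEUE'"
                 + " for queue " + queue + " on " + address;
        }
        return "OK";
    }

    public static void main(String[] args) {
        // Constructed sample: a client holding only an ActiveMQ 5.x Read permission on a topic.
        EnumSet<Permission> defaultMapping = map("topic", "read", false);
        EnumSet<Permission> proposedMapping = map("topic", "read", true);

        System.out.println("default : " + defaultMapping + " -> "
            + checkSubscribe(defaultMapping, "x", "<subscription-queue-id>", "x.address"));
        System.out.println("proposed: " + proposedMapping + " -> "
            + checkSubscribe(proposedMapping, "x", "<subscription-queue-id>", "x.address"));

        // A read on an anycast queue is unaffected by the setting: consume only, no queue administration.
        System.out.println("queue read with setting on: " + map("queue", "read", true));
    }
}
```

With the setting off, the topic read yields only CONSUME and the simulated check reproduces the ticket's error; with it on, the same entry also yields the create/delete queue flags and the check passes, while a read on a queue still grants CONSUME alone. Note that the proposed flag, as sketched in the ticket, grants the delete flags as well as the create flags, which is broader than the create-only capability the triage note describes.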
- clones ENTMQBR-3836 "AMQ client unable to create a subscription with only ActiveMQ Read Permission" (Closed)