Uploaded image for project: 'AMQ Broker'
  1. AMQ Broker
  2. ENTMQBR-5592

[LTS] Mapping roles to all queue names that include a specified prefix using a wildcard "*" does not work consistently

XMLWordPrintable

    • False
    • False
    • Hide
      1. add following roles to "etc/artemis.profile" file for "-Dhawtio.role" option:
        -Dhawtio.role=amq,team.apple,team.banana,team.cherry,team.melon,team.orange 
      2. modify "etc/broker.xml" file to add all pre-defined addresses as attached broker.xml <addresses> section. 
      3. modify "etc/broker.xml" file to change "send" permission in <security-setting> section for "#", like: 
        <security-setting match="#">
            ...    
            <permission type="send" roles="amq,team.apple,team.banana,team.cherry,team.melon,team.orange"/>
        ...
        </security-setting>
        This permission allows you to invoke "Send Message" on all queues with appropriate "send" permissions.
      4. copy over attached management.xml to your "etc/" folder to overwrite the original one;

      Please note, the password for all users is "password" in attached "artemis-users.properties.

      Show
      add following roles to "etc/artemis.profile" file for "-Dhawtio.role" option: -Dhawtio.role=amq,team.apple,team.banana,team.cherry,team.melon,team.orange  modify "etc/broker.xml" file to add all pre-defined addresses as attached broker.xml <addresses> section.  modify "etc/broker.xml" file to change "send" permission in <security-setting> section for "#", like:  <security-setting match="#">     ...         <permission type="send" roles="amq,team.apple,team.banana,team.cherry,team.melon,team.orange"/> ... </security-setting> This permission allows you to invoke "Send Message" on all queues with appropriate "send" permissions. copy over attached management.xml to your "etc/" folder to overwrite the original one; Please note, the password for all users is "password" in attached "artemis-users.properties.

      We use the <role-access> element to define how roles are mapped to particular MBeans and their attributes and methods.

      Mapping roles to a specific queue in a domain works fine. But when mapping roles to all queue names that include a specified prefix with a wildcard "*", it does not work consistently. For instance, following configuration in management.xml matches roles to any queue name starts with "apple", "cherry" and "melon" respectively:

                 <match domain="org.apache.activemq.artemis" key="queue=apple*">
                      <access method="list*" roles="admin,acl.amq.admin,acl.amq.view,team.apple"/>
                      <access method="get*" roles="admin,acl.amq.admin,acl.amq.view,team.apple"/>
                      <access method="is*" roles="admin,acl.amq.admin,acl.amq.view,team.apple"/>
                      <access method="browse*" roles="admin,acl.amq.admin,acl.amq.view,team.apple"/>
                      <access method="count*" roles="admin,acl.amq.admin,acl.amq.view,team.apple"/>
                      <access method="send*" roles="admin,acl.amq.admin,team.apple"/>
                      <access method="set*" roles="admin,acl.amq.admin,team.apple"/>
                      <access method="*" roles="admin,acl.amq.admin,team.apple"/>
                  </match>
      
                  <match domain="org.apache.activemq.artemis" key="queue=cherry*">
                      <access method="list*" roles="admin,acl.amq.admin,acl.amq.view,team.cherry"/>
                      <access method="get*" roles="admin,acl.amq.admin,acl.amq.view,team.cherry"/>
                      <access method="is*" roles="admin,acl.amq.admin,acl.amq.view,team.cherry"/>
                      <access method="browse*" roles="admin,acl.amq.admin,acl.amq.view,team.cherry"/>
                      <access method="count*" roles="admin,acl.amq.admin,acl.amq.view,team.cherry"/>
                      <access method="send*" roles="admin,acl.amq.admin,team.cherry"/>
                      <access method="set*" roles="admin,acl.amq.admin,team.cherry"/>
                      <access method="*" roles="admin,acl.amq.admin,team.cherry"/>
                  </match>
      
                  <match domain="org.apache.activemq.artemis" key="queue=melon*">
                      <access method="list*" roles="admin,acl.amq.admin,acl.amq.view,team.melon"/>
                      <access method="get*" roles="admin,acl.amq.admin,acl.amq.view,team.melon"/>
                      <access method="is*" roles="admin,acl.amq.admin,acl.amq.view,team.melon"/>
                      <access method="browse*" roles="admin,acl.amq.admin,acl.amq.view,team.melon"/>
                      <access method="count**" roles="admin,acl.amq.admin,acl.amq.view,team.melon"/>
                      <access method="send*" roles="admin,acl.amq.admin,team.melon"/>
                      <access method="set*" roles="admin,acl.amq.admin,team.melon"/>
                      <access method="*" roles="admin,acl.amq.admin,team.melon"/>
                  </match>
      

      and artemis-roles.properties:

      amq = admin
      acl.amq.view = apple.user,banana.user,cherry.user,melon.user,orange.user
      team.apple = apple.user
      team.banana = banana.user
      team.cherry = cherry.user
      team.melon = melon.user
      team.orange = orange.user
      

       
      When login to Hawtio Web Console using "cherry.user" and click on the queue "cherry-event-log", I was getting:

      INFO  | qtp2116179210-38 | Logging in user: cherry.user
      
      2021-10-08 19:36:31,167 INFO  [org.apache.activemq.artemis.core.server] org.apache.activemq.artemis:broker="0.0.0.0" createAddress false
      
      2021-10-08 19:36:31,175 INFO  [org.apache.activemq.artemis.core.server] org.apache.activemq.artemis:broker="0.0.0.0" deleteAddress false
      
      2021-10-08 19:36:31,181 INFO  [org.apache.activemq.artemis.core.server] org.apache.activemq.artemis:broker="0.0.0.0" createQueue false
      
      2021-10-08 19:36:31,188 INFO  [org.apache.activemq.artemis.core.server] org.apache.activemq.artemis:broker="0.0.0.0" destroyQueue false
      
      2021-10-08 19:36:38,570 INFO  [org.apache.activemq.artemis.core.server] org.apache.activemq.artemis:broker="0.0.0.0" createAddress false
      
      2021-10-08 19:36:38,578 INFO  [org.apache.activemq.artemis.core.server] org.apache.activemq.artemis:broker="0.0.0.0" deleteAddress false
      
      2021-10-08 19:36:38,584 INFO  [org.apache.activemq.artemis.core.server] org.apache.activemq.artemis:broker="0.0.0.0" createQueue false
      
      2021-10-08 19:36:38,589 INFO  [org.apache.activemq.artemis.core.server] org.apache.activemq.artemis:broker="0.0.0.0" destroyQueue false
      
      2021-10-08 19:36:43,238 INFO  [org.apache.activemq.artemis.core.server] org.apache.activemq.artemis:broker="0.0.0.0",component=addresses,address="cherry-event-log",subcomponent=queues,routing-type="anycast",queue="cherry-event-log" sendMessage false
      
      2021-10-08 19:36:43,245 INFO  [org.apache.activemq.artemis.core.server] org.apache.activemq.artemis:broker="0.0.0.0",component=addresses,address="cherry-event-log",subcomponent=queues,routing-type="anycast",queue="cherry-event-log" browse false
      

      I was expecting that the user "cherry.user" should be able to "send" and "browse" messages on the queue "cherry-event-log" because of the matching rule configuration in management.xml for the queue "cherry*". But it wasn't the case.

      When login using "apple.user", I was able to "send" and "browse" messages on the queue "apple-import" or "apple-import-error" queues as expected, however.

      But when I was accessing the queue "melon-error" using the user "apple.user", I was expecting that the user "apple.user" should be able to "browse" the queue since the "apple.user" belongs to role "acl.amq.view" and the role "acl.amq.view" should allow "browse" operation on any queue starts with prefix "melon" based on the matching rule configuration for "melon*" queue (with wildcard "*") in the management.xml. Obviously, it wasn't the case either:

      2021-10-11 11:57:35,661 INFO  [org.apache.activemq.artemis.core.server] org.apache.activemq.artemis:broker="0.0.0.0",component=addresses,address="melon-error",subcomponent=queues,routing-type="anycast",queue="melon-error" sendMessage false
      2021-10-11 11:57:35,668 INFO  [org.apache.activemq.artemis.core.server] org.apache.activemq.artemis:broker="0.0.0.0",component=addresses,address="melon-error",subcomponent=queues,routing-type="anycast",queue="melon-error" browse false
      

       

              dbruscin Domenico Francesco Bruscino
              rhn-support-qluo Joe Luo
              Roman Vais Roman Vais (Inactive)
              Votes:
              1 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: