- Bug
- Resolution: Done
- Major
- AMQ 7.8.2.GA
We use the <role-access> element to define how roles are mapped to particular MBeans and their attributes and methods.
Mapping roles to a specific queue in a domain works fine. But when mapping roles to all queue names that include a specified prefix with a wildcard "*", it does not work consistently. For instance, the following configuration in management.xml maps roles to any queue name that starts with "apple", "cherry" or "melon" respectively:

    <match domain="org.apache.activemq.artemis" key="queue=apple*">
        <access method="list*" roles="admin,acl.amq.admin,acl.amq.view,team.apple"/>
        <access method="get*" roles="admin,acl.amq.admin,acl.amq.view,team.apple"/>
        <access method="is*" roles="admin,acl.amq.admin,acl.amq.view,team.apple"/>
        <access method="browse*" roles="admin,acl.amq.admin,acl.amq.view,team.apple"/>
        <access method="count*" roles="admin,acl.amq.admin,acl.amq.view,team.apple"/>
        <access method="send*" roles="admin,acl.amq.admin,team.apple"/>
        <access method="set*" roles="admin,acl.amq.admin,team.apple"/>
        <access method="*" roles="admin,acl.amq.admin,team.apple"/>
    </match>
    <match domain="org.apache.activemq.artemis" key="queue=cherry*">
        <access method="list*" roles="admin,acl.amq.admin,acl.amq.view,team.cherry"/>
        <access method="get*" roles="admin,acl.amq.admin,acl.amq.view,team.cherry"/>
        <access method="is*" roles="admin,acl.amq.admin,acl.amq.view,team.cherry"/>
        <access method="browse*" roles="admin,acl.amq.admin,acl.amq.view,team.cherry"/>
        <access method="count*" roles="admin,acl.amq.admin,acl.amq.view,team.cherry"/>
        <access method="send*" roles="admin,acl.amq.admin,team.cherry"/>
        <access method="set*" roles="admin,acl.amq.admin,team.cherry"/>
        <access method="*" roles="admin,acl.amq.admin,team.cherry"/>
    </match>
    <match domain="org.apache.activemq.artemis" key="queue=melon*">
        <access method="list*" roles="admin,acl.amq.admin,acl.amq.view,team.melon"/>
        <access method="get*" roles="admin,acl.amq.admin,acl.amq.view,team.melon"/>
        <access method="is*" roles="admin,acl.amq.admin,acl.amq.view,team.melon"/>
        <access method="browse*" roles="admin,acl.amq.admin,acl.amq.view,team.melon"/>
        <access method="count**" roles="admin,acl.amq.admin,acl.amq.view,team.melon"/>
        <access method="send*" roles="admin,acl.amq.admin,team.melon"/>
        <access method="set*" roles="admin,acl.amq.admin,team.melon"/>
        <access method="*" roles="admin,acl.amq.admin,team.melon"/>
    </match>
and artemis-roles.properties:
    amq = admin
    acl.amq.view = apple.user,banana.user,cherry.user,melon.user,orange.user
    team.apple = apple.user
    team.banana = banana.user
    team.cherry = cherry.user
    team.melon = melon.user
    team.orange = orange.user
When logging in to the Hawtio Web Console as "cherry.user" and clicking on the queue "cherry-event-log", I was getting:

    INFO | qtp2116179210-38 | Logging in user: cherry.user
    2021-10-08 19:36:31,167 INFO [org.apache.activemq.artemis.core.server] org.apache.activemq.artemis:broker="0.0.0.0" createAddress false
    2021-10-08 19:36:31,175 INFO [org.apache.activemq.artemis.core.server] org.apache.activemq.artemis:broker="0.0.0.0" deleteAddress false
    2021-10-08 19:36:31,181 INFO [org.apache.activemq.artemis.core.server] org.apache.activemq.artemis:broker="0.0.0.0" createQueue false
    2021-10-08 19:36:31,188 INFO [org.apache.activemq.artemis.core.server] org.apache.activemq.artemis:broker="0.0.0.0" destroyQueue false
    2021-10-08 19:36:38,570 INFO [org.apache.activemq.artemis.core.server] org.apache.activemq.artemis:broker="0.0.0.0" createAddress false
    2021-10-08 19:36:38,578 INFO [org.apache.activemq.artemis.core.server] org.apache.activemq.artemis:broker="0.0.0.0" deleteAddress false
    2021-10-08 19:36:38,584 INFO [org.apache.activemq.artemis.core.server] org.apache.activemq.artemis:broker="0.0.0.0" createQueue false
    2021-10-08 19:36:38,589 INFO [org.apache.activemq.artemis.core.server] org.apache.activemq.artemis:broker="0.0.0.0" destroyQueue false
    2021-10-08 19:36:43,238 INFO [org.apache.activemq.artemis.core.server] org.apache.activemq.artemis:broker="0.0.0.0",component=addresses,address="cherry-event-log",subcomponent=queues,routing-type="anycast",queue="cherry-event-log" sendMessage false
    2021-10-08 19:36:43,245 INFO [org.apache.activemq.artemis.core.server] org.apache.activemq.artemis:broker="0.0.0.0",component=addresses,address="cherry-event-log",subcomponent=queues,routing-type="anycast",queue="cherry-event-log" browse false
I was expecting that the user "cherry.user" would be able to "send" and "browse" messages on the queue "cherry-event-log" because of the matching rule in management.xml for the queue "cherry*". But that wasn't the case.
When logging in as "apple.user", however, I was able to "send" and "browse" messages on the queues "apple-import" and "apple-import-error" as expected.
But when I accessed the queue "melon-error" as the user "apple.user", I was expecting that "apple.user" should be able to "browse" the queue, since "apple.user" belongs to the role "acl.amq.view" and that role should allow the "browse" operation on any queue that starts with the prefix "melon", based on the matching rule for the "melon*" queue (with the wildcard "*") in management.xml. Obviously, that wasn't the case either:

    2021-10-11 11:57:35,661 INFO [org.apache.activemq.artemis.core.server] org.apache.activemq.artemis:broker="0.0.0.0",component=addresses,address="melon-error",subcomponent=queues,routing-type="anycast",queue="melon-error" sendMessage false
    2021-10-11 11:57:35,668 INFO [org.apache.activemq.artemis.core.server] org.apache.activemq.artemis:broker="0.0.0.0",component=addresses,address="melon-error",subcomponent=queues,routing-type="anycast",queue="melon-error" browse false
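As an added example (not part of this report and not Artemis code), the Python script below encodes the reading of the <role-access> rules that the report assumes (the first <match> whose key pattern fits the MBean's queue property, then the first <access> whose method pattern fits, decides) and checks the broker's logged decisions against it, so a denial such as the "browse" on "cherry-event-log" shows up as a mismatch. The rule evaluation is an assumption about how the reporter expects wildcard matching to behave, not the broker's implementation; the XML, roles map and log lines are constructed from the report.

```python
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase
# Constructed excerpt of the report's management.xml, cut down to the cherry* match.
MANAGEMENT_XML = """<role-access>
  <match domain="org.apache.activemq.artemis" key="queue=cherry*">
    <access method="browse*" roles="admin,acl.amq.admin,acl.amq.view,team.cherry"/>
    <access method="send*" roles="admin,acl.amq.admin,team.cherry"/>
  </match>
</role-access>"""

# User -> roles, inverted from the artemis-roles.properties lines in the report.
USER_ROLES = {"cherry.user": {"acl.amq.view", "team.cherry"}, "apple.user": {"acl.amq.view", "team.apple"}}

# Tail of two broker log lines from the report (timestamp/logger prefix dropped); last token is the decision.
LOG_LINES = [
    'org.apache.activemq.artemis:broker="0.0.0.0" createQueue false',
    'org.apache.activemq.artemis:broker="0.0.0.0",component=addresses,address="cherry-event-log",'
    'subcomponent=queues,routing-type="anycast",queue="cherry-event-log" browse false',
]

def parse_rules(xml_text):
    # Flatten each <match> into (domain, key property, key pattern, [(method pattern, roles)]).
    rules = []
    for m in ET.fromstring(xml_text).iter("match"):
        prop, _, pattern = m.get("key").partition("=")
        accesses = [(a.get("method"), set(a.get("roles").split(","))) for a in m.iter("access")]
        rules.append((m.get("domain"), prop, pattern, accesses))
    return rules

def expected_allowed(rules, user, object_name, method):
    """The reporter's reading of the rules: first matching <match>, then first matching <access>."""
    domain, _, raw = object_name.partition(":")  # ObjectName is 'domain:k=v,k="v",...'
    props = {k: q or u for k, q, u in re.findall(r'([\w.-]+)=(?:"([^"]*)"|([^,]+))', raw)}
    for rule_domain, prop, pattern, accesses in rules:
        if rule_domain == domain and fnmatchcase(props.get(prop, ""), pattern):
            for method_pat, roles in accesses:
                if fnmatchcase(method, method_pat):
                    return bool(USER_ROLES.get(user, set()) & roles)
    return False  # no rule matched: deny

LOG_RE = re.compile(r"(\S+) (\w+) (true|false)$")
def audit(rules, user, log_lines):
    # Return (method, object name) pairs where the logged decision contradicts the rules.
    mismatches = []
    for line in log_lines:
        m = LOG_RE.search(line.strip())
        if m and expected_allowed(rules, user, m[1], m[2]) != (m[3] == "true"):
            mismatches.append((m[2], m[1]))
    return mismatches
```

Running audit(parse_rules(MANAGEMENT_XML), "cherry.user", LOG_LINES) returns only the "browse" entry for the cherry-event-log MBean, which is exactly the decision the report disputes; the unmatched createQueue line is consistent with the rules (no match means deny).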