Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Undefined
Fix Version/s: None
Affects Version/s: None
Component/s: None
Labels:
None

Blocked:
False
Blocked Reason:
None
Ready:
False
Intelligence Requested:
Market:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Looking at some tests on auditing and found this is an interesting issue, which works fine for core protocol, but fails on AMQP (bundled client fastest to reproduce)

User anonymous@192.168.64.2:50456 gets security check failure, reason = AMQ229213: User: alice

2023-09-28 19:35:36,701 [AUDIT](Thread-12 (activemq-netty-threads)) AMQ601264: User anonymous@192.168.64.2:50456 gets security check failure, reason = AMQ229213: User: alice does not have permission='CONSUME' for queue myQueue on address myAddress
AMQ601264: User anonymous@192.168.64.2:50456

I believe we already know this anonymous user is Alice.

This is core protocol in audit.log

2023-09-28 18:44:28,084 [AUDIT](Thread-1 (ActiveMQ-server-org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl$6@4525d1d3)) AMQ601264: User alice(senders)@172.28.0.2:38566 gets security check failure, reason = AMQ229213: User: alice does not have permission='CONSUME' for queue myQueue on address myAddress

Easily reproducible with command

Executing command /var/lib/artemis-instance/bin/artemis consumer --url tcp://artemis-margot:61616 --protocol amqp --destination fqqn://myAddress::myQueue --message-count 5 --user alice --password alice

Updated broker.xml & users accordingly (+ enable audit logs in log4j2 file)

<security-settings>
         <security-setting match="#">
            <permission type="createNonDurableQueue" roles="amq,senders,receivers"/>
            <permission type="deleteNonDurableQueue" roles="amq"/>
            <permission type="createDurableQueue" roles="amq,senders,receivers"/>
            <permission type="deleteDurableQueue" roles="amq"/>
            <permission type="createAddress" roles="amq,senders,receivers"/>
            <permission type="deleteAddress" roles="amq"/>
            <permission type="consume" roles="amq,receivers"/>
            <permission type="browse" roles="amq,senders,receivers"/>
            <permission type="send" roles="amq,senders"/>
            <permission type="manage" roles="amq"/>
         </security-setting>
      </security-settings>

roles

amq = admin
senders = alice,charlie
receivers = bob,charlie

Users

admin = admin
alice = alice
bob = bob
charlie = charlie

is related to

ENTMQBR-8520 Incorrect username logging in AMQ601264 events & missing address creation event AMQ601262

Closed

ENTMQBR-8339 Incorrect username logging in AMQ601264 events

Closed

ENTMQBR-8448 [QE] Create tests for audit logging

Resolved

Assignee:: Unassigned

Reporter:: Michal Toth

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2023/09/29 8:47 AM

Updated:: 2023/10/18 9:21 AM

Resolved:: 2023/10/02 9:06 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates