Bug
Resolution: Done
Looking at some tests on auditing, I found this interesting issue, which works fine for the core protocol but fails on AMQP (the bundled client is the fastest way to reproduce).
User anonymous@192.168.64.2:50456 gets security check failure, reason = AMQ229213: User: alice
2023-09-28 19:35:36,701 [AUDIT](Thread-12 (activemq-netty-threads)) AMQ601264: User anonymous@192.168.64.2:50456 gets security check failure, reason = AMQ229213: User: alice does not have permission='CONSUME' for queue myQueue on address myAddress AMQ601264: User anonymous@192.168.64.2:50456
I believe we already know this anonymous user is Alice.
This is core protocol in audit.log
2023-09-28 18:44:28,084 [AUDIT](Thread-1 (ActiveMQ-server-org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl$6@4525d1d3)) AMQ601264: User alice(senders)@172.28.0.2:38566 gets security check failure, reason = AMQ229213: User: alice does not have permission='CONSUME' for queue myQueue on address myAddress
Easily reproducible with command
Executing command /var/lib/artemis-instance/bin/artemis consumer --url tcp://artemis-margot:61616 --protocol amqp --destination fqqn://myAddress::myQueue --message-count 5 --user alice --password alice
Updated broker.xml & users accordingly (+ enable audit logs in log4j2 file)
<security-settings>
   <security-setting match="#">
      <permission type="createNonDurableQueue" roles="amq,senders,receivers"/>
      <permission type="deleteNonDurableQueue" roles="amq"/>
      <permission type="createDurableQueue" roles="amq,senders,receivers"/>
      <permission type="deleteDurableQueue" roles="amq"/>
      <permission type="createAddress" roles="amq,senders,receivers"/>
      <permission type="deleteAddress" roles="amq"/>
      <permission type="consume" roles="amq,receivers"/>
      <permission type="browse" roles="amq,senders,receivers"/>
      <permission type="send" roles="amq,senders"/>
      <permission type="manage" roles="amq"/>
   </security-setting>
</security-settings>
roles
amq = admin
senders = alice,charlie
receivers = bob,charlie
Users
admin = admin
alice = alice
bob = bob
charlie = charlie
is related to
- ENTMQBR-8520 Incorrect username logging in AMQ601264 events & missing address creation event AMQ601262 (Closed)
- ENTMQBR-8339 Incorrect username logging in AMQ601264 events (Closed)
- ENTMQBR-8448 [QE] Create tests for audit logging (Resolved)
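
A check for the mismatch reported above, as an added example that is not part of the issue or of the Artemis code base: it parses AMQ601264 audit events and flags those whose audit subject differs from the user named in the embedded AMQ229213 reason. The function names are hypothetical, and the sample lines are the two audit.log lines quoted in the report, with the trailing repeated fragment of the AMQP line dropped.

```python
import re

# AMQ601264 audit event: "User <subject>@<ip:port> gets security check failure, reason = ..."
EVENT = re.compile(r"AMQ601264: User (?P<subject>[^@\s]+)@(?P<remote>\S+) "
                   r"gets security check failure, reason = (?P<reason>.*)")
# The AMQ229213 reason text names the user whose permission check failed.
REASON = re.compile(r"AMQ229213: User: (?P<user>\S+) does not have "
                    r"permission='(?P<perm>\w+)'")
# The core-protocol line prints the subject as name(roles), e.g. alice(senders).
SUBJECT = re.compile(r"(?P<name>[^()]+)(?:\((?P<roles>[^)]*)\))?$")

# Sample input: the AMQP line and the core-protocol line from the report.
SAMPLE_LINES = [
    "2023-09-28 19:35:36,701 [AUDIT](Thread-12 (activemq-netty-threads)) "
    "AMQ601264: User anonymous@192.168.64.2:50456 gets security check failure, "
    "reason = AMQ229213: User: alice does not have permission='CONSUME' "
    "for queue myQueue on address myAddress",
    "2023-09-28 18:44:28,084 [AUDIT](Thread-1 (ActiveMQ-server-org.apache."
    "activemq.artemis.core.server.impl.ActiveMQServerImpl$6@4525d1d3)) "
    "AMQ601264: User alice(senders)@172.28.0.2:38566 gets security check failure, "
    "reason = AMQ229213: User: alice does not have permission='CONSUME' "
    "for queue myQueue on address myAddress",
]

def parse_event(line):
    """Return the fields of one AMQ601264 event, or None for any other line."""
    event = EVENT.search(line)
    reason = REASON.search(event["reason"]) if event else None
    if not reason:
        return None
    subject = SUBJECT.match(event["subject"])
    return {
        "subject": subject["name"] if subject else event["subject"],
        "roles": subject["roles"] if subject else None,
        "remote": event["remote"],
        "denied_user": reason["user"],
        "permission": reason["perm"],
    }

def find_mismatches(lines):
    """Events whose audit subject differs from the user named in the denial."""
    events = filter(None, map(parse_event, lines))
    return [e for e in events if e["subject"] != e["denied_user"]]

if __name__ == "__main__":
    for e in find_mismatches(SAMPLE_LINES):
        print(f"{e['remote']}: subject {e['subject']!r}, denial names {e['denied_user']!r}")
```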