ENTMQBR-8452 (AMQ Broker)

amqp - AuditLogs reports anonymous user instead of logged in on failed security check for consume/produce


    • Type: Bug
    • Resolution: Done

      Looking at some tests on auditing, I found an interesting issue: this works fine for the core protocol but fails on AMQP (the bundled client is the fastest way to reproduce).

      2023-09-28 19:35:36,701 [AUDIT](Thread-12 (activemq-netty-threads)) AMQ601264: User anonymous@192.168.64.2:50456 gets security check failure, reason = AMQ229213: User: alice does not have permission='CONSUME' for queue myQueue on address myAddress

      I believe we already know this anonymous user is Alice.

       

      This is the core protocol entry in audit.log:

      2023-09-28 18:44:28,084 [AUDIT](Thread-1 (ActiveMQ-server-org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl$6@4525d1d3)) AMQ601264: User alice(senders)@172.28.0.2:38566 gets security check failure, reason = AMQ229213: User: alice does not have permission='CONSUME' for queue myQueue on address myAddress
      
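As an added example (not from this report or the AMQ Broker project), a small parser over the two AMQ601264 audit lines quoted above; it recovers the authenticated user from the AMQ229213 reason text when the line prefix says "anonymous", so a log consumer can still attribute the denied CONSUME to alice while this bug is open. The sample log text is constructed from the lines in this report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two AMQ601264 entries quoted in this report (AMQP consumer logged
# as "anonymous", core-protocol consumer logged as "alice(senders)"), both denied CONSUME.
SAMPLE_AUDIT_LOG = """\
2023-09-28 19:35:36,701 [AUDIT](Thread-12 (activemq-netty-threads)) AMQ601264: User anonymous@192.168.64.2:50456 gets security check failure, reason = AMQ229213: User: alice does not have permission='CONSUME' for queue myQueue on address myAddress
2023-09-28 18:44:28,084 [AUDIT](Thread-1 (ActiveMQ-server-org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl$6@4525d1d3)) AMQ601264: User alice(senders)@172.28.0.2:38566 gets security check failure, reason = AMQ229213: User: alice does not have permission='CONSUME' for queue myQueue on address myAddress
"""

# Layout: "User <principal>[(roles)]@<host:port> gets security check failure,
# reason = AMQ229213: User: <user> does not have permission='<PERM>' for queue <q> on address <a>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[AUDIT\].*?AMQ601264: User (?P<principal>[^@(]+)(?:\((?P<roles>[^)]*)\))?"
    r"@(?P<remote>\S+) gets security check failure, reason = AMQ229213: User: (?P<user>\S+) "
    r"does not have permission='(?P<perm>[^']+)' for queue (?P<queue>\S+) on address (?P<address>\S+)$"
)

@dataclass
class DeniedAccess:
    timestamp: str
    principal: str            # identity in the "User ..." prefix; "anonymous" on the AMQP path
    roles: Optional[str]      # role list in parentheses, absent on the AMQP line
    remote: str               # client host:port
    user: str                 # identity the AMQ229213 reason names (the authenticated user)
    permission: str
    queue: str
    address: str

    @property
    def misattributed(self) -> bool:
        """True when the prefix does not name the user the reason text does (the bug above)."""
        return self.principal != self.user

def parse_audit_log(text: str) -> List[DeniedAccess]:
    """Return one record per AMQ601264 security-check failure in an audit.log excerpt."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(DeniedAccess(m["ts"], m["principal"], m["roles"], m["remote"],
                                        m["user"], m["perm"], m["queue"], m["address"]))
    return records

def effective_user(rec: DeniedAccess) -> str:
    """User to attribute the denial to: use the reason's user when the prefix is anonymous."""
    return rec.user if rec.principal == "anonymous" else rec.principal
```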

      Easily reproducible with this command:

      Executing command /var/lib/artemis-instance/bin/artemis consumer --url tcp://artemis-margot:61616 --protocol amqp --destination fqqn://myAddress::myQueue --message-count 5 --user alice --password alice
      

      broker.xml and the users were updated accordingly (and audit logging was enabled in the log4j2 file):

      <security-settings>
         <security-setting match="#">
            <permission type="createNonDurableQueue" roles="amq,senders,receivers"/>
            <permission type="deleteNonDurableQueue" roles="amq"/>
            <permission type="createDurableQueue" roles="amq,senders,receivers"/>
            <permission type="deleteDurableQueue" roles="amq"/>
            <permission type="createAddress" roles="amq,senders,receivers"/>
            <permission type="deleteAddress" roles="amq"/>
            <permission type="consume" roles="amq,receivers"/>
            <permission type="browse" roles="amq,senders,receivers"/>
            <permission type="send" roles="amq,senders"/>
            <permission type="manage" roles="amq"/>
         </security-setting>
      </security-settings>
      

      Roles

      amq = admin
      senders = alice,charlie
      receivers = bob,charlie
      

      Users

      admin = admin
      alice = alice
      bob = bob
      charlie = charlie
      

              Assignee: Unassigned
              Reporter: Michal Toth (mtoth@redhat.com)
