Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Undefined
Fix Version/s: None
Affects Version/s: None
Component/s: amqp-protocol, broker-core
Labels:
- CR1
- upstream-test-coverage

Story Points:
1
Blocked:
False
Blocked Reason:
None
Ready:
False
GSS Priority:
Target Release:

AMQ 7.12.2.GA
Upstream Jira:
https://issues.apache.org/jira/browse/ARTEMIS-4982
Steps to Reproduce:
Hide

1. Create a broker with multiple roles and with the send permission restricted to one role. I used guest for the read-only role:

<security-settings> <security-setting match="#"> <permission type="createNonDurableQueue" roles="amq,guest"/> <permission type="deleteNonDurableQueue" roles="amq,guest"/> <permission type="createDurableQueue" roles="amq,guest"/> <permission type="deleteDurableQueue" roles="amq,guest"/> <permission type="createAddress" roles="amq,guest"/> <permission type="deleteAddress" roles="amq,guest"/> <permission type="consume" roles="amq,guest"/> <permission type="browse" roles="amq,guest"/> <permission type="send" roles="amq"/>  <permission type="manage" roles="amq"/> </security-setting> </security-settings>

2. Create user with the "guest" role.
3. Send large messages to the broker using the guest role
4. Examine the large-messages directory of the broker. Some large messages are written to the directory, despite the rejection of the send operation
Show
1. Create a broker with multiple roles and with the send permission restricted to one role. I used guest for the read-only role: <security-settings> <security-setting match="#"> <permission type="createNonDurableQueue" roles="amq,guest"/> <permission type="deleteNonDurableQueue" roles="amq,guest"/> <permission type="createDurableQueue" roles="amq,guest"/> <permission type="deleteDurableQueue" roles="amq,guest"/> <permission type="createAddress" roles="amq,guest"/> <permission type="deleteAddress" roles="amq,guest"/> <permission type="consume" roles="amq,guest"/> <permission type="browse" roles="amq,guest"/> <permission type="send" roles="amq"/>  <permission type="manage" roles="amq"/> </security-setting> </security-settings> 2. Create user with the "guest" role. 3. Send large messages to the broker using the guest role 4. Examine the large-messages directory of the broker. Some large messages are written to the directory, despite the rejection of the send operation
Intelligence Requested:
Market:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

If an AMQP client authenticates, but tries sending large messages to a destination, the sender correctly receives an error:

javax.jms.JMSSecurityException: AMQ119017: not authorized to create producer, AMQ229032: User: client2 does not have permission='SEND' on address TEST.Q.0 [condition = amqp:unauthorized-access]
	at org.apache.qpid.jms.provider.exceptions.ProviderSecurityException.toJMSException(ProviderSecurityException.java:41)
	at org.apache.qpid.jms.provider.exceptions.ProviderSecurityException.toJMSException(ProviderSecurityException.java:27)
	at org.apache.qpid.jms.exceptions.JmsExceptionSupport.create(JmsExceptionSupport.java:80)
	at org.apache.qpid.jms.exceptions.JmsExceptionSupport.create(JmsExceptionSupport.java:112)
	at org.apache.qpid.jms.JmsConnection.createResource(JmsConnection.java:698)
	at org.apache.qpid.jms.JmsMessageProducer.<init>(JmsMessageProducer.java:73)
	at org.apache.qpid.jms.JmsSession.createProducer(JmsSession.java:676)
	at org.fusebyexample.amqp.client.simple.ProducerThread.run(ProducerThread.java:226)
Caused by: org.apache.qpid.jms.provider.exceptions.ProviderSecurityException: AMQ119017: not authorized to create producer, AMQ229032: User: client2 does not have permission='SEND' on address TEST.Q.0 [condition = amqp:unauthorized-access]
	at org.apache.qpid.jms.provider.amqp.AmqpSupport.convertToNonFatalException(AmqpSupport.java:173)
	at org.apache.qpid.jms.provider.amqp.builders.AmqpResourceBuilder.getOpenAbortExceptionFromRemote(AmqpResourceBuilder.java:305)
	at org.apache.qpid.jms.provider.amqp.builders.AmqpResourceBuilder.handleClosed(AmqpResourceBuilder.java:191)
	at org.apache.qpid.jms.provider.amqp.builders.AmqpResourceBuilder.processRemoteClose(AmqpResourceBuilder.java:132)
	at org.apache.qpid.jms.provider.amqp.AmqpProvider.processUpdates(AmqpProvider.java:992)
	at org.apache.qpid.jms.provider.amqp.AmqpProvider.onData(AmqpProvider.java:878)
	at org.apache.qpid.jms.transports.netty.NettyTcpTransport$NettyTcpTransportHandler.channelRead0(NettyTcpTransport.java:548)
	at org.apache.qpid.jms.transports.netty.NettyTcpTransport$NettyTcpTransportHandler.channelRead0(NettyTcpTransport.java:541)
	at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:99)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1373)
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1236)
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1285)
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
	at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:800)
	at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:499)
	at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:397)
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at java.base/java.lang.Thread.run(Thread.java:840)

and in the broker log:

 2024-08-08 12:25:44,740 WARN  [org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback] AMQ229032: User: client2 does not have permission='SEND' on address TEST.Q.0
org.apache.activemq.artemis.api.core.ActiveMQSecurityException: AMQ229032: User: client2 does not have permission='SEND' on address TEST.Q.0
	at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:318) ~[artemis-server-2.33.0.redhat-00013.jar:2.33.0.redhat-00013]
	at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.securityCheck(ServerSessionImpl.java:517) ~[artemis-server-2.33.0.redhat-00013.jar:2.33.0.redhat-00013]
	at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.doSend(ServerSessionImpl.java:2329) ~[artemis-server-2.33.0.redhat-00013.jar:2.33.0.redhat-00013]
	at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.send(ServerSessionImpl.java:1962) ~[artemis-server-2.33.0.redhat-00013.jar:2.33.0.redhat-00013]
	at org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback.inSessionSend(AMQPSessionCallback.java:559) ~[artemis-amqp-protocol-2.33.0.redhat-00013.jar:2.33.0.redhat-00013]
	at org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback.lambda$serverSend$2(AMQPSessionCallback.java:518) ~[artemis-amqp-protocol-2.33.0.redhat-00013.jar:2.33.0.redhat-00013]
	at org.apache.activemq.artemis.utils.actors.OrderedExecutor.doTask(OrderedExecutor.java:57) ~[artemis-commons-2.33.0.redhat-00013.jar:2.33.0.redhat-00013]
	at org.apache.activemq.artemis.utils.actors.OrderedExecutor.doTask(OrderedExecutor.java:32) ~[artemis-commons-2.33.0.redhat-00013.jar:2.33.0.redhat-00013]
	at org.apache.activemq.artemis.utils.actors.ProcessorBase.executePendingTasks(ProcessorBase.java:68) ~[artemis-commons-2.33.0.redhat-00013.jar:2.33.0.redhat-00013]
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
	at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118) [artemis-commons-2.33.0.redhat-00013.jar:2.33.0.redhat-00013]
2024-08-08 12:25:47,627 INFO  [org.apache.activemq.artemis.protocol.amqp.logger] AMQ111002:

But an inspection of the large-messages directory reveals that large messages are still written to disk, even though the message count on the broker shows as 0 for the address / queue.

Assignee:: Tim Bish

Reporter:: Duane Hawkins

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2024/08/08 4:35 PM

Updated:: 2024/10/02 11:42 AM

Resolved:: 2024/08/31 7:15 AM

Details

Description

Attachments

Activity

People

Dates