Hi,
With 1.x we had configured security settings and topics as below:
<jms xmlns="urn:activemq:jms">
  <queue name="DLQ"/>
  <queue name="ExpiryQueue"/>
  <queue name="divertQueue1"/>
  <queue name="divertQueue2"/>
  <topic name="exampleTopic"/>
  <topic name="divertTopic"/>
</jms>
<security-settings>
  <security-setting match="jms.queue.#">
    <permission type="createDurableQueue" roles="admin"/>
    <permission type="deleteDurableQueue" roles="admin"/>
    <permission type="createNonDurableQueue" roles="admin"/>
    <permission type="deleteNonDurableQueue" roles="admin"/>
    <permission type="consume" roles="admin"/>
    <permission type="send" roles="admin"/>
  </security-setting>
  <security-setting match="jms.topic.#">
    <permission type="createDurableQueue" roles="admin"/>
    <permission type="deleteDurableQueue" roles="admin"/>
    <permission type="createNonDurableQueue" roles="admin"/>
    <permission type="deleteNonDurableQueue" roles="admin"/>
    <permission type="consume" roles="admin"/>
    <permission type="send" roles="admin"/>
  </security-setting>
</security-settings>
With the move to 2.x, I ran the migrate1x command. That changed my jms declaration
as below:
<addresses>
  <address name="ExpiryQueue">
    <anycast>
      <queue name="ExpiryQueue"/>
    </anycast>
  </address>
  <address name="exampleTopic">
    <multicast/>
  </address>
  <address name="DLQ">
    <anycast>
      <queue name="DLQ"/>
    </anycast>
  </address>
  <address name="divertQueue2">
    <anycast>
      <queue name="divertQueue2"/>
    </anycast>
  </address>
  <address name="divertTopic">
    <multicast/>
  </address>
  <address name="divertQueue1">
    <anycast>
      <queue name="divertQueue1"/>
    </anycast>
  </address>
</addresses>
I see two issues with it. The first is that the security settings did not change. If
the previous convention was to add 'jms.queue' and 'jms.topic', then I think
the migrate command can take care of it.
To fix this I updated the acceptor to add the prefixes:
<acceptor name="netty-acceptor">tcp://localhost:61616?anycastPrefix=jms.queue.;multicastPrefix=jms.topic.</acceptor>
But it still fails with the error message below. Notice that it is not giving
the right address name:
Caused by: javax.jms.JMSSecurityException: AMQ119032: User: admin does not have permission='CREATE_DURABLE_QUEUE' on address ykkUjHVg
    at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:412)
    at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:322)
    at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQSessionContext.createQueue(ActiveMQSessionContext.java:635)
    at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.internalCreateQueue(ClientSessionImpl.java:1836)
    at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.createQueue(ClientSessionImpl.java:389)
    at org.apache.activemq.artemis.jms.client.ActiveMQSession.createConsumer(ActiveMQSession.java:670)
    at org.apache.activemq.artemis.jms.client.ActiveMQSession.createConsumer(ActiveMQSession.java:359)
    at org.apache.activemq.artemis.jms.client.ActiveMQSession.createConsumer(ActiveMQSession.java:331)
    at org.apache.activemq.artemis.jms.client.ActiveMQJMSContext.createConsumer(ActiveMQJMSContext.java:371)
    ... 29 more
Caused by: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ119032: User: admin does not have permission='CREATE_DURABLE_QUEUE' on address ykkUjHVg]
    ... 38 more
Please let me know if I am doing anything wrong. Do I need to change my
address setting manually? If I set it to the generic '#' then it works fine.
--
View this message in context:
http://activemq.2283324.n4.nabble.com/Artemis-2-0-Security-settings-tp4726174.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
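
An added example, not part of the original post and not ActiveMQ project code: a check that lists the addresses in a migrated broker.xml that no security-setting match pattern covers, using the Artemis default wildcard syntax. The embedded XML is a constructed sample built from the post's configuration (the `<core>` wrapper and the helper names are assumptions).

```python
import xml.etree.ElementTree as ET

# Constructed sample: three of the migrated addresses and the unchanged 1.x
# match patterns from the post; the urn:activemq:core wrapper is assumed.
BROKER_XML = """
<core xmlns="urn:activemq:core">
  <security-settings>
    <security-setting match="jms.queue.#"/>
    <security-setting match="jms.topic.#"/>
  </security-settings>
  <addresses>
    <address name="ExpiryQueue"><anycast><queue name="ExpiryQueue"/></anycast></address>
    <address name="exampleTopic"><multicast/></address>
    <address name="DLQ"><anycast><queue name="DLQ"/></anycast></address>
  </addresses>
</core>
"""

def matches(pattern, address):
    """Artemis default wildcards: '.' separates words, '*' matches exactly
    one word, '#' matches any sequence of zero or more words."""
    def walk(p, a):
        if not p:
            return not a
        if p[0] == "#":
            return any(walk(p[1:], a[i:]) for i in range(len(a) + 1))
        if not a:
            return False
        return p[0] in ("*", a[0]) and walk(p[1:], a[1:])
    return walk(pattern.split("."), address.split("."))

def _attrs(root, tag, attr):
    # Compare local names so the check works with or without an XML namespace.
    return [e.get(attr) for e in root.iter() if e.tag.rsplit("}", 1)[-1] == tag]

def uncovered_addresses(xml_text):
    """Return address names that no security-setting match pattern covers."""
    root = ET.fromstring(xml_text)
    patterns = _attrs(root, "security-setting", "match")
    return [name for name in _attrs(root, "address", "name")
            if not any(matches(p, name) for p in patterns)]

if __name__ == "__main__":
    for name in uncovered_addresses(BROKER_XML):
        print("no security-setting matches address:", name)
```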