> First is security settings did not change.  If previous convention was to add 
> 'jms.queue' and 'jms.topic' then I think migrate command can take care of it.

Agreed.

However, using anycastPrefix and multicastPrefix on your acceptor won't fix 
your security settings. Those should be updated so that they no longer use the 
prefix since your addresses and queues no longer use the prefix. The prefixes are 
mainly for legacy clients that still use the old conventions.


Justin

----- Original Message -----
From: "abhijith" <topcoderabhij...@gmail.com>
To: users@activemq.apache.org
Sent: Monday, May 15, 2017 3:51:46 PM
Subject: Artemis 2.0 Security settings

Hi,

With 1.x we had configured security settings and topic like below

 <jms xmlns="urn:activemq:jms">
        
        <queue name="DLQ"/>
        <queue name="ExpiryQueue"/>
        <queue name="divertQueue1"/>
        <queue name="divertQueue2"/>

        
        <topic name="exampleTopic"/>
        <topic name="divertTopic"/>
    </jms>

<security-settings>
            <security-setting match="jms.queue.#">
                <permission type="createDurableQueue" roles="admin"/>
                <permission type="deleteDurableQueue" roles="admin"/>
                <permission type="createNonDurableQueue" roles="admin"/>
                <permission type="deleteNonDurableQueue" roles="admin"/>
                <permission type="consume" roles="admin"/>
                <permission type="send" roles="admin"/>
            </security-setting>
            <security-setting match="jms.topic.#">
                <permission type="createDurableQueue" roles="admin"/>
                <permission type="deleteDurableQueue" roles="admin"/>
                <permission type="createNonDurableQueue" roles="admin"/>
                <permission type="deleteNonDurableQueue" roles="admin"/>
                <permission type="consume" roles="admin"/>
                <permission type="send" roles="admin"/>
            </security-setting>
        </security-settings>

With move to 2.x, I ran migrate1x command.  That changed my jms declaration
like below
<addresses>
            <address name="ExpiryQueue">
                <anycast>
                    <queue name="ExpiryQueue"/>
                </anycast>
            </address>
            <address name="exampleTopic">
                <multicast/>
            </address>
            <address name="DLQ">
                <anycast>
                    <queue name="DLQ"/>
                </anycast>
            </address>
            <address name="divertQueue2">
                <anycast>
                    <queue name="divertQueue2"/>
                </anycast>
            </address>
            <address name="divertTopic">
                <multicast/>
            </address>
            <address name="divertQueue1">
                <anycast>
                    <queue name="divertQueue1"/>
                </anycast>
            </address>
        </addresses>

I see two issues with it.  First is security settings did not change.  If
previous convention was to add 'jms.queue' and 'jms.topic' then I think
migrate command can take care of it.  
To fix this I updated acceptor to add prefix

<acceptor name="netty-acceptor">tcp://localhost:61616?anycastPrefix=jms.queue.;multicastPrefix=jms.topic.</acceptor>

But still it fails giving below error message.  Notice that it is not giving
right address name

Caused by: javax.jms.JMSSecurityException: AMQ119032: User: admin does not have permission='CREATE_DURABLE_QUEUE' on address ykkUjHVg
        at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:412)
        at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:322)
        at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQSessionContext.createQueue(ActiveMQSessionContext.java:635)
        at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.internalCreateQueue(ClientSessionImpl.java:1836)
        at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.createQueue(ClientSessionImpl.java:389)
        at org.apache.activemq.artemis.jms.client.ActiveMQSession.createConsumer(ActiveMQSession.java:670)
        at org.apache.activemq.artemis.jms.client.ActiveMQSession.createConsumer(ActiveMQSession.java:359)
        at org.apache.activemq.artemis.jms.client.ActiveMQSession.createConsumer(ActiveMQSession.java:331)
        at org.apache.activemq.artemis.jms.client.ActiveMQJMSContext.createConsumer(ActiveMQJMSContext.java:371)
        ... 29 more
Caused by: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ119032: User: admin does not have permission='CREATE_DURABLE_QUEUE' on address ykkUjHVg]
        ... 38 more

Please let me know if I am doing anything wrong?  Do I need to change my
address setting manually?  If I set it to generic '#' then it works fine.



--
View this message in context: 
http://activemq.2283324.n4.nabble.com/Artemis-2-0-Security-settings-tp4726174.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
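
Added example (not part of the original thread, and not Artemis code): a small Python audit that checks which security-setting matches cover each configured address, using the default Artemis wildcard syntax ('.' word delimiter, '*' one word, '#' zero or more words). The XML fragment is constructed from the configuration quoted above, and wildcard_match, strip_legacy_prefix and audit are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed fragment: post-migration addresses combined with the
# pre-migration security-setting matches, as described in the thread.
BROKER_XML = """
<core>
  <security-settings>
    <security-setting match="jms.queue.#"><permission type="send" roles="admin"/></security-setting>
    <security-setting match="jms.topic.#"><permission type="send" roles="admin"/></security-setting>
  </security-settings>
  <addresses>
    <address name="DLQ"><anycast><queue name="DLQ"/></anycast></address>
    <address name="exampleTopic"><multicast/></address>
  </addresses>
</core>
"""

LEGACY_PREFIXES = ("jms.queue.", "jms.topic.")  # the 1.x naming convention


def wildcard_match(pattern, address):
    """Match an address against a security-setting pattern, word by word."""
    def walk(p, a):
        if not p:
            return not a                      # pattern used up: address must be too
        if p[0] == "#":                       # '#' absorbs zero or more words
            return any(walk(p[1:], a[i:]) for i in range(len(a) + 1))
        return bool(a) and p[0] in ("*", a[0]) and walk(p[1:], a[1:])
    return walk(pattern.split("."), address.split("."))


def strip_legacy_prefix(match):
    """Drop a leading jms.queue. / jms.topic. from a match string."""
    for prefix in LEGACY_PREFIXES:
        if match.startswith(prefix):
            return match[len(prefix):]
    return match


def audit(xml_text, rewrite=False):
    """Return {address name: [security-setting matches that cover it]}."""
    root = ET.fromstring(xml_text)
    matches = [s.get("match") for s in root.iter("security-setting")]
    if rewrite:  # simulate updating the settings to drop the legacy prefix
        matches = sorted({strip_legacy_prefix(m) for m in matches})
    return {a.get("name"): [m for m in matches if wildcard_match(m, a.get("name"))]
            for a in root.iter("address")}


if __name__ == "__main__":
    print("as migrated:    ", audit(BROKER_XML))
    print("prefix stripped:", audit(BROKER_XML, rewrite=True))
```

With the settings as migrated, no address is covered by either match; once the prefix is stripped, both legacy matches collapse to '#', the setting the original poster reports as working.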
