Hi Benjamin, I see your point, the documentation doesn't include any help to create a read-only role for the management API. Feel free to send a PR[1] to improve the documentation[2] if you like or to raise a JIRA[3].

[1] https://github.com/apache/activemq-artemis/blob/main/docs/hacking-guide/en/code.md#typical-development-cycle
[2] https://github.com/apache/activemq-artemis/blob/main/docs/user-manual/en/management.md#role-based-authorisation-for-jmx
[3] https://issues.apache.org/jira/projects/ARTEMIS/issues

Thanks,
Domenico

On Mon, 14 Jun 2021 at 12:52, Benny K <ben...@gmx.net> wrote:

> Hi again,
>
> I think I found the solution on my own - for whom it may interest, please
> see my results and my comment:
> I am really not experienced in development, etc. I am just a little admin :-)
>
> - I just cloned the artemis-repo from github and did some greps, looking
>   for something like "list*", etc...
> - there was a lucky punch looking finally for "access method="list*""
>
> there is a file called
> artemis_github\activemq-artemis\artemis-cli\src\main\resources\org\apache\activemq\artemis\cli\commands\etc\management.xml
>
> and within this file there is a little hint:
>
> <!-- Note count and browse are need to access the browse tab in the console-->
> <access method="browse*" roles="${role}"/>
> <access method="count*" roles="${role}"/>
>
> I just updated my own management.xml like:
>
> <match domain="org.apache.activemq.artemis" key="subcomponent=queues">
>   <access method="list*" roles="view,update,amq"/>
>   <access method="get*" roles="view,update,amq"/>
>   <access method="is*" roles="view,update,amq"/>
>   <access method="set*" roles="view,update,amq"/>
>   <access method="browse*" roles="view,amq"/>
>   <access method="count*" roles="view,amq"/>
>   <access method="*" roles="amq"/>
> </match>
>
> Now my user "view" is able to browse queues without being able to delete
> messages.
>
> Now I would like to ask, why this is not documented in any way? I mean,
> not every active-mq-operator is experienced in figuring out this stuff..
> for me it was just luck this time...
> I think implementing "read-only-users" for the web-ui is a common
> approach/feature in so many different software.
>
> I would like to ask the project's maintainer to update the documentation. I
> mean you are teasing a "view"-role in default-configuration after fresh
> installs but it is not working without further configuration. How should a
> simple user like me know about other methods like browse* and count* if
> it is not written in the main-documentation?
>
> If I can help in some way please let me know :-) I would like to give
> something back to the community.
>
> Wish you a nice week, stay healthy and best regards
> Benjamin
>
> Sent: Monday, 14 June 2021 at 10:58
> From: "Benny K" <ben...@gmx.net>
> To: users@activemq.apache.org
> Subject: Artemis: Struggling with setting up a readyonly-user for web-console
>
> Hi people, hope you're doing fine!
> I am pretty new to Active MQ.. Never worked with "classic" or artemis
> before.
>
> I run a simple artemis-2.17.0-Instance and I am really struggling setting
> up a "read-only-user" for the web-console:
>
> What I did so far:
>
> - As Admin-User I successfully run a "artemis producer" via. cli to create
>   some messages to the TEST-Queue
> - If I login to the web-console as Admin I can see all queues and I can
>   browse the queues successfully
>
> For setting up the read-only-user I made the following steps and
> modifications:
>
> - I added a user "view" with the role "view" via. artemis-cli
>
> - artemis.profile changed to:
>   HAWTIO_ROLE='amq,view'
>
> - management.xml:
> [...]
> <role-access>
>   <match domain="org.apache.activemq.artemis">
>     <access method="list*" roles="amq,view"/>
>     <access method="get*" roles="amq,view"/>
>     <access method="is*" roles="amq"/>
>     <access method="set*" roles="amq"/>
>     <access method="*" roles="amq"/>
>   </match>
>   <match domain="org.apache.activemq.artemis" key="subcomponent=queues">
>     <access method="list*" roles="view,update,amq"/>
>     <access method="get*" roles="view,update,amq"/>
>     <access method="is*" roles="view,update,amq"/>
>     <access method="set*" roles="update,amq"/>
>     <access method="*" roles="amq"/>
>   </match>
>
> I can login as user "view" and I can see an overview/list of all queues,
> but I can't browse the queues.
> If I change the line in <match domain="org.apache.activemq.artemis" key="subcomponent=queues">
> From
> <access method="*" roles="amq"/>
> to
> <access method="*" roles="amq,view"/>
> then I can browse the queues, but I am also able to delete messages.
>
> As far as I understand the method "*" is a catch-all for methods other
> than "list*", "get*", etc.
> But I don't know what there are for other methods, I can't find any
> information in artemis-documentation and google really doesn't help...
>
> Help me obi wan kenobi you're my only hope!
>
> Thanks and Best Regards
> Benjamin
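
Added example, not part of the original thread and not Artemis code: a small audit of the queues `<match>` block from the follow-up message, reporting which method names a given role resolves to. The precedence used (exact name, then longest `prefix*`, then `*`) is an assumption about how the patterns are evaluated, and the method names in `SAMPLE_METHODS` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Queues <match> block copied from the follow-up message in this thread.
QUEUES_MATCH = """
<match domain="org.apache.activemq.artemis" key="subcomponent=queues">
  <access method="list*" roles="view,update,amq"/>
  <access method="get*" roles="view,update,amq"/>
  <access method="is*" roles="view,update,amq"/>
  <access method="set*" roles="view,update,amq"/>
  <access method="browse*" roles="view,amq"/>
  <access method="count*" roles="view,amq"/>
  <access method="*" roles="amq"/>
</match>
"""

# Constructed sample method names for illustration, not read from a broker.
SAMPLE_METHODS = ["listMessages", "browse", "countMessages",
                  "setSomething", "removeMessages"]

def load_rules(match_xml):
    """Return [(method_pattern, {roles})] for one <match> element."""
    rules = []
    for access in ET.fromstring(match_xml).findall("access"):
        roles = {r.strip() for r in access.get("roles", "").split(",") if r.strip()}
        rules.append((access.get("method"), roles))
    return rules

def roles_for(rules, method):
    """Assumed precedence: exact name, then longest 'prefix*', then '*'."""
    best, best_rank = set(), -1
    for pattern, roles in rules:
        if pattern == method:
            rank = float("inf")          # exact match always wins
        elif pattern == "*":
            rank = 0                     # catch-all is the last resort
        elif pattern.endswith("*") and method.startswith(pattern[:-1]):
            rank = len(pattern)          # longer prefix is more specific
        else:
            continue
        if rank > best_rank:
            best, best_rank = roles, rank
    return best

def audit(rules, role, methods):
    """Map each method name to True when `role` may invoke it."""
    return {m: role in roles_for(rules, m) for m in methods}

if __name__ == "__main__":
    for name, allowed in audit(load_rules(QUEUES_MATCH), "view", SAMPLE_METHODS).items():
        print(f"{name:16} {'ALLOW' if allowed else 'deny'}")
```

Running the same audit against your own `management.xml` blocks before assigning a role lists every pattern, including write-style ones such as `set*`, that the role resolves to.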