Hi Doug, all users with the role defined by the `hawtio.role` property can access the console and see the full list of the addresses.
The Role Based Authorisation[1] allows you to limit access for a specific queue, i.e. to allow access to `secureQueue` only for users with the `secure` role, the following `match` element has to be added to the `management.xml` file:

<match domain="org.apache.activemq.artemis" key="queue=secureQueue">
   <access method="list*" roles="secure"/>
   <access method="get*" roles="secure"/>
   <access method="is*" roles="secure"/>
   <access method="set*" roles="secure"/>
   <access method="*" roles="secure"/>
</match>

See the following example to define a viewer only role:

<role-access>
   <match domain="org.apache.activemq.artemis">
      <access method="list*" roles="view,update,amq"/>
      <access method="get*" roles="view,update,amq"/>
      <access method="is*" roles="view,update,amq"/>
      <access method="browse*" roles="view,update,amq"/>
      <access method="count*" roles="view,update,amq"/>
      <access method="set*" roles="update,amq"/>
      <access method="*" roles="amq"/>
   </match>
</role-access>

[1] https://activemq.apache.org/components/artemis/documentation/latest/management.html#role-based-authorisation-for-jmx

Regards,
Domenico

On Thu, 17 Mar 2022 at 18:52, Doug Whitfield <dwhitfi...@perforce.com> wrote:

> Hi folks,
>
> I have a few requirements. I’m not sure they can all be accomplished in
> Artemis by default, but before setting up a separate instance of hawtio or
> some other reverse proxy, I figured I would ask.
>
> We are using apache-artemis-2.19.1. I have configured a secure
> address/Queue (Secure.Test) and am trying to configure the management
> console accordingly. I am trying to make it so that only a user with secure
> role can access Secure.Test queue (Send / Move / Delete / Browse Messages).
>
> Ideally we would like the address to not even appear in the management
> console, if the user does not have the secure role. This in particular I am
> not sure if we are going to get out of the box.
>
> Currently the readonly (viewer role) user can browse messages on all
> queues including the Secure.Test queue. It is also able to move and delete
> messages from all queues including the Secure.Test queue. We would prefer
> to limit the readonly user (viewer role) to only seeing the contents of the
> Attributes Tab and browse messages on any queue that is not defined
> “secure”, such as the Secure.Test queue.
>
> Best Regards,
> --
>
> Doug Whitfield | Enterprise Architect, OpenLogic
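
Added example, not part of the original thread and not Artemis code: a small Python model of how the two `match` elements from the reply combine, for checking which roles end up allowed on a given queue and method before deploying `management.xml`. The precedence rules (a keyed match wins over the domain-only match, the most specific method pattern wins), the un-namespaced XML, the MBean key properties and the sample method names are assumptions of this example; confirm them against the documentation linked in the reply.

```python
import xml.etree.ElementTree as ET

# Constructed sample: both <match> elements from the reply in one <role-access>.
ROLE_ACCESS = """<role-access>
<match domain="org.apache.activemq.artemis">
  <access method="list*" roles="view,update,amq"/>
  <access method="get*" roles="view,update,amq"/>
  <access method="is*" roles="view,update,amq"/>
  <access method="browse*" roles="view,update,amq"/>
  <access method="count*" roles="view,update,amq"/>
  <access method="set*" roles="update,amq"/>
  <access method="*" roles="amq"/>
</match>
<match domain="org.apache.activemq.artemis" key="queue=secureQueue">
  <access method="list*" roles="secure"/>
  <access method="get*" roles="secure"/>
  <access method="is*" roles="secure"/>
  <access method="set*" roles="secure"/>
  <access method="*" roles="secure"/>
</match>
</role-access>"""

def load_matches(xml_text, with_keyed=True):
    """Return [(domain, key, [(pattern, roles)])]; with_keyed=False drops keyed matches."""
    out = []
    for m in ET.fromstring(xml_text).iter("match"):
        if m.get("key") and not with_keyed:
            continue
        rules = [(a.get("method"), set(a.get("roles").split(","))) for a in m.iter("access")]
        out.append((m.get("domain"), m.get("key"), rules))
    return out

def allowed_roles(matches, domain, props, method):
    """Roles permitted to call `method` on the MBean with key properties `props`."""
    fits = [m for m in matches if m[0] == domain
            and (m[1] is None or dict([m[1].split("=", 1)]).items() <= props.items())]
    if not fits:
        return set()
    # Assumption: a keyed match is more specific and wins over the domain-only match.
    _, _, rules = max(fits, key=lambda m: m[1] is not None)
    # Assumption: exact name first, then the longest prefix pattern, so "browse*" beats "*".
    hits = [(p, r) for p, r in rules
            if p == method or (p.endswith("*") and method.startswith(p[:-1]))]
    return max(hits, key=lambda h: (h[0] == method, len(h[0])))[1] if hits else set()

def can_invoke(matches, user_roles, domain, props, method):
    return bool(set(user_roles) & allowed_roles(matches, domain, props, method))
```

Loading with `with_keyed=False` models the configuration before the `secureQueue` match is added, which makes it easy to compare what a `view` user can reach in both states.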