Hi Nilesh, I'm not able to see your screenshots and I'm not able to reproduce this issue using Apache ActiveMQ Artemis 2.23.1 with org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule. Are you able to reproduce this issue using org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule?
Execute the following steps to get a working example:

1) create a new broker instance:

   ./bin/artemis create broker --user admin --password admin --require-login

2) add a test user with the monitor role:

   echo -e "\nguest = guest" >> ./broker/etc/artemis-users.properties
   echo -e "\nguests = guest" >> ./broker/etc/artemis-roles.properties

3) add the monitor role to HAWTIO_ROLE in artemis.profile:

   sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,guests'/" ./broker/etc/artemis.profile

4) add the access for the send method in management.xml:

   sed -i 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\ method="send"\ roles="amq,guests"\/>/' ./broker/etc/management.xml

5) run the broker:

   ./broker/bin/artemis run

Regards,
Domenico

On Mon, 9 Jan 2023 at 09:56, Nilesh Khokale (Contractor) <nilesh.khok...@officedepot.com.invalid> wrote:
> Hi Team,
>
> As part of our project requirement we need to restrict non-amq users (LDAP
> users) from performing write & execute operations inside the jolokia console
> (connection, session, consumer, producer), and we need to grant them only the
> send message permission. We were able to achieve it in version 2.18 by
> removing the non-amq role (the LDAP users' role) from the <role-access>
> block in the management.xml below & by giving only the send message
> permission in broker.xml, which is working fine as per expectation.
> However, when we do the same configuration in 2.23.1 it is not working. It
> allows non-amq users to perform any write/execute operation, which we do not
> want. So here I am looking for your suggestion on how we can achieve the
> same in Apache Artemis 2.23.1. Please let us know if you need more details.
> Thank you.
>
> 2.18 management.xml file:
>
> <role-access>
>    <match domain="org.apache.activemq.artemis">
>       <access method="list*" roles="amq"/>
>       <access method="get*" roles="amq"/>
>       <access method="is*" roles="amq"/>
>       <access method="set*" roles="amq"/>
>       <access method="*" roles="amq"/>
>    </match>
> </role-access>
>
> 2.18.1 broker.xml file (in this file we are giving only the send message
> permission to our LDAP users' role):
>
> <security-settings>
>    <security-setting match="#">
>       <permission type="createNonDurableQueue" roles="amq"/>
>       <permission type="deleteNonDurableQueue" roles="amq"/>
>       <permission type="createDurableQueue" roles="amq"/>
>       <permission type="deleteDurableQueue" roles="amq"/>
>       <permission type="createAddress" roles="amq"/>
>       <permission type="deleteAddress" roles="amq"/>
>       <permission type="consume" roles="amq"/>
>       <permission type="browse" roles="amq"/>
>       <permission type="send" roles="amq,EAI_Administrator_G"/>
>    </security-setting>
> </security-settings>
>
> With the above changes, when we log in to the 2.18 jolokia console using a
> non-amq role user (LDAP user) and navigate to any tab like connection,
> session, consumer, producers, we get the restriction message below, which is
> correct as per the above changes & is what our requirement is. Please
> suggest how we can achieve the same in version 2.23.1. Thank you.
>
> The snapshots below are from 2.18.
>
> We just need to grant the send message permission to any non-amq role user,
> like below.
>
> Thank you,
> Nilesh
>
> CONFIDENTIALITY NOTICE: The information contained in this email and
> attached document(s) may contain confidential information that is intended
> only for the addressee(s). If you are not the intended recipient, you are
> hereby advised that any disclosure, copying, distribution or the taking of
> any action in reliance upon the information is prohibited. If you have
> received this email in error, please immediately notify the sender and
> delete it from your system.
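The steps above edit management.xml by hand, so the check a practitioner wants afterwards is "which JMX method patterns does the non-amq role actually appear on, and has it slipped onto a wildcard entry?". The script below is an added example for this thread, not Artemis code and not Domenico's or Nilesh's. It parses the <role-access> block and reports, per role, the method patterns that name it, and flags any role outside an administrator set that sits on a wildcard pattern other than the read-only list*/get*/is* ones. The sample document is constructed from the 2.18 snippet in the quoted mail plus the <access method="send"> entry from step 4; the management-context namespace URI is assumed, and the broker's own precedence among overlapping patterns at invocation time is deliberately not modelled, so the output describes what the file grants, not what a specific call resolves to.

```python
"""Audit the <role-access> block of an Artemis management.xml (added example)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the 2.18 role-access block from the thread, with the
# <access method="send"> entry that step 4's sed command inserts.
# The xmlns value is an assumption about the management.xml schema.
SAMPLE_MANAGEMENT_XML = """<?xml version="1.0"?>
<management-context xmlns="http://activemq.apache.org/schema">
   <role-access>
      <match domain="org.apache.activemq.artemis"><access method="send" roles="amq,guests"/>
         <access method="list*" roles="amq"/>
         <access method="get*" roles="amq"/>
         <access method="is*" roles="amq"/>
         <access method="set*" roles="amq"/>
         <access method="*" roles="amq"/>
      </match>
   </role-access>
</management-context>
"""

# Wildcard patterns that only expose read operations; other wildcards
# (set*, *, any custom prefix) can reach write/execute operations.
READ_ONLY_PATTERNS = ("list*", "get*", "is*")


def _local(tag):
    """Strip an XML namespace prefix: '{ns}access' -> 'access'."""
    return tag.rsplit("}", 1)[-1]


def parse_role_access(xml_text):
    """Return (domain, key, method_pattern, roles) for every <access> entry."""
    root = ET.fromstring(xml_text)
    entries = []
    for match in root.iter():
        if _local(match.tag) != "match":
            continue
        domain = match.get("domain", "")
        key = match.get("key", "")          # optional attribute on <match>
        for access in match:
            if _local(access.tag) != "access":
                continue
            roles = [r.strip() for r in access.get("roles", "").split(",") if r.strip()]
            # method="list*,get*" style lists are split into one entry per pattern
            for pattern in access.get("method", "").split(","):
                entries.append((domain, key, pattern.strip(), roles))
    return entries


def grants_by_role(entries):
    """Map each role to the method patterns that name it, in file order."""
    grants = defaultdict(list)
    for _domain, _key, pattern, roles in entries:
        for role in roles:
            grants[role].append(pattern)
    return dict(grants)


def wildcard_grants_outside(entries, admin_roles):
    """Non-admin roles that appear on a wildcard pattern which is not read-only.

    An exact method name such as "send" is a deliberate, narrow grant and is
    not flagged; "*" or "set*" given to a non-admin role is.
    """
    findings = []
    for domain, _key, pattern, roles in entries:
        if not pattern.endswith("*") or pattern in READ_ONLY_PATTERNS:
            continue
        for role in roles:
            if role not in admin_roles:
                findings.append((domain, pattern, role))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANAGEMENT_XML
    parsed = parse_role_access(text)
    for role, patterns in sorted(grants_by_role(parsed).items()):
        print(f"{role}: {', '.join(patterns)}")
    for domain, pattern, role in wildcard_grants_outside(parsed, {"amq"}):
        print(f"WARNING: role {role!r} has wildcard {pattern!r} on domain {domain!r}")
```

Run it against a real file with `python audit_role_access.py ./broker/etc/management.xml`; with Domenico's configuration the report shows `guests: send` and no warning, and it prints a warning as soon as a non-amq role is added to `set*` or `*`.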