I would like to rephrase my question regarding the createDurableQueue permission 
requirement. Is it required *by the consumer*? Can those topic queues be 
created by the producer, or does it go against the pub/sub model?

-- 
    Vilius

-----Original Message-----
From: Justin Bertram <jbert...@apache.org> 
Sent: Wednesday, April 16, 2025 8:22 PM
To: users@activemq.apache.org
Subject: Re: limiting queue creation in JMS durable subscription flow

> ...I’m not 100% sure if this requirement comes from Qpid library which
> we are using, or Camel, or is it a requirement for JMS subscribers in
> general...

This is a requirement for JMS topic subscriptions in general. See the 
documentation [1] for more details.

> Is there a way to limit amount of queues a particular role or user can
> create?

Yes. See the resource limits documentation [2].


Justin

[1]
https://activemq.apache.org/components/artemis/documentation/latest/jms-core-mapping.html#mapping-jms-concepts-to-the-core-api
[2]
https://activemq.apache.org/components/artemis/documentation/latest/resource-limits.html#resource-limits

On Wed, Apr 16, 2025 at 3:43 AM Vilius Šumskas 
<vilius.sums...@rivile.lt.invalid> wrote:

> Hello,
>
> we have a pub/sub Java app which relies on JMS durable subscriptions 
> and is using Artemis as messaging broker. The broker runs in our environment.
> The app is deployed externally in the environment we don’t control and 
> acts as a subscriber. For this app we have dedicated a separate role 
> in the Artemis broker.
>
> We noticed that this role needs to have createDurableQueue and 
> deleteDurableQueue permission for the app to work correctly. Something like:
>
>          <security-setting match="address-for-external-role">
>             <permission type="createDurableQueue" roles="amq, external-role"/>
>             <permission type="deleteDurableQueue" roles="amq, external-role"/>
>             <permission type="createAddress" roles="amq"/>
>             <permission type="consume" roles="amq, external-role"/>
>             <permission type="send" roles="amq"/>
>          </security-setting>
>
> Since I’m not a developer I’m not 100% sure if this requirement comes 
> from Qpid library which we are using, or Camel, or is it a requirement 
> for JMS subscribers in general, however I’m trying to understand what 
> could be done to protect our Artemis environment. Mainly I’m concerned 
> that even if the role has access to just one address, in theory, the 
> user could create as many durable queues in the address as he wants, 
> this way overloading the system.
>
> Is there a way to limit amount of queues a particular role or user can 
> create? Or maybe our messaging model is wrong and we should not be 
> using JMS subscriptions in case of external app at all?
>
> --
>    Best Regards,
>
>     Vilius Šumskas
>     Rivile
>     IT manager
>
>
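
An added example, not part of the thread or of the Artemis project: a small audit that lists users who hold a queue-creation permission through a non-admin role but have no `max-queues` resource limit, which is the exposure the original question describes. It assumes roles are mapped to users in an `artemis-roles.properties`-style file, that `amq` is the trusted admin role, and that resource limits are matched on the exact user name; the users `partner-a` and `partner-b` and the sample configuration are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's security-setting plus a per-user resource limit.
BROKER_XML = """<configuration xmlns="urn:activemq"><core xmlns="urn:activemq:core">
<security-settings>
 <security-setting match="address-for-external-role">
  <permission type="createDurableQueue" roles="amq, external-role"/>
  <permission type="deleteDurableQueue" roles="amq, external-role"/>
  <permission type="consume" roles="amq, external-role"/>
  <permission type="send" roles="amq"/>
 </security-setting>
</security-settings>
<resource-limit-settings>
 <resource-limit-setting match="partner-a"><max-queues>3</max-queues></resource-limit-setting>
</resource-limit-settings>
</core></configuration>"""
# Constructed role = users mapping (artemis-roles.properties style); user names are hypothetical.
ROLES = "amq = admin\nexternal-role = partner-a, partner-b\n"

def parse_roles(text):
    """Map each role to the set of users holding it."""
    roles = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            role, users = line.split("=", 1)
            roles[role.strip()] = {u.strip() for u in users.split(",") if u.strip()}
    return roles

def unlimited_queue_creators(broker_xml, roles_text, trusted=("amq",)):
    """Return (match, permission, role, user) for users who may create queues with no cap."""
    root = ET.fromstring(broker_xml)
    roles = parse_roles(roles_text)
    capped = set()
    for rl in root.findall(".//{*}resource-limit-setting"):
        mq = rl.find("{*}max-queues")
        if mq is not None and int(mq.text) >= 0:  # -1 means unlimited
            capped.add(rl.get("match"))  # matched on the user name, no wildcards
    findings = []
    for ss in root.findall(".//{*}security-setting"):
        for perm in ss.findall("{*}permission"):
            if perm.get("type") not in ("createDurableQueue", "createNonDurableQueue"):
                continue
            for role in (r.strip() for r in perm.get("roles", "").split(",")):
                for user in sorted(roles.get(role, ())):
                    if role not in trusted and user not in capped:
                        findings.append((ss.get("match"), perm.get("type"), role, user))
    return findings

if __name__ == "__main__":
    print(unlimited_queue_creators(BROKER_XML, ROLES))
```

Each finding is a user that needs its own `resource-limit-setting` entry, since the limit follows the user rather than the role.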
