It is known and I considered this approach, however we have hundreds of these
external roles and would like to manage permissions dynamically via Management
API. Correct me if I'm wrong, but there is no way to set role permissions for
queues via API, just for addresses.
--
Vilius
-----Original Message-----
From: Alexander Milovidov <[email protected]>
Sent: Thursday, April 17, 2025 10:22 AM
To: [email protected]
Subject: Re: limiting queue creation in JMS durable subscription flow
Hi Vilius,
If the name of the subscription queue is known, you can create security setting
for FQQN queue name, for example
"address-for-external-role::queue-for-subscription".
чт, 17 апр. 2025 г. в 09:42, Vilius Šumskas
<[email protected]>:
> I would like to rephrase my question regarding createDurableQueue
> permissions requirement. Is it required *by the consumer*? Can those
> topic queues be created by the producer, or does it go against pub/sub model?
>
> --
> Vilius
>
> -----Original Message-----
> From: Justin Bertram <[email protected]>
> Sent: Wednesday, April 16, 2025 8:22 PM
> To: [email protected]
> Subject: Re: limiting queue creation in JMS durable subscription flow
>
> > ...I’m not 100% sure if this requirement comes from Qpid library
> > which we
> are using, or Camel, or is it a requirement for JMS subscribers in
> general...
>
> This is a requirement for JMS topic subscriptions in general. See the
> documentation [1] for more details.
>
> > Is there a way to limit amount of queues a particular role or user
> > can
> create?
>
> Yes. See the resource limits documentation [2].
>
>
> Justin
>
> [1]
>
> https://activemq.apache.org/components/artemis/documentation/latest/jm
> s-core-mapping.html#mapping-jms-concepts-to-the-core-api
> [2]
>
> https://activemq.apache.org/components/artemis/documentation/latest/re
> source-limits.html#resource-limits
>
> On Wed, Apr 16, 2025 at 3:43 AM Vilius Šumskas
> <[email protected]>
> wrote:
>
> > Hello,
> >
> > we have a pub/sub Java app which relies on JMS durable subscriptions
> > and is using Artemis as messaging broker. The broker runs in our
> environment.
> > The app is deployed externally in the environment we don’t control
> > an acts as a subscriber. For this app we have dedicated a separate
> > role in the Artemis broker.
> >
> > We noticed that this role needs to have createDurableQueue and
> > deleteDurableQueue permission for the app to work correctly.
> > Something
> like:
> >
> > <security-setting match="address-for-external-role">
> > <permission type="createDurableQueue" roles="amq,
> > external-role"/>
> > <permission type="deleteDurableQueue" roles="amq,
> > external-role"/>
> > <permission type="createAddress" roles="amq"/>
> > <permission type="consume" roles="amq, external-role"/>
> > <permission type="send" roles="amq"/>
> > </security-setting>
> >
> > Since I’m not a developer I’m not 100% sure if this requirement
> > comes from Qpid library which we are using, or Camel, or is it a
> > requirement for JMS subscribers in general, however I’m trying to
> > understand what could be done to protect our Artemis environment.
> > Mainly I’m concerned that even if the role has access to just one
> > address, in theory, the user could create as many durable queues in
> > the address as he wants, this way overloading the system.
> >
> > Is there a way to limit amount of queues a particular role or user
> > can create? Or maybe our messaging model is wrong and we should not
> > be using JMS subscriptions in case of external app at all?
> >
> > --
> > Best Regards,
> >
> > Vilius Šumskas
> > Rivile
> > IT manager
> >
> >
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact
