Permissions can be set for address matches, which can be an exact address name,
an address wildcard, or an exact address::queue FQQN.
We have a lot of permissions which are defined for FQQNs in the broker.xml.
I'm sure this can also be set using the Management API.

An example of permissions for an FQQN name:
https://activemq.apache.org/components/artemis/documentation/latest/security.html#fine-grained-security-using-fully-qualified-queue-name

Thu, Apr 17, 2025 at 10:54, Vilius Šumskas
<vilius.sums...@rivile.lt.invalid>:

> It is known and I considered this approach, however we have hundreds of
> these external roles and would like to manage permissions dynamically via
> Management API. Correct me if I'm wrong, but there is no way to set role
> permissions for queues via API, just for addresses.
>
> --
>     Vilius
>
> -----Original Message-----
> From: Alexander Milovidov <milovid...@gmail.com>
> Sent: Thursday, April 17, 2025 10:22 AM
> To: users@activemq.apache.org
> Subject: Re: limiting queue creation in JMS durable subscription flow
>
> Hi Vilius,
>
> If the name of the subscription queue is known, you can create a security
> setting for the FQQN queue name, for example
> "address-for-external-role::queue-for-subscription".
>
> Thu, Apr 17, 2025 at 09:42, Vilius Šumskas
> <vilius.sums...@rivile.lt.invalid>:
>
> > I would like to rephrase my question regarding createDurableQueue
> > permissions requirement. Is it required *by the consumer*? Can those
> > topic queues be created by the producer, or does it go against pub/sub
> > model?
> >
> > --
> >     Vilius
> >
> > -----Original Message-----
> > From: Justin Bertram <jbert...@apache.org>
> > Sent: Wednesday, April 16, 2025 8:22 PM
> > To: users@activemq.apache.org
> > Subject: Re: limiting queue creation in JMS durable subscription flow
> >
> > > ...I’m not 100% sure if this requirement comes from Qpid library
> > > which we are using, or Camel, or is it a requirement for JMS
> > > subscribers in general...
> >
> > This is a requirement for JMS topic subscriptions in general. See the
> > documentation [1] for more details.
> >
> > > Is there a way to limit amount of queues a particular role or user
> > > can create?
> >
> > Yes. See the resource limits documentation [2].
> >
> >
> > Justin
> >
> > [1] https://activemq.apache.org/components/artemis/documentation/latest/jms-core-mapping.html#mapping-jms-concepts-to-the-core-api
> > [2] https://activemq.apache.org/components/artemis/documentation/latest/resource-limits.html#resource-limits
> >
> > On Wed, Apr 16, 2025 at 3:43 AM Vilius Šumskas
> > <vilius.sums...@rivile.lt.invalid>
> > wrote:
> >
> > > Hello,
> > >
> > > we have a pub/sub Java app which relies on JMS durable subscriptions
> > > and is using Artemis as messaging broker. The broker runs in our
> > > environment. The app is deployed externally in the environment we
> > > don’t control and acts as a subscriber. For this app we have
> > > dedicated a separate role in the Artemis broker.
> > >
> > > We noticed that this role needs to have createDurableQueue and
> > > deleteDurableQueue permission for the app to work correctly.
> > > Something like:
> > >
> > >          <security-setting match="address-for-external-role">
> > >             <permission type="createDurableQueue" roles="amq, external-role"/>
> > >             <permission type="deleteDurableQueue" roles="amq, external-role"/>
> > >             <permission type="createAddress" roles="amq"/>
> > >             <permission type="consume" roles="amq, external-role"/>
> > >             <permission type="send" roles="amq"/>
> > >          </security-setting>
> > >
> > > Since I’m not a developer I’m not 100% sure if this requirement
> > > comes from Qpid library which we are using, or Camel, or is it a
> > > requirement for JMS subscribers in general, however I’m trying to
> > > understand what could be done to protect our Artemis environment.
> > > Mainly I’m concerned that even if the role has access to just one
> > > address, in theory, the user could create as many durable queues in
> > > the address as he wants, this way overloading the system.
> > >
> > > Is there a way to limit amount of queues a particular role or user
> > > can create? Or maybe our messaging model is wrong and we should not
> > > be using JMS subscriptions in case of external app at all?
> > >
> > > --
> > >    Best Regards,
> > >
> > >     Vilius Šumskas
> > >     Rivile
> > >     IT manager
> > >
> > >
> >
>
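An added example (not part of the thread and not Artemis project code): a static check over a broker.xml security section that lists queue create/delete permissions held by non-broker roles on address or wildcard matches rather than on a single FQQN, which is the exposure discussed above. The sample XML is constructed from the snippet in the thread, and treating `amq` as the only trusted role is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the address-wide setting from the thread plus an FQQN-scoped one.
SAMPLE = """
<security-settings xmlns="urn:activemq:core">
  <security-setting match="address-for-external-role">
    <permission type="createDurableQueue" roles="amq, external-role"/>
    <permission type="deleteDurableQueue" roles="amq, external-role"/>
    <permission type="createAddress" roles="amq"/>
    <permission type="consume" roles="amq, external-role"/>
    <permission type="send" roles="amq"/>
  </security-setting>
  <security-setting match="address-for-external-role::queue-for-subscription">
    <permission type="createDurableQueue" roles="amq, external-role"/>
    <permission type="consume" roles="amq, external-role"/>
  </security-setting>
</security-settings>
"""

QUEUE_PERMS = {"createDurableQueue", "deleteDurableQueue",
               "createNonDurableQueue", "deleteNonDurableQueue"}

def local(tag):
    # Drop the "{urn:activemq:core}" namespace prefix ElementTree adds to tag names.
    return tag.rsplit("}", 1)[-1]

def match_scope(match):
    # "address::queue" is an FQQN; "#" and "*" are the default wildcard characters.
    if "::" in match:
        return "fqqn"
    return "wildcard" if "#" in match or "*" in match else "address"

def audit(xml_text, trusted_roles=("amq",)):
    """Queue create/delete permissions held by non-trusted roles on non-FQQN matches."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "security-setting" or match_scope(el.get("match", "")) == "fqqn":
            continue
        for perm in el:
            if local(perm.tag) != "permission" or perm.get("type") not in QUEUE_PERMS:
                continue
            roles = {r.strip() for r in perm.get("roles", "").split(",") if r.strip()}
            for role in sorted(roles - set(trusted_roles)):
                findings.append((el.get("match"), match_scope(el.get("match")), perm.get("type"), role))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("wider than one queue:", *finding)
```

On the constructed sample it reports the two address-wide grants to `external-role` and skips the FQQN-scoped setting.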