OK, thank you, we will try. Not sure why it didn't work a few years ago, when we tried the first time. Maybe because we are using ActiveMQBasicSecurityManager.
Ideally, though, I would prefer to not have create/delete permissions on the consumer side at all.

--
   Vilius

-----Original Message-----
From: Alexander Milovidov <milovid...@gmail.com>
Sent: Thursday, April 17, 2025 11:18 AM
To: users@activemq.apache.org
Subject: Re: limiting queue creation in JMS durable subscription flow

Permissions can be set for address matches which can be exact address name, or address wildcard, or exact address::queue FQQN.
We have a lot of permissions which are defined for FQQNs in the broker.xml. I'm sure this can also be set using Management API.
The example of permissions for FQQN name:
https://activemq.apache.org/components/artemis/documentation/latest/security.html#fine-grained-security-using-fully-qualified-queue-name

Thu, Apr 17, 2025 at 10:54, Vilius Šumskas <vilius.sums...@rivile.lt.invalid>:

> It is known and I considered this approach, however we have hundreds
> of these external roles and would like to manage permissions
> dynamically via Management API. Correct me if I'm wrong, but there is
> no way to set role permissions for queues via API, just for addresses.
>
> --
> Vilius
>
> -----Original Message-----
> From: Alexander Milovidov <milovid...@gmail.com>
> Sent: Thursday, April 17, 2025 10:22 AM
> To: users@activemq.apache.org
> Subject: Re: limiting queue creation in JMS durable subscription flow
>
> Hi Vilius,
>
> If the name of the subscription queue is known, you can create
> security setting for FQQN queue name, for example
> "address-for-external-role::queue-for-subscription".
>
> Thu, Apr 17, 2025 at 09:42, Vilius Šumskas
> <vilius.sums...@rivile.lt.invalid>:
>
> > I would like to rephrase my question regarding createDurableQueue
> > permissions requirement. Is it required *by the consumer*? Can those
> > topic queues be created by the producer, or does it go against
> > pub/sub model?
> >
> > --
> > Vilius
> >
> > -----Original Message-----
> > From: Justin Bertram <jbert...@apache.org>
> > Sent: Wednesday, April 16, 2025 8:22 PM
> > To: users@activemq.apache.org
> > Subject: Re: limiting queue creation in JMS durable subscription flow
> >
> > > ...I’m not 100% sure if this requirement comes from Qpid library
> > > which we are using, or Camel, or is it a requirement for JMS
> > > subscribers in general...
> >
> > This is a requirement for JMS topic subscriptions in general. See
> > the documentation [1] for more details.
> >
> > > Is there a way to limit amount of queues a particular role or user
> > > can create?
> >
> > Yes. See the resource limits documentation [2].
> >
> >
> > Justin
> >
> > [1] https://activemq.apache.org/components/artemis/documentation/latest/jms-core-mapping.html#mapping-jms-concepts-to-the-core-api
> > [2] https://activemq.apache.org/components/artemis/documentation/latest/resource-limits.html#resource-limits
> >
> > On Wed, Apr 16, 2025 at 3:43 AM Vilius Šumskas
> > <vilius.sums...@rivile.lt.invalid> wrote:
> >
> > > Hello,
> > >
> > > we have a pub/sub Java app which relies on JMS durable
> > > subscriptions and is using Artemis as messaging broker. The broker
> > > runs in our environment.
> > > The app is deployed externally in the environment we don’t control
> > > and acts as a subscriber. For this app we have dedicated a separate
> > > role in the Artemis broker.
> > >
> > > We noticed that this role needs to have createDurableQueue and
> > > deleteDurableQueue permission for the app to work correctly.
> > > Something like:
> > >
> > > <security-setting match="address-for-external-role">
> > >    <permission type="createDurableQueue" roles="amq, external-role"/>
> > >    <permission type="deleteDurableQueue" roles="amq, external-role"/>
> > >    <permission type="createAddress" roles="amq"/>
> > >    <permission type="consume" roles="amq, external-role"/>
> > >    <permission type="send" roles="amq"/>
> > > </security-setting>
> > >
> > > Since I’m not a developer I’m not 100% sure if this requirement
> > > comes from Qpid library which we are using, or Camel, or is it a
> > > requirement for JMS subscribers in general, however I’m trying to
> > > understand what could be done to protect our Artemis environment.
> > > Mainly I’m concerned that even if the role has access to just one
> > > address, in theory, the user could create as many durable queues
> > > in the address as he wants, this way overloading the system.
> > >
> > > Is there a way to limit amount of queues a particular role or user
> > > can create? Or maybe our messaging model is wrong and we should
> > > not be using JMS subscriptions in case of external app at all?
> > >
> > > --
> > > Best Regards,
> > >
> > > Vilius Šumskas
> > > Rivile
> > > IT manager