One more question. Do you know if resource limits are available to be set via 
Management API too? I didn't find anything in the documentation.

-- 
    Vilius

-----Original Message-----
From: Vilius Šumskas <vilius.sums...@rivile.lt.INVALID> 
Sent: Thursday, April 17, 2025 12:39 PM
To: users@activemq.apache.org
Subject: RE: limiting queue creation in JMS durable subscription flow

OK, thank you, we will try. Not sure why it didn't work a few years ago, when we 
tried the first time. Maybe because we are using ActiveMQBasicSecurityManager.

Ideally, though, I would prefer to not have create/delete permissions on the 
consumer side at all.

-- 
    Vilius

-----Original Message-----
From: Alexander Milovidov <milovid...@gmail.com>
Sent: Thursday, April 17, 2025 11:18 AM
To: users@activemq.apache.org
Subject: Re: limiting queue creation in JMS durable subscription flow

Permissions can be set for address matches which can be exact address name, or 
address wildcard, or exact address::queue FQQN.
We have a lot of permissions which are defined for FQQNs in the broker.xml.
I'm sure this can also be set using Management API.

The example of permissions for FQQN name:
https://activemq.apache.org/components/artemis/documentation/latest/security.html#fine-grained-security-using-fully-qualified-queue-name

On Thu, Apr 17, 2025 at 10:54, Vilius Šumskas
<vilius.sums...@rivile.lt.invalid> wrote:

> It is known and I considered this approach, however we have hundreds 
> of these external roles and would like to manage permissions 
> dynamically via Management API. Correct me if I'm wrong, but there is 
> no way to set role permissions for queues via API, just for addresses.
>
> --
>     Vilius
>
> -----Original Message-----
> From: Alexander Milovidov <milovid...@gmail.com>
> Sent: Thursday, April 17, 2025 10:22 AM
> To: users@activemq.apache.org
> Subject: Re: limiting queue creation in JMS durable subscription flow
>
> Hi Vilius,
>
> If the name of the subscription queue is known, you can create 
> security setting for FQQN queue name, for example 
> "address-for-external-role::queue-for-subscription".
>
> On Thu, Apr 17, 2025 at 09:42, Vilius Šumskas
> <vilius.sums...@rivile.lt.invalid> wrote:
>
> > I would like to rephrase my question regarding createDurableQueue 
> > permissions requirement. Is it required *by the consumer*? Can those 
> > topic queues be created by the producer, or does it go against 
> > pub/sub model?
> >
> > --
> >     Vilius
> >
> > -----Original Message-----
> > From: Justin Bertram <jbert...@apache.org>
> > Sent: Wednesday, April 16, 2025 8:22 PM
> > To: users@activemq.apache.org
> > Subject: Re: limiting queue creation in JMS durable subscription 
> > flow
> >
> > > ...I’m not 100% sure if this requirement comes from Qpid library 
> > > which we are using, or Camel, or is it a requirement for JMS 
> > > subscribers in general...
> >
> > This is a requirement for JMS topic subscriptions in general. See 
> > the documentation [1] for more details.
> >
> > > Is there a way to limit amount of queues a particular role or user 
> > > can create?
> >
> > Yes. See the resource limits documentation [2].
> >
> >
> > Justin
> >
> > [1] https://activemq.apache.org/components/artemis/documentation/latest/jms-core-mapping.html#mapping-jms-concepts-to-the-core-api
> > [2] https://activemq.apache.org/components/artemis/documentation/latest/resource-limits.html#resource-limits
> >
> > On Wed, Apr 16, 2025 at 3:43 AM Vilius Šumskas 
> > <vilius.sums...@rivile.lt.invalid>
> > wrote:
> >
> > > Hello,
> > >
> > > we have a pub/sub Java app which relies on JMS durable 
> > > subscriptions and is using Artemis as messaging broker. The broker 
> > > runs in our environment.
> > > The app is deployed externally in the environment we don’t control 
> > > and acts as a subscriber. For this app we have dedicated a separate 
> > > role in the Artemis broker.
> > >
> > > We noticed that this role needs to have createDurableQueue and 
> > > deleteDurableQueue permission for the app to work correctly.
> > > Something like:
> > >
> > >          <security-setting match="address-for-external-role">
> > >             <permission type="createDurableQueue" roles="amq, external-role"/>
> > >             <permission type="deleteDurableQueue" roles="amq, external-role"/>
> > >             <permission type="createAddress" roles="amq"/>
> > >             <permission type="consume" roles="amq, external-role"/>
> > >             <permission type="send" roles="amq"/>
> > >          </security-setting>
> > >
> > > Since I’m not a developer I’m not 100% sure if this requirement 
> > > comes from Qpid library which we are using, or Camel, or is it a 
> > > requirement for JMS subscribers in general, however I’m trying to 
> > > understand what could be done to protect our Artemis environment.
> > > Mainly I’m concerned that even if the role has access to just one 
> > > address, in theory, the user could create as many durable queues 
> > > in the address as he wants, this way overloading the system.
> > >
> > > Is there a way to limit amount of queues a particular role or user 
> > > can create? Or maybe our messaging model is wrong and we should 
> > > not be using JMS subscriptions in case of external app at all?
> > >
> > > --
> > >    Best Regards,
> > >
> > >     Vilius Šumskas
> > >     Rivile
> > >     IT manager
> > >
> > >
> >
>
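
The two suggestions made in this thread (an FQQN security-setting and resource limits) combined into one broker.xml fragment, as an added example that is not part of any message above and is not taken from the Artemis project. It assumes the subscription queue name is known in advance, as in the reply that proposed the FQQN match; the user name external-user is hypothetical, and the address, queue and role names are the ones used in the thread.

```xml
<!-- Added example: both blocks live inside <core> in broker.xml. -->
<security-settings>
   <!-- Address-level match: only the internal "amq" role may act on the
        address as a whole. external-role is deliberately absent here, so it
        cannot create arbitrary durable queues on this address. -->
   <security-setting match="address-for-external-role">
      <permission type="createAddress" roles="amq"/>
      <permission type="createDurableQueue" roles="amq"/>
      <permission type="deleteDurableQueue" roles="amq"/>
      <permission type="consume" roles="amq"/>
      <permission type="send" roles="amq"/>
   </security-setting>

   <!-- FQQN match (address::queue): external-role gets queue permissions
        only for the one known subscription queue. FQQN matches are exact;
        wildcards are not combined with them. -->
   <security-setting match="address-for-external-role::queue-for-subscription">
      <permission type="createDurableQueue" roles="amq, external-role"/>
      <permission type="deleteDurableQueue" roles="amq, external-role"/>
      <permission type="consume" roles="amq, external-role"/>
   </security-setting>
</security-settings>

<resource-limit-settings>
   <!-- Resource limits match on the user name, not the role.
        "external-user" is a hypothetical account holding external-role. -->
   <resource-limit-setting match="external-user">
      <max-connections>5</max-connections>
      <max-queues>1</max-queues>
   </resource-limit-setting>
</resource-limit-settings>
```

With hundreds of external roles this means one FQQN security-setting per subscription queue and one resource-limit-setting per user, since the limit is keyed on user name rather than role.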