The createDurableQueue permission is required for JMS durable subscribers (i.e. consumers) since the durable subscription they create is represented by a durable, multicast queue. The name of the queue is based on the client ID & subscription name provided by the client.
Sending a message to the JMS topic (i.e. Core address) won't result in the creation of a queue as that would violate pub/sub semantics. Queues (i.e. subscriptions) are only created in response to a consumer. Justin On Thu, Apr 17, 2025 at 1:43 AM Vilius Šumskas <vilius.sums...@rivile.lt.invalid> wrote: > I would like to rephrase my question regarding createDurableQueue > permissions requirement. Is it required *by the consumer*? Can those topic > queues be created by the producer, or does it go against pub/sub model? > > -- > Vilius > > -----Original Message----- > From: Justin Bertram <jbert...@apache.org> > Sent: Wednesday, April 16, 2025 8:22 PM > To: users@activemq.apache.org > Subject: Re: limiting queue creation in JMS durable subscription flow > > > ...I’m not 100% sure if this requirement comes from Qpid library which > > we > are using, or Camel, or is it a requirement for JMS subscribers in > general... > > This is a requirement for JMS topic subscriptions in general. See the > documentation [1] for more details. > > > Is there a way to limit amount of queues a particular role or user can > create? > > Yes. See the resource limits documentation [2]. > > > Justin > > [1] > > https://activemq.apache.org/components/artemis/documentation/latest/jms-core-mapping.html#mapping-jms-concepts-to-the-core-api > [2] > > https://activemq.apache.org/components/artemis/documentation/latest/resource-limits.html#resource-limits > > On Wed, Apr 16, 2025 at 3:43 AM Vilius Šumskas > <vilius.sums...@rivile.lt.invalid> > wrote: > > > Hello, > > > > we have a pub/sub Java app which relies on JMS durable subscriptions > > and is using Artemis as messaging broker. The broker runs in our > environment. > > The app is deployed externally in the environment we don’t control an > > acts as a subscriber. For this app we have dedicated a separate role > > in the Artemis broker. > > > > We noticed that this role needs to have createDurableQueue and > > deleteDurableQueue permission for the app to work correctly. Something > like: > > > > <security-setting match="address-for-external-role"> > > <permission type="createDurableQueue" roles="amq, > > external-role"/> > > <permission type="deleteDurableQueue" roles="amq, > > external-role"/> > > <permission type="createAddress" roles="amq"/> > > <permission type="consume" roles="amq, external-role"/> > > <permission type="send" roles="amq"/> > > </security-setting> > > > > Since I’m not a developer I’m not 100% sure if this requirement comes > > from Qpid library which we are using, or Camel, or is it a requirement > > for JMS subscribers in general, however I’m trying to understand what > > could be done to protect our Artemis environment. Mainly I’m concerned > > that even if the role has access to just one address, in theory, the > > user could create as many durable queues in the address as he wants, > > this way overloading the system. > > > > Is there a way to limit amount of queues a particular role or user can > > create? Or maybe our messaging model is wrong and we should not be > > using JMS subscriptions in case of external app at all? > > > > -- > > Best Regards, > > > > Vilius Šumskas > > Rivile > > IT manager > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@activemq.apache.org > For additional commands, e-mail: users-h...@activemq.apache.org > For further information, visit: https://activemq.apache.org/contact > >
