Hi Vilius,

If the name of the subscription queue is known, you can create a security
setting for the FQQN queue name, for example
"address-for-external-role::queue-for-subscription".




Thu, 17 Apr 2025 at 09:42, Vilius Šumskas
<vilius.sums...@rivile.lt.invalid>:

> I would like to rephrase my question regarding createDurableQueue
> permissions requirement. Is it required *by the consumer*? Can those topic
> queues be created by the producer, or does it go against the pub/sub model?
>
> --
>     Vilius
>
> -----Original Message-----
> From: Justin Bertram <jbert...@apache.org>
> Sent: Wednesday, April 16, 2025 8:22 PM
> To: users@activemq.apache.org
> Subject: Re: limiting queue creation in JMS durable subscription flow
>
> > ...I’m not 100% sure if this requirement comes from Qpid library which
> > we are using, or Camel, or is it a requirement for JMS subscribers in
> > general...
>
> This is a requirement for JMS topic subscriptions in general. See the
> documentation [1] for more details.
>
> > Is there a way to limit amount of queues a particular role or user can
> > create?
>
> Yes. See the resource limits documentation [2].
>
>
> Justin
>
> [1] https://activemq.apache.org/components/artemis/documentation/latest/jms-core-mapping.html#mapping-jms-concepts-to-the-core-api
> [2] https://activemq.apache.org/components/artemis/documentation/latest/resource-limits.html#resource-limits
>
> On Wed, Apr 16, 2025 at 3:43 AM Vilius Šumskas 
> <vilius.sums...@rivile.lt.invalid>
> wrote:
>
> > Hello,
> >
> > we have a pub/sub Java app which relies on JMS durable subscriptions
> > and is using Artemis as messaging broker. The broker runs in our
> > environment. The app is deployed externally in the environment we don’t
> > control and acts as a subscriber. For this app we have dedicated a
> > separate role in the Artemis broker.
> >
> > We noticed that this role needs to have createDurableQueue and
> > deleteDurableQueue permission for the app to work correctly. Something
> > like:
> >
> >          <security-setting match="address-for-external-role">
> >             <permission type="createDurableQueue" roles="amq, external-role"/>
> >             <permission type="deleteDurableQueue" roles="amq, external-role"/>
> >             <permission type="createAddress" roles="amq"/>
> >             <permission type="consume" roles="amq, external-role"/>
> >             <permission type="send" roles="amq"/>
> >          </security-setting>
> >
> > Since I’m not a developer I’m not 100% sure if this requirement comes
> > from Qpid library which we are using, or Camel, or is it a requirement
> > for JMS subscribers in general, however I’m trying to understand what
> > could be done to protect our Artemis environment. Mainly I’m concerned
> > that even if the role has access to just one address, in theory, the
> > user could create as many durable queues in the address as he wants,
> > this way overloading the system.
> >
> > Is there a way to limit amount of queues a particular role or user can
> > create? Or maybe our messaging model is wrong and we should not be
> > using JMS subscriptions in case of external app at all?
> >
> > --
> >    Best Regards,
> >
> >     Vilius Šumskas
> >     Rivile
> >     IT manager
> >
> >
>
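
Added example, not part of the original thread and not Artemis project code: a small audit of `security-setting` entries that reports roles able to create queues under a whole address, as opposed to a match pinned to one FQQN as the reply suggests. The function names, the `trusted` role set and the second sample setting are assumptions made for illustration, and treating a wildcard in the queue part as "not pinned" is a deliberately conservative choice.

```python
import xml.etree.ElementTree as ET

CREATE_PERMS = {"createDurableQueue", "createNonDurableQueue"}

# Constructed input: the first setting is the one quoted in the thread; the
# second is an assumed FQQN-scoped setting in the spirit of the reply.
SAMPLE = """\
<security-settings xmlns="urn:activemq:core">
 <security-setting match="address-for-external-role">
  <permission type="createDurableQueue" roles="amq, external-role"/>
  <permission type="deleteDurableQueue" roles="amq, external-role"/>
  <permission type="createAddress" roles="amq"/>
  <permission type="consume" roles="amq, external-role"/>
  <permission type="send" roles="amq"/>
 </security-setting>
 <security-setting match="address-for-external-role::queue-for-subscription">
  <permission type="createDurableQueue" roles="external-role"/>
  <permission type="consume" roles="external-role"/>
 </security-setting>
</security-settings>
"""

def local(tag):
    """Strip an XML namespace so namespaced broker.xml files parse too."""
    return tag.rsplit("}", 1)[-1]

def pinned_to_queue(match):
    """True only for address::queue matches whose queue part has no wildcard."""
    _, sep, queue = match.partition("::")
    return bool(sep and queue) and not set(queue) & {"#", "*"}

def audit(xml_text, trusted=frozenset({"amq"})):
    """List (match, permission, role) where an untrusted role may create
    queues under a match that is not pinned to one named queue."""
    findings = []
    for setting in ET.fromstring(xml_text).iter():
        if local(setting.tag) != "security-setting":
            continue
        match = setting.get("match", "")
        if pinned_to_queue(match):
            continue  # scoped to a single subscription queue
        for perm in setting:
            if local(perm.tag) != "permission" or perm.get("type") not in CREATE_PERMS:
                continue
            roles = {r.strip() for r in perm.get("roles", "").split(",")} - {""}
            findings += [(match, perm.get("type"), r) for r in sorted(roles - set(trusted))]
    return findings
```

Run against the sample, `audit(SAMPLE)` reports only the address-wide `createDurableQueue` grant to `external-role`; the FQQN-scoped setting is not flagged.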
