I've actually tried with regex before but could still call destroyQueue() on 
those queues, hence my previous assumption that regexes don't work. I have 
now tried with a simple purge() command and I can confirm that regex in keys works.

It looks like destroyQueue (and destroyAddress) are not bound to the queue and 
can only be called using the org.apache.activemq.artemis:broker="brokername" MBean, 
so naturally the following match doesn't prevent destroyQueue usage:

         <match domain="org.apache.activemq.artemis">
            <access method="list*" roles="developer,amq"/>
            <access method="get*" roles="developer,amq"/>
            <access method="is*" roles="developer,amq"/>
            <access method="set*" roles="amq"/>
            <!-- Note count and browse are needed to access the browse tab in the console -->
            <access method="browse*" roles="developer,amq"/>
            <access method="count*" roles="developer,amq"/>
            <access method="destroyQueue" roles="developer,amq"/>
            <access method="*" roles="amq"/>
         </match>
         <match domain="org.apache.activemq.artemis" key="queue=(DLQ|ExpireQueue)">
            <access method="list*" roles="developer,amq"/>
            <access method="get*" roles="developer,amq"/>
            <access method="is*" roles="developer,amq"/>
            <access method="browse*" roles="developer,amq"/>
            <access method="count*" roles="developer,amq"/>
            <access method="*" roles="amq"/>
         </match>

I have also tried with a negative regex and moving the destroyQueue method to the 
keyed match. It still doesn't work.

Are there any other ways to limit destroyQueue functionality to just a 
particular set of queues?

-- 
    Vilius

-----Original Message-----
From: Justin Bertram <jbert...@apache.org> 
Sent: Wednesday, April 23, 2025 10:25 PM
To: users@activemq.apache.org
Subject: Re: regex key support in management.xml

The underlying code uses regular expressions so doing so in management.xml 
should also work. That said, I'd recommend using this key instead of what you 
originally proposed:

    key="queue=(DLQ|ExpireQueue)"


Justin

On Tue, Apr 22, 2025 at 4:39 AM Vilius Šumskas 
<vilius.sums...@rivile.lt.invalid> wrote:

> Hello,
>
> as an additional measure to lock down our environments I want some 
> roles to be able to create/delete queues and addresses, but limit what 
> they can do with system addresses/queues, like DLQ, ExpireQueue, 
> activemq.notifications, etc.
>
> Is there a way to define these objects in management.xml using regular 
> expressions? I went through 
> https://activemq.apache.org/components/artemis/documentation/latest/management.html#role-based-authorisation-for-jmx
> but I found only examples with basic wildcard support. Is it possible 
> to have a match for <match domain="org.apache.activemq.artemis"
> key="queue=DLQ|queue=ExpireQueue"> ? Are there any other ways to 
> apply the same management policy to all system queues?
>
> --
>    Best Regards,
>
>     Vilius Šumskas
>     Rivile
>     IT manager
>
>
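
The behaviour described in the first message above, as an added example that is not part of the thread and is not Artemis code. It is a simplified Python model that assumes a keyed match applies only when a key property of the target ObjectName fully matches the key regex, and that methods resolve as exact name, then longest prefix wildcard, then `*`; the queue ObjectName is a constructed sample.

```python
import re

DEV_AMQ, AMQ = {"developer", "amq"}, {"amq"}
READ = [(m, DEV_AMQ) for m in ("list*", "get*", "is*", "browse*", "count*")]
# The two <match> elements from the message above: (key regex or None, access list).
# Both share the same domain, so the domain is not modelled here.
MATCHES = [
    (None, READ + [("set*", AMQ), ("destroyQueue", DEV_AMQ), ("*", AMQ)]),
    ("queue=(DLQ|ExpireQueue)", READ + [("*", AMQ)]),
]

def key_properties(object_name):
    """Return the 'key=value' properties of an ObjectName with quotes stripped.
    Naive split: assumes no commas inside quoted values."""
    _, _, props = object_name.partition(":")
    return [p.replace('"', "") for p in props.split(",")]

def select_match(object_name):
    """Assumed rule: a keyed match applies only if a key property matches it."""
    props = key_properties(object_name)
    for key, access in MATCHES:
        if key and any(re.fullmatch(key, p) for p in props):
            return key, access
    return MATCHES[0]  # fall back to the unkeyed, domain-wide match

def roles_for(object_name, method):
    """Assumed precedence: exact method name, then longest 'prefix*', then '*'."""
    _, access = select_match(object_name)
    best = None
    for pattern, roles in access:
        if pattern == method:
            return roles
        if pattern.endswith("*") and method.startswith(pattern[:-1]):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, roles)
    return best[1] if best else set()

# The broker MBean named in the message, and a constructed queue ObjectName.
BROKER = 'org.apache.activemq.artemis:broker="brokername"'
DLQ = BROKER + (',component=addresses,address="DLQ",subcomponent=queues,'
                'routing-type="anycast",queue="DLQ"')

if __name__ == "__main__":
    # destroyQueue is invoked on BROKER with the queue name as an argument, so
    # the ObjectName carries no queue= property and the keyed match never applies.
    for target in (DLQ, BROKER):
        key, _ = select_match(target)
        print(f"match key={key!r:28} destroyQueue -> "
              f"{sorted(roles_for(target, 'destroyQueue'))}")
```

In this model the keyed rule would leave destroyQueue to `amq` only, but the call is authorised against the broker ObjectName, where the unkeyed match grants it to `developer` as well.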
