> Are there any other methods how to limit destroyQueue functionality just on particular set of queues?

I don't believe there is. For what it's worth the ActiveMQServerControl MBean is the main control for broker management so it's meant for trusted admins.


Justin

On Thu, Apr 24, 2025 at 6:54 AM Vilius Šumskas <vilius.sums...@rivile.lt.invalid> wrote:

> I've actually tried with regex before but still could call destroyQueue()
> on those queues, hence my previous assumption that regexes don't work. I
> have now tried with simple purge() command and I can confirm that regex in
> keys works.
>
> It looks like destroyQueue (and destroyAddress) are not bound to the queue
> and only can be called using
> org.apache.activemq.artemis:broker="brokername" MBean, so naturally the
> following match doesn't prevent destroyQueue usage:
>
>     <match domain="org.apache.activemq.artemis">
>         <access method="list*" roles="developer,amq"/>
>         <access method="get*" roles="developer,amq"/>
>         <access method="is*" roles="developer,amq"/>
>         <access method="set*" roles="amq"/>
>         <!-- Note count and browse are needed to access the browse tab in the console -->
>         <access method="browse*" roles="developer,amq"/>
>         <access method="count*" roles="developer,amq"/>
>         <access method="destroyQueue" roles="developer,amq"/>
>         <access method="*" roles="amq"/>
>     </match>
>     <match domain="org.apache.activemq.artemis" key="queue=(DLQ|ExpireQueue)">
>         <access method="list*" roles="developer,amq"/>
>         <access method="get*" roles="developer,amq"/>
>         <access method="is*" roles="developer,amq"/>
>         <access method="browse*" roles="developer,amq"/>
>         <access method="count*" roles="developer,amq"/>
>         <access method="*" roles="amq"/>
>     </match>
>
> I have also tried with negative regex and moving destroyQueue method to
> the key'ed match. Still doesn't work.
>
> Are there any other methods how to limit destroyQueue functionality just
> on particular set of queues?
>
> --
>    Vilius
>
> -----Original Message-----
> From: Justin Bertram <jbert...@apache.org>
> Sent: Wednesday, April 23, 2025 10:25 PM
> To: users@activemq.apache.org
> Subject: Re: regex key support in management.xml
>
> The underlying code uses regular expressions so doing so in management.xml
> should also work. That said, I'd recommend using this key instead of what
> you originally proposed:
>
>   key="queue=(DLQ|ExpireQueue)"
>
>
> Justin
>
> On Tue, Apr 22, 2025 at 4:39 AM Vilius Šumskas
> <vilius.sums...@rivile.lt.invalid>
> wrote:
>
> > Hello,
> >
> > as an additional measure to lock down our environments I want some
> > roles to be able to create/delete queues and addresses, but limit what
> > they can do with system addresses/queues, like DLQ, ExpireQueue,
> > activemq.notifications, etc.
> >
> > Is there a way to define these objects in management.xml using regular
> > expressions? I went through
> > https://activemq.apache.org/components/artemis/documentation/latest/management.html#role-based-authorisation-for-jmx
> > but I found only examples with basic wildcard support. Is it possible
> > to have a match for <match domain="org.apache.activemq.artemis"
> > key="queue=DLQ|queue=ExpireQueue"> ? Are there any other methods how
> > to apply the same management policy to all system queues?
> >
> > --
> >     Best Regards,
> >
> >     Vilius Šumskas
> >     Rivile
> >     IT manager
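
The matching behaviour discussed in this thread, as a simplified model added here as an example (it is not Artemis code and not from either poster): it resolves roles for a JMX call from the two `<match>` blocks quoted above and shows that a call on the broker MBean never reaches the keyed rule. The precedence of keyed over domain-wide matches, the quote stripping, the method-pattern ordering, and the queue ObjectNames are assumptions of the model.

```python
import re
from fnmatch import fnmatchcase

DOMAIN = "org.apache.activemq.artemis"
DEV = {"developer", "amq"}
ADMIN = {"amq"}
READ = {"list*": DEV, "get*": DEV, "is*": DEV, "browse*": DEV, "count*": DEV}
# The two <match> blocks quoted in the thread: (key regex or None, access map).
# Assumption of this model: a keyed match is consulted before the domain-wide one.
MATCHES = [
    ("queue=(DLQ|ExpireQueue)", {**READ, "*": ADMIN}),
    (None, {**READ, "set*": ADMIN, "destroyQueue": DEV, "*": ADMIN}),
]

def key_properties(object_name):
    """Split 'domain:k=v,...' into (domain, ['k=v', ...]) with quotes stripped."""
    domain, _, props = object_name.partition(":")
    pairs = (p.split("=", 1) for p in props.split(","))
    return domain, [k + "=" + v.strip('"') for k, v in pairs]

def roles_for(object_name, method):
    """Return (key regex that matched or None, roles allowed to call method)."""
    domain, keys = key_properties(object_name)
    if domain != DOMAIN:
        return None, set()
    for key_regex, access in MATCHES:
        if key_regex is None or any(re.fullmatch(key_regex, k) for k in keys):
            # Most specific method pattern wins: exact name, then longest wildcard.
            for pattern in sorted(access, key=lambda p: ("*" in p, -len(p))):
                if fnmatchcase(method, pattern):
                    return key_regex, access[pattern]
    return None, set()

# The broker control MBean named in the thread: it has no queue= key property.
BROKER = DOMAIN + ':broker="brokername"'

def queue_mbean(name):
    """Constructed queue-control ObjectName for the given queue (sample input)."""
    return (BROKER + ',component=addresses,address="%s",subcomponent=queues,'
            'routing-type="anycast",queue="%s"' % (name, name))

if __name__ == "__main__":
    calls = [(queue_mbean("DLQ"), "purge"), (queue_mbean("orders"), "purge"),
             (BROKER, "destroyQueue")]
    for obj, method in calls:
        print(method, "->", roles_for(obj, method))
```

The queue name passed to destroyQueue is a method argument, not part of the ObjectName, so in this model no `key="queue=..."` rule can ever select that call.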