Posted to users@activemq.apache.org by KevinO <on...@gmail.com> on 2022/02/16 21:59:38 UTC

Role Based Security on Temporary Queues

Is there a way to add Role Based Security to temporary queues? So far I get
the error:

User: myUser does not have permission='CREATE_NON_DURABLE_QUEUE' for queue
b9b3ac6e-8d1e-47c6-b168-495a5b35e39f on address
b9b3ac6e-8d1e-47c6-b168-495a5b35e39f]

The security setting allows myUser to send and receive on its queue specified
as follows:

<security-setting match="MYADDRESS.#">
    <permission type="createNonDurableQueue" roles="amq,myRole"/>
    <permission type="deleteNonDurableQueue" roles="amq,myRole"/>
    <permission type="createDurableQueue" roles="amq"/>
    <permission type="deleteDurableQueue" roles="amq"/>
    <permission type="createAddress" roles="amq"/>
    <permission type="deleteAddress" roles="amq"/>
    <permission type="consume" roles="amq,myRole"/>
    <permission type="browse" roles="amq,myRole"/>
    <permission type="send" roles="amq,myRole"/>
    <!-- we need this otherwise ./artemis data imp wouldn't work -->
    <permission type="manage" roles="amq"/>
</security-setting>

I've tried setting
<temporary-queue-namespace>TEMP</temporary-queue-namespace>, and then added
security-settings to allow myRole access, but to no great success.

Any alternate recommendation on how to accomplish the request/reply pattern
would also be appreciated.

Re: Role Based Security on Temporary Queues

Posted by KevinO <on...@gmail.com>.
Thanks for the info, Justin.

I've created a ticket: https://issues.apache.org/jira/browse/ARTEMIS-3692

If someone points me in the right direction, I'd be willing to take a stab
at a PR.

On Thu, Feb 17, 2022 at 10:03 PM Justin Bertram <jb...@apache.org> wrote:

> Currently the temporary-queue-namespace is only relevant for
> address-settings, not security-settings. Therefore, the only way to enforce
> security settings on temporary queues is to use the match "#". I think
> extending the functionality of temporary-queue-namespace to
> security-settings would be worthwhile. Feel free to open a Jira [1] for
> this if you like.
>
>
> Justin
>
> [1] https://issues.apache.org/jira/browse/ARTEMIS
>
>
> On Wed, Feb 16, 2022 at 4:00 PM KevinO <on...@gmail.com> wrote:
>
> > Is there a way to add Role Based Security to temporary queues? So far I get
> > the error:
> >
> > User: myUser does not have permission='CREATE_NON_DURABLE_QUEUE' for queue
> > b9b3ac6e-8d1e-47c6-b168-495a5b35e39f on address
> > b9b3ac6e-8d1e-47c6-b168-495a5b35e39f]
> >
> > The security setting allows myUser to send and receive on its queue specified
> > as follows:
> >
> > <security-setting match="MYADDRESS.#">
> >     <permission type="createNonDurableQueue" roles="amq,myRole"/>
> >     <permission type="deleteNonDurableQueue" roles="amq,myRole"/>
> >     <permission type="createDurableQueue" roles="amq"/>
> >     <permission type="deleteDurableQueue" roles="amq"/>
> >     <permission type="createAddress" roles="amq"/>
> >     <permission type="deleteAddress" roles="amq"/>
> >     <permission type="consume" roles="amq,myRole"/>
> >     <permission type="browse" roles="amq,myRole"/>
> >     <permission type="send" roles="amq,myRole"/>
> >     <!-- we need this otherwise ./artemis data imp wouldn't work -->
> >     <permission type="manage" roles="amq"/>
> > </security-setting>
> >
> > I've tried setting
> > <temporary-queue-namespace>TEMP</temporary-queue-namespace>, and then added
> > security-settings to allow myRole access, but to no great success.
> >
> > Any alternate recommendation on how to accomplish the request/reply pattern
> > would also be appreciated.
> >
>

Re: Role Based Security on Temporary Queues

Posted by Justin Bertram <jb...@apache.org>.
Currently the temporary-queue-namespace is only relevant for
address-settings, not security-settings. Therefore, the only way to enforce
security settings on temporary queues is to use the match "#". I think
extending the functionality of temporary-queue-namespace to
security-settings would be worthwhile. Feel free to open a Jira [1] for
this if you like.


Justin

[1] https://issues.apache.org/jira/browse/ARTEMIS


On Wed, Feb 16, 2022 at 4:00 PM KevinO <on...@gmail.com> wrote:

> Is there a way to add Role Based Security to temporary queues? So far I get
> the error:
>
> User: myUser does not have permission='CREATE_NON_DURABLE_QUEUE' for queue
> b9b3ac6e-8d1e-47c6-b168-495a5b35e39f on address
> b9b3ac6e-8d1e-47c6-b168-495a5b35e39f]
>
> The security setting allows myUser to send and receive on its queue specified
> as follows:
>
> <security-setting match="MYADDRESS.#">
>     <permission type="createNonDurableQueue" roles="amq,myRole"/>
>     <permission type="deleteNonDurableQueue" roles="amq,myRole"/>
>     <permission type="createDurableQueue" roles="amq"/>
>     <permission type="deleteDurableQueue" roles="amq"/>
>     <permission type="createAddress" roles="amq"/>
>     <permission type="deleteAddress" roles="amq"/>
>     <permission type="consume" roles="amq,myRole"/>
>     <permission type="browse" roles="amq,myRole"/>
>     <permission type="send" roles="amq,myRole"/>
>     <!-- we need this otherwise ./artemis data imp wouldn't work -->
>     <permission type="manage" roles="amq"/>
> </security-setting>
>
> I've tried setting
> <temporary-queue-namespace>TEMP</temporary-queue-namespace>, and then added
> security-settings to allow myRole access, but to no great success.
>
> Any alternate recommendation on how to accomplish the request/reply pattern
> would also be appreciated.
>
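
The answer above, sketched as a broker.xml fragment (an added example, not taken from the thread or from the Artemis project): the temporary queue in the error has a generated UUID address that "MYADDRESS.#" never matches, so the grant for myRole has to sit under the "#" match. The role names come from the original post; the set of permissions given to myRole under "#" is an assumption chosen for request/reply, and whether createAddress is also required there depends on the broker version.

```xml
<security-settings>
    <!-- Named application addresses: unchanged from the original post. -->
    <security-setting match="MYADDRESS.#">
        <permission type="createNonDurableQueue" roles="amq,myRole"/>
        <permission type="deleteNonDurableQueue" roles="amq,myRole"/>
        <permission type="createDurableQueue" roles="amq"/>
        <permission type="deleteDurableQueue" roles="amq"/>
        <permission type="createAddress" roles="amq"/>
        <permission type="deleteAddress" roles="amq"/>
        <permission type="consume" roles="amq,myRole"/>
        <permission type="browse" roles="amq,myRole"/>
        <permission type="send" roles="amq,myRole"/>
        <permission type="manage" roles="amq"/>
    </security-setting>

    <!-- Catch-all match. Temporary queues are named with a generated UUID
         (see the address in the error message), so this is the only
         security-setting that applies to them. -->
    <security-setting match="#">
        <!-- Assumed minimum for request/reply: the requester creates and
             deletes its temporary reply queue and consumes from it; the
             responder sends the reply to it. -->
        <permission type="createNonDurableQueue" roles="amq,myRole"/>
        <permission type="deleteNonDurableQueue" roles="amq,myRole"/>
        <permission type="consume" roles="amq,myRole"/>
        <permission type="send" roles="amq,myRole"/>

        <!-- Everything else stays with the administrative role.
             Assumption: if the broker then rejects creation of the
             temporary address itself, myRole would also need
             createAddress here. -->
        <permission type="createDurableQueue" roles="amq"/>
        <permission type="deleteDurableQueue" roles="amq"/>
        <permission type="createAddress" roles="amq"/>
        <permission type="deleteAddress" roles="amq"/>
        <permission type="browse" roles="amq"/>
        <permission type="manage" roles="amq"/>
    </security-setting>
</security-settings>
```

The "#" match also governs every other address that has no more specific security-setting, so myRole holds these four permissions there as well; give any address that must stay closed to myRole its own narrower match.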