Re: Changed securitySettings don't effect until consumer is restarted in Artemis

[Justin Bertram <jb...@apache.org>]

I think this is likely _not_ a bug. I believe you're seeing the expected
behavior. This is because authorization is checked when the consumer is
created. So when you create the consumer and the proper security-setting is
present then authorization succeeds. When you remove the relevant
security-setting the consumer continues on receiving messages because it
has already been authorized to do so. When the consumer is restarted then
it must be reauthorized. Reauthorization fails because the proper
security-setting is no longer present.

The broker could theoretically check authorization for every message
dispatched to the consumer, but I think that would impose a relatively
significant performance penalty for not much gain. If you want the ensure
the security changes are enforced before the consumer reconnects on its own
then you can just close the consumer administratively via the web console.

Hope that helps!


Justin

On Mon, Feb 20, 2023 at 8:00 AM Thorsten Meinl <th...@knime.com>
wrote:

> Hi,
>
> We recently observed a strange behaviour with Artemis (2.24) which
> makes us wonder whether it's a bug.
> We have an Artemis user that has one (or more) roles attached to it.
> The role grants permissions to read a certain topic. Even after this
> role has been deleted from Artemis the consumer is still being able to
> consume messages from that topic. Only after the consumer is restarted
> it is denied access. I would expect that changes to security settings
> take effect more or less immediately and not only after consumers are
> restarted.
>
> Regards,
>
> Thorsten
>
> --
> Dr.-Ing. Thorsten Meinl
> KNIME AG
> Talacker 50
> 8001 Zurich, Switzerland
>
>
>