Posted to issues@activemq.apache.org by "Clebert Suconic (Jira)" <ji...@apache.org> on 2021/08/09 17:57:00 UTC

[jira] [Closed] (ARTEMIS-3339) Role Based Authorisation for JMX not working as expected

     [ https://issues.apache.org/jira/browse/ARTEMIS-3339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Clebert Suconic closed ARTEMIS-3339.
------------------------------------

> Role Based Authorisation for JMX not working as expected
> --------------------------------------------------------
>
>                 Key: ARTEMIS-3339
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3339
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: Configuration, JMX, Web Console
>    Affects Versions: 2.17.0
>            Reporter: Ivan Trpkov
>            Assignee: Domenico Francesco Bruscino
>            Priority: Major
>              Labels: JMX, console, rbac, security
>             Fix For: 2.18.0
>
>         Attachments: address-settings.xml, addresses.xml, artemis-roles.properties, artemis-users.properties, artemis.profile.cmd, broker.xml, image-2021-06-09-23-22-51-886.png, image-2021-06-09-23-29-49-670.png, management.xml, security-settings.xml
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Hello,
> I tried to specify role based authorisation in management.xml for different addresses/queues (as instructed [here|https://activemq.apache.org/components/artemis/documentation/latest/management.html]):
> !image-2021-06-09-23-22-51-886.png!
> In Artemis profile config I gave hawtio role to the corresponding users:
> _-Dhawtio.role=amq,auser,buser,cuser,duser_
> The problem is that the authorisation is not working as expected, and only the FIRST "match domain" configuration is working fine.
> In my case, I tested with 4 sections as those in the screenshot above:
>  _<match domain="org.apache.activemq.artemis" key="address=a*">..._
>  _<match domain="org.apache.activemq.artemis" key="address=b*">..._
>  _<match domain="org.apache.activemq.artemis" key="address=c*">..._
>  _<match domain="org.apache.activemq.artemis" key="address=d*">..._
> When I log in using "auser" in the web console, I can invoke operations on addresses/queues starting with "a*", and not on the others, as I'd expect.
> But when I log in using some of the other users, for example, buser, I can still invoke operations on queues starting with "a", but not on the queues starting with "b*", as I'd expect (all operations are disabled, as in the screenshot below):
>  
> !image-2021-06-09-23-29-49-670.png!
>  
> It is interesting that, if I change the order of the sections in management.xml, for example as follows (so address "d*" is first):
>  _<match domain="org.apache.activemq.artemis" key="address=d*">..._
>  _<match domain="org.apache.activemq.artemis" key="address=a*">..._
>  _<match domain="org.apache.activemq.artemis" key="address=b*">..._
>  _<match domain="org.apache.activemq.artemis" key="address=c*">..._
> Then for "duser" that is authorized to work with "d*" queues it works as expected, but when I log in with auser, buser or cuser instead, again the same problem happens that all those users can invoke operations on "d*" queues, and not on the queues that they are expected to be authorized for.
> I attach all relevant configuration files for reference.
>  
> Regards,
> Ivan
>  
>  
>  


