Posted to issues@activemq.apache.org by "Martyn Taylor (JIRA)" <ji...@apache.org> on 2017/02/24 15:00:49 UTC

[jira] [Commented] (ARTEMIS-990) AMQ119032: User: Customer does not have permission='CREATE_DURABLE_QUEUE' on address $sys.mqtt.queue.qos2

    [ https://issues.apache.org/jira/browse/ARTEMIS-990?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15882835#comment-15882835 ] 

Martyn Taylor commented on ARTEMIS-990:
---------------------------------------

The issue here is that the security permissions are applied when creating internal management queues.  This is a bug; I'll aim to get it fixed in the next maintenance release.

In the meantime, you should be able to work around this by ensuring your MQTT clients have the relevant permissions for creating the management queues.  The following XML snippet should do it:

         <security-setting match="$sys.mqtt.#">
            <permission type="createDurableQueue" roles="<MQTT Client Roles Here>"/>
            <permission type="deleteDurableQueue" roles="<MQTT Client Roles Here>"/>
            <permission type="consume" roles="<MQTT Client Roles Here>"/>
            <permission type="send" roles="<MQTT Client Roles Here>"/>
         </security-setting>

> AMQ119032: User: Customer does not have permission='CREATE_DURABLE_QUEUE' on address $sys.mqtt.queue.qos2
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: ARTEMIS-990
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-990
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 1.5.3
>         Environment: RHEL 7
>            Reporter: Himer MARTINEZ
>
> Hello Guys,
> We are experiencing this issue with MQTT, 
> Our issue : *AMQ119032: User: Customer does not have permission='CREATE_DURABLE_QUEUE' on address $sys.mqtt.queue.qos2.0a971d7ad7de58aea7c0*
> {code:title=MQTTBasicPubSubExample.java|borderStyle=solid}
> package com.mycompany.mqtt;
> import java.security.SecureRandom;
> import java.security.cert.CertificateException;
> import java.security.cert.X509Certificate;
> import java.util.concurrent.TimeUnit;
> import javax.net.ssl.KeyManager;
> import javax.net.ssl.SSLContext;
> import javax.net.ssl.TrustManager;
> import javax.net.ssl.X509TrustManager;
> import org.fusesource.hawtbuf.UTF8Buffer;
> import org.fusesource.mqtt.client.BlockingConnection;
> import org.fusesource.mqtt.client.MQTT;
> import org.fusesource.mqtt.client.Message;
> import org.fusesource.mqtt.client.QoS;
> import org.fusesource.mqtt.client.Topic;
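> /**
>  * A simple MQTT publish and subscribe example.
>  *
>  * Connects to the broker as the "Customer" user over ssl://localhost:1883, subscribes to one
>  * topic, publishes a single message to it, waits up to five seconds for that message to come
>  * back, acknowledges it and disconnects.
>  *
>  * NOTE(review): the SSL-related imports at the top of this file (SSLContext, X509TrustManager,
>  * KeyManager, ...) are not used by this class, so the ssl:// connection presumably relies on the
>  * JVM's default SSL context and trust store — confirm that is the intended setup.
>  */
> public class MQTTBasicPubSubExample {
>    /** Topic the example both subscribes to and publishes on. */
>    private static final String TOPIC = "digital/test/data";
>
>    /**
>     * Entry point: connect, subscribe, publish one message, receive it, disconnect.
>     *
>     * @param args ignored
>     * @throws Exception if connecting, subscribing, publishing or receiving fails
>     */
>    public static void main(final String[] args) throws Exception {
>       // Create a new MQTT connection to the broker.  We are not setting the client ID.  The broker will pick one for us.
>       System.out.println("Connecting to Artemis using MQTT");
>       MQTT mqtt = new MQTT();
>       mqtt.setConnectAttemptsMax(2);
>       mqtt.setReconnectAttemptsMax(1);
>
>       // Credentials are hard-coded for the purposes of this example only; a real client should
>       // load them from configuration or a secret store rather than keep them in source.
>       mqtt.setUserName("Customer");
>       mqtt.setPassword("customerpwd");
>
>       mqtt.setHost("ssl://localhost:1883");
>       BlockingConnection connection = mqtt.blockingConnection();
>       connection.connect();
>       try {
>          System.out.println("Connected to Artemis");
>          // Subscribe to topics
>          Topic[] topics = {new Topic(TOPIC, QoS.AT_LEAST_ONCE)};
>          System.out.println("start subscribe");
>          connection.subscribe(topics);
>          System.out.println("end subscribe");
>          System.out.println("Subscribed to topics.");
>
>          // Publish Messages
>          String payload4 = "This is message 4";
>          System.out.println("start publish");
>          // Encode with an explicit charset: the no-arg getBytes() uses the platform default.
>          connection.publish(TOPIC, payload4.getBytes(java.nio.charset.StandardCharsets.UTF_8), QoS.AT_MOST_ONCE, false);
>          System.out.println("end publish");
>          System.out.println("Sent messages.");
>
>          // receive(timeout) returns null when nothing arrives in time; the original listing
>          // dereferenced the result unconditionally and would fail with a NullPointerException.
>          Message message4 = connection.receive(5, TimeUnit.SECONDS);
>          if (message4 == null) {
>             System.out.println("No message received within 5 seconds.");
>             return;
>          }
>          System.out.println("Received messages.");
>          System.out.println(new String(message4.getPayload(), java.nio.charset.StandardCharsets.UTF_8));
>          message4.ack();
>       } finally {
>          // Always release the connection, even when subscribe/publish/receive throws.
>          connection.disconnect();
>       }
>    }
> }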
> {code}
> {code:title=broker.xml|borderStyle=solid}
> <?xml version='1.0'?>
> <!--
> Licensed to the Apache Software Foundation (ASF) under one
> or more contributor license agreements.  See the NOTICE file
> distributed with this work for additional information
> regarding copyright ownership.  The ASF licenses this file
> to you under the Apache License, Version 2.0 (the
> "License"); you may not use this file except in compliance
> with the License.  You may obtain a copy of the License at
>   http://www.apache.org/licenses/LICENSE-2.0
> Unless required by applicable law or agreed to in writing,
> software distributed under the License is distributed on an
> "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
> KIND, either express or implied.  See the License for the
> specific language governing permissions and limitations
> under the License.
> -->
> <configuration xmlns="urn:activemq"
>                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                xsi:schemaLocation="urn:activemq /schema/artemis-configuration.xsd">
>    <jms xmlns="urn:activemq:jms">
>       <queue name="DLQ"/>
>       <queue name="ExpiryQueue"/>
>    </jms>
>    <core xmlns="urn:activemq:core">
>       <name>localhost</name>
>       <persistence-enabled>true</persistence-enabled>
>       <!-- this could be ASYNCIO or NIO
>        -->
>       <journal-type>ASYNCIO</journal-type>
>       <paging-directory>/artemis/datas/paging</paging-directory>
>       <bindings-directory>/artemis/datas/bindings</bindings-directory>
>       <journal-directory>/artemis/datas/journal</journal-directory>
>       <large-messages-directory>/artemis/datas/large-messages</large-messages-directory>
>       <journal-datasync>true</journal-datasync>
>       <journal-min-files>2</journal-min-files>
>       <journal-pool-files>-1</journal-pool-files>
>       <!--
>         You can specify the NIC you want to use to verify if the network
>          <network-check-NIC>theNickName</network-check-NIC>
>         -->
>       <!--
>         Use this to use an HTTP server to validate the network
>          <network-check-URL-list>http://www.apache.org</network-check-URL-list> -->
>       <!-- <network-check-period>10000</network-check-period> -->
>       <!-- <network-check-timeout>1000</network-check-timeout> -->
>       <!-- this is a comma separated list, no spaces, just DNS or IPs
>            it should accept IPV6
>            Warning: Make sure you understand your network topology as this is meant to validate if your network is valid.
>                     Using IPs that could eventually disappear or be partially visible may defeat the purpose.
>                     You can use a list of multiple IPs, and if any successful ping will make the server OK to continue running -->
>       <!-- <network-check-list>10.0.0.1</network-check-list> -->
>       <!-- use this to customize the ping used for ipv4 addresses -->
>       <!-- <network-check-ping-command>ping -c 1 -t %d %s</network-check-ping-command> -->
>       <!-- use this to customize the ping used for ipv6 addresses -->
>       <!-- <network-check-ping6-command>ping6 -c 1 %2$s</network-check-ping6-command> -->
>       <!--
>        This value was determined through a calculation.
>        Your system could perform 1 writes per millisecond
>        on the current journal configuration.
>        That translates as a sync write every 1004000 nanoseconds
>       -->
>       <journal-buffer-timeout>1004000</journal-buffer-timeout>
>     <connectors>
>         <!-- Connector used to be announced through cluster connections and notifications -->
>         <connector name="artemis">tcp://localhost:61616</connector>
>     </connectors>
>     <ha-policy>
>       <shared-store>
>         <master>
>            <failover-on-shutdown>true</failover-on-shutdown>
>         </master>
>       </shared-store>
>     </ha-policy>
>       <!-- how often we are looking for how many bytes are being used on the disk in ms -->
>       <disk-scan-period>5000</disk-scan-period>
>       <!-- once the disk hits this limit the system will block, or close the connection in certain protocols
>            that won't support flow control. -->
>       <max-disk-usage>90</max-disk-usage>
>       <!-- the system will enter into page mode once you hit this limit.
>            This is an estimate in bytes of how much the messages are using in memory -->
>       <global-max-size>104857600</global-max-size>
>       <acceptors>
>          <!-- Acceptor for every supported protocol -->
>          <acceptor name="artemis">tcp://localhost:61616?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE</acceptor>
>          <!-- AMQP Acceptor.  Listens on default AMQP port for AMQP traffic.-->
>          <acceptor name="amqp">tcp://localhost:5672?protocols=AMQP</acceptor>
>          <!-- STOMP Acceptor. -->
>          <acceptor name="stomp">tcp://localhost:61613?protocols=STOMP</acceptor>
>          <!-- HornetQ Compatibility Acceptor.  Enables HornetQ Core and STOMP for legacy HornetQ clients. -->
>          <acceptor name="hornetq">tcp://localhost:5445?protocols=HORNETQ,STOMP</acceptor>
>          <!-- MQTT Acceptor -->
> 		 <acceptor name="mqtt">tcp://localhost:1883?protocols=MQTT;sslEnabled=true;keyStorePath=/artemis/brokers/certificats/keystore.jks;keyStorePassword=artemispwd</acceptor>
>       </acceptors>
>       <cluster-user>AdminCluster</cluster-user>
>       <cluster-password>AdminCluster</cluster-password>
>       <broadcast-groups>
>          <broadcast-group name="bg-group1">
>             <group-address>231.7.7.7</group-address>
>             <group-port>9876</group-port>
>             <broadcast-period>5000</broadcast-period>
>             <connector-ref>artemis</connector-ref>
>          </broadcast-group>
>       </broadcast-groups>
>       <discovery-groups>
>          <discovery-group name="dg-group1">
>             <group-address>231.7.7.7</group-address>
>             <group-port>9876</group-port>
>             <refresh-timeout>10000</refresh-timeout>
>          </discovery-group>
>       </discovery-groups>
>       <cluster-connections>
>          <cluster-connection name="my-cluster">
>             <address>jms</address>
>             <connector-ref>artemis</connector-ref>
>             <message-load-balancing>ON_DEMAND</message-load-balancing>
>             <max-hops>0</max-hops>
>             <discovery-group-ref discovery-group-name="dg-group1"/>
>          </cluster-connection>
>       </cluster-connections>
>       <security-enabled>true</security-enabled>
>       <security-settings>
>          <security-setting match="#">
>             <permission type="createNonDurableQueue" roles="Digital"/>
>             <permission type="deleteNonDurableQueue" roles="Digital"/>
>             <permission type="createDurableQueue" roles="Digital"/>
>             <permission type="deleteDurableQueue" roles="Digital"/>
>             <permission type="consume" roles="Digital"/>
>             <permission type="browse" roles="Digital"/>
>             <permission type="send" roles="Digital"/-->
>             <!-- we need this otherwise ./artemis data imp wouldn't work -->
>             <permission type="manage" roles="Digital"/>
>          </security-setting-->
> 	 <security-setting match="digital.test.#">
>             <!-- permission type="createNonDurableQueue" roles="Commerce"/-->
>             <!--permission type="deleteNonDurableQueue" roles="digital,Commerce"/-->
>             <!--permission type="createDurableQueue" roles="Commerce"/-->
>             <!--permission type="deleteDurableQueue" roles="digital,Commerce"/-->
> 			<!-- permission type="consume" roles="Commerce"/-->
>             <!-- permission type="browse" roles="Commerce"/-->
>             <permission type="send" roles="Client"/>
>             <!-- permission type="manage" roles="Commerce" /-->
>          </security-setting>
>       </security-settings>
> <queues>
>    <queue name="digital.test.data">
>       <durable>true</durable>
>     </queue>
> </queues>
>       <address-settings>
>          <!--default for catch all-->
>          <address-setting match="#">
>             <dead-letter-address>jms.queue.DLQ</dead-letter-address>
>             <expiry-address>jms.queue.ExpiryQueue</expiry-address>
>             <redelivery-delay>0</redelivery-delay>
>             <!-- with -1 only the global-max-size is in use for limiting -->
>             <max-size-bytes>-1</max-size-bytes>
>             <message-counter-history-day-limit>1</message-counter-history-day-limit>
>             <address-full-policy>PAGE</address-full-policy>
>             <expiry-delay>10</expiry-delay>
>          </address-setting>
>       </address-settings>
>    </core>
> </configuration>
> {code}
> {code:title=Issue on client side|borderStyle=solid}
> Exception in thread "main" java.io.EOFException: Peer disconnected
> 	at org.fusesource.hawtdispatch.transport.AbstractProtocolCodec.read(AbstractProtocolCodec.java:331)
> 	at org.fusesource.hawtdispatch.transport.TcpTransport.drainInbound(TcpTransport.java:710)
> 	at org.fusesource.hawtdispatch.transport.TcpTransport$6.run(TcpTransport.java:592)
> 	at org.fusesource.hawtdispatch.internal.NioDispatchSource$3.run(NioDispatchSource.java:209)
> 	at org.fusesource.hawtdispatch.internal.SerialDispatchQueue.run(SerialDispatchQueue.java:100)
> 	at org.fusesource.hawtdispatch.internal.pool.SimpleThread.run(SimpleThread.java:77)
> {code}
> {code:title=artemis log file extract|borderStyle=solid}
> 10:13:37,116 DEBUG [org.apache.activemq.artemis.core.postoffice.impl.PostOfficeImpl] Couldn't find any bindings for address=activemq.notifications on message=ServerMessage[messageID=234572,durable=true,userID=null,priority=0, bodySize=512, timestamp=0,expiration=Thu Feb 23 10:13:37 CET 2017, durable=true, address=activemq.notifications,properties=TypedProperties[_AMQ_User=Customer,_AMQ_Address=$sys.mqtt.queue.qos2.0a971d7ad7de58aea7c0,_AMQ_NotifType=SECURITY_PERMISSION_VIOLATION,_AMQ_NotifTimestamp=1487841217116,_AMQ_CheckType=CREATE_DURABLE_QUEUE]]@1241929264
> 10:13:37,116 DEBUG [org.apache.activemq.artemis.core.postoffice.impl.PostOfficeImpl] Message ServerMessage[messageID=234572,durable=true,userID=null,priority=0, bodySize=512, timestamp=0,expiration=Thu Feb 23 10:13:37 CET 2017, durable=true, address=activemq.notifications,properties=TypedProperties[_AMQ_User=Customer,_AMQ_Address=$sys.mqtt.queue.qos2.0a971d7ad7de58aea7c0,_AMQ_NotifType=SECURITY_PERMISSION_VIOLATION,_AMQ_NotifTimestamp=1487841217116,_AMQ_CheckType=CREATE_DURABLE_QUEUE]]@1241929264 is not going anywhere as it didn't have a binding on address:activemq.notifications
> 10:13:37,116 DEBUG [org.apache.activemq.artemis.core.protocol.mqtt] Error processing Control Packet, Disconnecting Client: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ119032: User: Customer does not have permission='CREATE_DURABLE_QUEUE' on address $sys.mqtt.queue.qos2.0a971d7ad7de58aea7c0]
>         at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:201) [artemis-server-1.5.2.jar:1.5.2]
>         at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.securityCheck(ServerSessionImpl.java:401) [artemis-server-1.5.2.jar:1.5.2]
>         at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.createQueue(ServerSessionImpl.java:506) [artemis-server-1.5.2.jar:1.5.2]
>         at org.apache.activemq.artemis.core.protocol.mqtt.MQTTPublishManager.createManagementQueue(MQTTPublishManager.java:92) [artemis-mqtt-protocol-1.5.2.jar:]
>         at org.apache.activemq.artemis.core.protocol.mqtt.MQTTPublishManager.start(MQTTPublishManager.java:65) [artemis-mqtt-protocol-1.5.2.jar:]
>         at org.apache.activemq.artemis.core.protocol.mqtt.MQTTSession.start(MQTTSession.java:71) [artemis-mqtt-protocol-1.5.2.jar:]
>         at org.apache.activemq.artemis.core.protocol.mqtt.MQTTConnectionManager.connect(MQTTConnectionManager.java:83) [artemis-mqtt-protocol-1.5.2.jar:]
>         at org.apache.activemq.artemis.core.protocol.mqtt.MQTTProtocolHandler.handleConnect(MQTTProtocolHandler.java:163) [artemis-mqtt-protocol-1.5.2.jar:]
>         at org.apache.activemq.artemis.core.protocol.mqtt.MQTTProtocolHandler.channelRead(MQTTProtocolHandler.java:103) [artemis-mqtt-protocol-1.5.2.jar:]
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:372) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:358) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:350) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:293) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:267) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:372) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:358) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:350) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at io.netty.handler.codec.ByteToMessageDecoder.handlerRemoved(ByteToMessageDecoder.java:219) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at io.netty.channel.DefaultChannelPipeline.callHandlerRemoved0(DefaultChannelPipeline.java:631) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at io.netty.channel.DefaultChannelPipeline.remove(DefaultChannelPipeline.java:468) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at io.netty.channel.DefaultChannelPipeline.remove(DefaultChannelPipeline.java:428) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at org.apache.activemq.artemis.core.protocol.ProtocolHandler$ProtocolDecoder.decode(ProtocolHandler.java:186) [artemis-server-1.5.2.jar:1.5.2]
>         at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at org.apache.activemq.artemis.core.protocol.ProtocolHandler$ProtocolDecoder.channelRead(ProtocolHandler.java:129) [artemis-server-1.5.2.jar:1.5.2]
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:372) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:358) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:350) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:372) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:358) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:129) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:610) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:551) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:465) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:437) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:873) [netty-all-4.1.5.Final.jar:4.1.5.Final]
>         at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_91]
> {code}


