Posted to issues@activemq.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2021/06/15 13:09:00 UTC

[jira] [Work logged] (ARTEMIS-3339) Role Based Authorisation for JMX not working as expected

     [ https://issues.apache.org/jira/browse/ARTEMIS-3339?focusedWorklogId=611305&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-611305 ]

ASF GitHub Bot logged work on ARTEMIS-3339:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 15/Jun/21 13:08
            Start Date: 15/Jun/21 13:08
    Worklog Time Spent: 10m 
      Work Description: brusdev opened a new pull request #3626:
URL: https://github.com/apache/activemq-artemis/pull/3626


   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Issue Time Tracking
-------------------

            Worklog Id:     (was: 611305)
    Remaining Estimate: 0h
            Time Spent: 10m

> Role Based Authorisation for JMX not working as expected
> --------------------------------------------------------
>
>                 Key: ARTEMIS-3339
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3339
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: Configuration, JMX, Web Console
>    Affects Versions: 2.17.0
>            Reporter: Ivan
>            Assignee: Domenico Francesco Bruscino
>            Priority: Major
>              Labels: JMX, console, rbac, security
>         Attachments: address-settings.xml, addresses.xml, artemis-roles.properties, artemis-users.properties, artemis.profile.cmd, broker.xml, image-2021-06-09-23-22-51-886.png, image-2021-06-09-23-29-49-670.png, management.xml, security-settings.xml
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Hello,
> I tried to specify role based authorisation in management.xml for different addresses/queues (as instructed [here|https://activemq.apache.org/components/artemis/documentation/latest/management.html]):
> !image-2021-06-09-23-22-51-886.png!
> In Artemis profile config I gave hawtio role to the corresponding users:
> _-Dhawtio.role=amq,auser,buser,cuser,duser_
> The problem is that the authorisation is not working as expected, and only the FIRST "match domain" configuration is working fine.
> In my case, I tested with 4 sections as those in the screenshot above:
>  _<match domain="org.apache.activemq.artemis" key="address=*a**">..._
>  _<match domain="org.apache.activemq.artemis" key="address=*b**">..._
>  _<match domain="org.apache.activemq.artemis" key="address=*c**">..._
>  _<match domain="org.apache.activemq.artemis" key="address=*d**">..._
> When I log in using "*auser*" in the web console, I can invoke operations on addresses/queues starting with "*a**", and not on the others, as I'd expect.
> But when I log in using some of the other users, for example, *buser*, I can still invoke operations on queues starting with "*a*", but not on the queues starting with "*b**", as I'd expect (all operations are disabled, as in the screenshot below):
>  
> !image-2021-06-09-23-29-49-670.png!
>  
> It is interesting that, if I change the order of the sections in management.xml, for example as follows (so address "d*" is first):
> _<match domain="org.apache.activemq.artemis" key="address=*d**">..._
>  _<match domain="org.apache.activemq.artemis" key="address=a*">..._
>  _<match domain="org.apache.activemq.artemis" key="address=b*">..._
>  _<match domain="org.apache.activemq.artemis" key="address=c*">..._
> Then for "duser" that is authorized to work with "d*" queues it works as expected, but when I log in with auser, buser or cuser instead, again the same problem happens that all those users can invoke operations on "d*" queues, and not on the queues that they are expected to be authorized for.
> I attach all relevant configuration files for reference.
>  
> Regards,
> Ivan
>  
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)