Posted to users@activemq.apache.org by Fabrice Triboix <fa...@armedia.com> on 2020/09/09 09:31:23 UTC

Please help me with authorisation configuration

Hello,

I am using AmazonMQ, which is running ActiveMQ version 5.15.12. I am trying to run Alfresco Repository CE (version 6.3), and it needs to connect to AmazonMQ, but it fails with the following error:

2020-09-09 09:06:49,222  ERROR [component.jms.DefaultJmsMessageListenerContainer] [Camel (alfrescoCamelContext) thread #2 - JmsConsumer[acs-repo-rendition-events]] Could not refresh JMS Connection for destination 'acs-repo-rendition-events' - retrying using FixedBackOff{interval=5000, currentAttempts=652, maxAttempts=unlimited}. Cause: User alfresco1 is not authorized to create: topic://ActiveMQ.Advisory.Connection

Here is the part of the ActiveMQ configuration related to authorization:

                <authorizationPlugin>
                  <map>
                    <authorizationMap>
                      <authorizationEntries>
                        <authorizationEntry topic="ActiveMQ.Advisory.>" admin="all" read="all" write="all"/>
                        <authorizationEntry queue="alfresco.&gt;" admin="admin" read="admin,alfresco"
                            write="admin,alfresco"/>
                        <authorizationEntry topic="alfresco.Advisory.&gt;" admin="admin" read="admin,alfresco"
                            write="admin,alfresco"/>
                      </authorizationEntries>
                      <tempDestinationAuthorizationEntry>
                        <tempDestinationAuthorizationEntry admin="admin" read="admin" write="admin"/>
                      </tempDestinationAuthorizationEntry>
                    </authorizationMap>
                  </map>
                </authorizationPlugin>

Would anyone have any idea what I am doing wrong?

Many thanks for your help!

  Fabrice


Re: Please help me with authorisation configuration

Posted by Jean-Baptiste Onofre <jb...@nanthrax.net>.
Hi Fabrice,

Unfortunately, no.

I would check via JMX (not sure though).

Regards
JB

> On 24 Sep 2020, at 11:35, Fabrice Triboix <fa...@armedia.com> wrote:
> 
> Hi all,
> 
> Is it possible to see the users and groups in the ActiveMQ web console?
> 
> Thanks,
> 
>  Fabrice
> 


Re: Please help me with authorisation configuration

Posted by Fabrice Triboix <fa...@armedia.com>.
Hi all,

Is it possible to see the users and groups in the ActiveMQ web console?

Thanks,

  Fabrice

________________________________
From: Fabrice Triboix <fa...@armedia.com>
Sent: 22 September 2020 09:50
To: ActiveMQ Users <us...@activemq.apache.org>
Subject: Re: Please help me with authorisation configuration

Hello,

Apologies for the late response, I have been sucked up on other pieces of work.

So I stripped the configuration of all non-existent entities, and it now looks like this:

<authorizationPlugin>
  <map>
    <authorizationMap>
      <authorizationEntries>
        <authorizationEntry topic="ActiveMQ.Advisory.&gt;" admin="alfresco1"
            read="alfresco1" write="alfresco1"/>
        <authorizationEntry queue="alfresco.&gt;" admin="alfresco1"
            read="alfresco1" write="alfresco1"/>
        <authorizationEntry topic="alfresco.Advisory.&gt;" admin="alfresco1"
            read="alfresco1" write="alfresco1"/>
      </authorizationEntries>
      <!-- Fabrice: There is no group `admin`, so commenting this out for now
      <tempDestinationAuthorizationEntry>
        <tempDestinationAuthorizationEntry admin="admin" read="admin" write="admin"/>
      </tempDestinationAuthorizationEntry>
      -->
    </authorizationMap>
  </map>
</authorizationPlugin>

I still get the same error message from Alfresco:

2020-09-22 08:25:11,882  ERROR [component.jms.DefaultJmsMessageListenerContainer] [Camel (alfrescoCamelContext) thread #2 - JmsConsumer[acs-repo-rendition-events]] Could not refresh JMS Connection for destination 'acs-repo-rendition-events' - retrying using FixedBackOff{interval=5000, currentAttempts=7, maxAttempts=unlimited}. Cause: User alfresco1 is not authorized to create: topic://ActiveMQ.Advisory.Connection

Here is the CloudFormation declaration I use to create the AmazonMQ broker:

  Broker:
    Type: AWS::AmazonMQ::Broker
    DependsOn: [ MasterSecret, AlfrescoUserSecret ]
    Properties:
      BrokerName: !Sub AmazonMQ-${AWS::StackName}
      DeploymentMode: ACTIVE_STANDBY_MULTI_AZ
      EncryptionOptions:
        UseAwsOwnedKey: true
      EngineType: ACTIVEMQ
      EngineVersion: 5.15.10
      HostInstanceType: mq.t2.micro
      SecurityGroups: [ !GetAtt BrokerSecurityGroup.GroupId ]
      SubnetIds: [ !Ref SubnetIdA, !Ref SubnetIdB ]
      PubliclyAccessible: false
      Configuration:
        Id: !Ref BrokerConfig
        Revision: !GetAtt BrokerConfig.Revision
      Users:
        - Username: admin1
          Password: XXXXX
          Groups: [ admin ]
        - Username: alfresco1
          Password: XXXXXX
          Groups: [ alfresco ]
      MaintenanceWindowStartTime:
        DayOfWeek: !Ref MaintenanceDayOfWeek
        TimeOfDay: !Ref MaintenanceTimeOfDay
        TimeZone: UTC
      Logs:
        Audit: false
        General: true
      AutoMinorVersionUpgrade: true

Is there a way to debug things further? Maybe by having a look at the ActiveMQ logs, or using some kind of command line tool to try to manually create the topic?

Thanks a lot for your help!

________________________________
From: Tim Bain <tb...@alumni.duke.edu>
Sent: 10 September 2020 12:50
To: ActiveMQ Users <us...@activemq.apache.org>
Subject: Re: Please help me with authorisation configuration

Also, I don't believe that the admin group is created by default either,
and I don't know what the broker's behavior is when it encounters a
non-existent group in the config file. Maybe it denies access to even the
groups that do exist? I don't know, but it's definitely worth trying with
only valid/existing groups, so only alfresco in this case, just to try to
get things working.

Tim

On Thu, Sep 10, 2020, 5:44 AM Tim Bain <tb...@alumni.duke.edu> wrote:

> For the all group, I'm not aware of any default group that's created, and
> all of the examples I've seen had any similar group created explicitly. But
> I never used the authentication features personally, so I'm relying heavily
> on the examples available online, and it's possible that the actual
> behavior differs from what I've understood. However, the fact that what
> you've observed matches what I thought I'd understood seems fairly
> compelling, so I'd suggest you define an 'all' group and explicitly add
> each user to it, and see if that resolves the issue.
>
> For the user/group thing, you're right, I got my wires crossed on the
> distinction between the two, and you're absolutely right that groups are
> specified in the config file and as long as the user is a member of the
> group, it should work as expected. Sorry for the confusion.
>
> Tim
>
> On Wed, Sep 9, 2020, 5:48 AM Fabrice Triboix <fa...@armedia.com>
> wrote:
>
>> Hi Tim,
>>
>> No, I didn't define an `all` group, I just did a copy/paste from the
>> ActiveMQ website. I guess from your answer that there is no `all` group by
>> default.
>>
>> `alfresco1` is a user and a member of the `alfresco` group. Should I
>> specify only users `authorizationEntry`?
>>
>> Thanks!
>>
>> ________________________________
>> From: Tim Bain <tb...@alumni.duke.edu>
>> Sent: 09 September 2020 12:41
>> To: ActiveMQ Users <us...@activemq.apache.org>
>> Subject: Re: Please help me with authorisation configuration
>>
>>
>> Also, is 'all' a group you defined, and is alfresco1 in that group?
>>
>> Tim
>>
>> On Wed, Sep 9, 2020, 5:35 AM Tim Bain <tb...@alumni.duke.edu> wrote:
>>
>> > Note that the username in the error message is alfresco1, not alfresco, so
>> > make sure you authorize the right user when you test explicitly authorizing
>> > the user.
>> >
>> > Tim
>> >
>> > On Wed, Sep 9, 2020, 5:31 AM Jean-Baptiste Onofre <jb...@nanthrax.net> wrote:
>> >
>> >> OK,
>> >>
>> >> That’s weird as the advisory should be created by the broker itself.
>> >>
>> >> Can you try to put admin and alfresco roles for admin action ?
>> >>
>> >> By the way, are you using Advisory ? If not, you can disable advisory
>> >> support.
>> >>
>> >> Regards
>> >> JB
>> >>
>> >> > On 9 Sep 2020, at 12:12, Fabrice Triboix <fabrice.triboix@armedia.com> wrote:
>> >> >
>> >> > I replaced ">" with "&gt;" and that didn't make any difference...
>> >> >
>> >> > ________________________________
>> >> > From: Fabrice Triboix <fa...@armedia.com>
>> >> > Sent: 09 September 2020 10:47
>> >> > To: users@activemq.apache.org <us...@activemq.apache.org>
>> >> > Subject: Re: Please help me with authorisation configuration
>> >> >
>> >> >
>> >> > Hi Jean-Baptiste,
>> >> >
>> >> > I can try with "&gt;", let's see what happens.
>> >> >
>> >> > Thanks,
>> >> >
>> >> >  Fabrice
>> >> >
>> >> > ________________________________
>> >> > From: Jean-Baptiste Onofre <jb...@nanthrax.net>
>> >> > Sent: 09 September 2020 10:43
>> >> > To: users@activemq.apache.org <us...@activemq.apache.org>
>> >> > Subject: Re: Please help me with authorisation configuration
>> >> >
>> >> >
>> >> > Hi Fabrice,
>> >> >
>> >> > Are you sure about Activemq.Advisory setup ? Did you try ActiveMQ.Advisory.&gt; ?
>> >> >
>> >> > Regards
>> >> > JB
>> >> >
>
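
The configuration posted in the message above can be checked offline against the groups in its CloudFormation `Users` block. The sketch below is an added example, not part of the thread and not ActiveMQ or AmazonMQ code. All function and variable names are hypothetical, and it assumes that ACL names are compared with group names only, that the ACLs of all matching entries are unioned, and that a simplified form of wildcard matching is sufficient.

```python
import xml.etree.ElementTree as ET

# Constructed from the thread: the Users block of the CloudFormation template
# (user -> groups) and the authorizationEntries posted on 22 September.
BROKER_USERS = {"admin1": {"admin"}, "alfresco1": {"alfresco"}}

POSTED_CONFIG = """
<authorizationPlugin><map><authorizationMap><authorizationEntries>
  <authorizationEntry topic="ActiveMQ.Advisory.&gt;" admin="alfresco1"
      read="alfresco1" write="alfresco1"/>
  <authorizationEntry queue="alfresco.&gt;" admin="alfresco1"
      read="alfresco1" write="alfresco1"/>
  <authorizationEntry topic="alfresco.Advisory.&gt;" admin="alfresco1"
      read="alfresco1" write="alfresco1"/>
</authorizationEntries></authorizationMap></map></authorizationPlugin>
"""

# Same entries with the group name in place of the user name (assumed fix).
GROUP_CONFIG = POSTED_CONFIG.replace("alfresco1", "alfresco")

ACTIONS = ("admin", "read", "write")


def load_entries(xml_text):
    """Return one dict per <authorizationEntry>: kind, pattern, ACL sets."""
    entries = []
    for node in ET.fromstring(xml_text).iter("authorizationEntry"):
        kind = next((k for k in ("topic", "queue") if k in node.attrib), None)
        if kind is None:
            continue  # entry types this sketch does not model
        entry = {"kind": kind, "pattern": node.attrib[kind]}
        for action in ACTIONS:
            names = node.attrib.get(action, "")
            entry[action] = {n.strip() for n in names.split(",") if n.strip()}
        entries.append(entry)
    return entries


def pattern_matches(pattern, name):
    """Simplified wildcard match: '*' is one element, '>' is the rest."""
    want, have = pattern.split("."), name.split(".")
    for i, part in enumerate(want):
        if part == ">":
            return True
        if i >= len(have) or (part != "*" and part != have[i]):
            return False
    return len(want) == len(have)


def undefined_principals(entries, users):
    """Names used in ACLs that are not a group of any broker user."""
    groups = set().union(*users.values())
    named = set()
    for entry in entries:
        for action in ACTIONS:
            named |= entry[action]
    return named - groups


def is_authorized(user, action, kind, name, entries, users):
    """True if a matching entry lists one of the user's groups for the action."""
    allowed = set()
    for entry in entries:
        if entry["kind"] == kind and pattern_matches(entry["pattern"], name):
            allowed |= entry[action]
    return bool(allowed & users.get(user, set()))


def audit(xml_text, users, user, kind, name):
    """Report unknown ACL names and whether `user` may create the destination."""
    entries = load_entries(xml_text)
    return {
        "undefined": sorted(undefined_principals(entries, users)),
        # "create" in the broker's error corresponds to the admin ACL.
        "can_create": is_authorized(user, "admin", kind, name, entries, users),
    }


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("groups", GROUP_CONFIG)):
        print(label, audit(cfg, BROKER_USERS, "alfresco1", "topic",
                           "ActiveMQ.Advisory.Connection"))
```

Running it before uploading a configuration revision flags any ACL name that no broker user holds as a group, such as `all` in the first post or `alfresco1` here.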

Re: Please help me with authorisation configuration

Posted by Tim Bain <tb...@alumni.duke.edu>.
I'm glad you got it working, and thanks for letting us know.

Tim

On Tue, Sep 29, 2020, 9:23 AM Fabrice Triboix <fa...@armedia.com>
wrote:

> Hi Tim,
>
> So you were right. I used only groups when configuring the
> authorizationEntries and that worked.
>
> Thanks a lot everyone for your support!
>
> Best regards,
>
>   Fabrice
>
> ________________________________
> From: Tim Bain <tb...@alumni.duke.edu>
> Sent: 26 September 2020 15:26
> To: ActiveMQ Users <us...@activemq.apache.org>
> Subject: Re: Please help me with authorisation configuration
>
>
> Lucas,
>
> Thanks for the confirmation that Amazon passes the full set of
> authorizationEntries through unmodified. I wasn't sure if maybe you treated
> the advisories differently since they're more internal/administrative, but
> I'm happy to hear that you're not.
>
> And thanks for monitoring this thread even though there's typically no need
> for your team to respond, and for the quick response.
>
> Tim
>
> On Fri, Sep 25, 2020, 12:31 PM Tetreault, Lucas
> <te...@amazon.com.invalid>
> wrote:
>
> > Hey folks,
> >
> > I am a manager on the AmazonMQ team and I asked one of the engineers to
> > have a look at this thread. Their analysis lines up with what Tim said and
> > it doesn’t sound like anything we are doing would be causing this error.
> > Here is what the engineer had to say:
> >
> >
> >         This particular error is caused by not giving permissions for
> >         users to create advisory topics. Advisories are created in response
> >         to a variety of events, see the ActiveMQ documentation here:
> >         https://activemq.apache.org/advisory-message.html.
> >
> >         In this particular case, what the customer needs to do is create a
> >         group that contains all users that will be connecting to the broker,
> >         and allow that group permission to create advisory topics. For
> >         example, if they name this group "users", they would add the
> >         following "AuthorizationEntry":
> >
> >         <authorizationEntry topic="ActiveMQ.Advisory.>" read="users" write="users" admin="users"/>
> >
> >         Here's a full example from the ActiveMQ docs
> >         (http://activemq.apache.org/security) under "Controlling Access To
> >         Temporary Destinations". In the customer's config, it seems they are
> >         entering the user directly into the AuthorizationEntry, while in the
> >         documentation they add the group the user belongs to.
> >
> >
> > I hope this helps!
> >
> >
> > On 2020-09-25, 4:43 AM, "Tim Bain" <tb...@alumni.duke.edu> wrote:
> >
> >
> >     I believe that the authorizationEntry should reference groups rather than
> >     individual users (so alfresco rather than alfresco1). Can you try it with
> >     that configuration?
> >
> >     If that doesn't work, can you try explicitly
> >     authorizing ActiveMQ.Advisory.Connection so we're not dependent on the
> >     wildcard? It shouldn't be necessary, but at this point we want to eliminate
> >     all possible variables.
> >
> >     There's another possibility, which is that maybe Amazon strips out certain
> >     patterns of authorizationEntry from your config file when creating the
> >     broker for you. Are there any members of Amazon's AmazonMQ team monitoring
> >     this forum who could tell us if anything like that is in play?
> >
> >     Tim
> >
> >     On Tue, Sep 22, 2020, 2:50 AM Fabrice Triboix <
> > fabrice.triboix@armedia.com>
> >     wrote:
> >
> >     > Hello,
> >     >
> >     > Apologies for the late response, I have been sucked up on other
> > pieces of
> >     > work.
> >     >
> >     > So I stripped the configuration of all non-existent entities, and
> it
> > now
> >     > looks like this:
> >     >
> >     > <authorizationPlugin>
> >     >   <map>
> >     >     <authorizationMap>
> >     >       <authorizationEntries>
> >     >         <authorizationEntry topic="ActiveMQ.Advisory.&gt;"
> >     > admin="alfresco1"
> >     >             read="alfresco1" write="alfresco1"/>
> >     >         <authorizationEntry queue="alfresco.&gt;" admin="alfresco1"
> >     >             read="alfresco1" write="alfresco1"/>
> >     >         <authorizationEntry topic="alfresco.Advisory.&gt;"
> >     > admin="alfresco1"
> >     >             read="alfresco1" write="alfresco1"/>
> >     >       </authorizationEntries>
> >     >       <!-- Fabrice: There is no group `admin`, so commenting this
> > out for
> >     > now
> >     >       <tempDestinationAuthorizationEntry>
> >     >         <tempDestinationAuthorizationEntry admin="admin"
> read="admin"
> >     > write="admin"/>
> >     >       </tempDestinationAuthorizationEntry>
> >     >       -->
> >     >     </authorizationMap>
> >     >   </map>
> >     > </authorizationPlugin>
> >     >
> >     > I still get the same error message from Alfresco:
> >     >
> >     > 2020-09-22 08:25:11,882  ERROR
> >     > [component.jms.DefaultJmsMessageListenerContainer] [Camel
> >     > (alfrescoCamelContext) thread #2 -
> > JmsConsumer[acs-repo-rendition-events]]
> >     > Could not refresh JMS Connection for destination
> >     > 'acs-repo-rendition-events' - retrying using
> > FixedBackOff{interval=5000,
> >     > currentAttempts=7, maxAttempts=unlimited}. Cause: User alfresco1 is
> > not
> >     > authorized to create: topic://ActiveMQ.Advisory.Connection
> >     >
> >     > Here is the CloudFormation declaration I use to create the AmazonMQ
> > broker:
> >     >
> >     >   Broker:
> >     >     Type: AWS::AmazonMQ::Broker
> >     >     DependsOn: [ MasterSecret, AlfrescoUserSecret ]
> >     >     Properties:
> >     >       BrokerName: !Sub AmazonMQ-${AWS::StackName}
> >     >       DeploymentMode: ACTIVE_STANDBY_MULTI_AZ
> >     >       EncryptionOptions:
> >     >         UseAwsOwnedKey: true
> >     >       EngineType: ACTIVEMQ
> >     >       EngineVersion: 5.15.10
> >     >       HostInstanceType: mq.t2.micro
> >     >       SecurityGroups: [ !GetAtt BrokerSecurityGroup.GroupId ]
> >     >       SubnetIds: [ !Ref SubnetIdA, !Ref SubnetIdB ]
> >     >       PubliclyAccessible: false
> >     >       Configuration:
> >     >         Id: !Ref BrokerConfig
> >     >         Revision: !GetAtt BrokerConfig.Revision
> >     >       Users:
> >     >         - Username: admin1
> >     >           Password: XXXXX
> >     >           Groups: [ admin ]
> >     >         - Username: alfresco1
> >     >           Password: XXXXXX
> >     >           Groups: [ alfresco ]
> >     >       MaintenanceWindowStartTime:
> >     >         DayOfWeek: !Ref MaintenanceDayOfWeek
> >     >         TimeOfDay: !Ref MaintenanceTimeOfDay
> >     >         TimeZone: UTC
> >     >       Logs:
> >     >         Audit: false
> >     >         General: true
> >     >       AutoMinorVersionUpgrade: true
> >     >
> >     > Is there a way to debug things further? Maybe by having a look at
> the
> >     > ActiveMQ logs, or using some kind of command line tool to try
> > manually
> >     > create the topic?
> >     >
> >     > Thanks a lot for your help!
> >     >
> >     > ________________________________
> >     > From: Tim Bain <tb...@alumni.duke.edu>
> >     > Sent: 10 September 2020 12:50
> >     > To: ActiveMQ Users <us...@activemq.apache.org>
> >     > Subject: Re: Please help me with authorisation configuration
> >     >
> >     > CAUTION: This email originated from outside of the organization. Do
> > not
> >     > click links or open attachments unless you recognize the sender and
> > know
> >     > the content is safe.
> >     >
> >     >
> >     > Also, I don't believe that the admin group is created by default
> > either,
> >     > and I don't know what the broker's behavior is when it encounters a
> >     > non-existent group in the config file. Maybe it denies access to
> > even the
> >     > groups that do exist? I don't know, but it's definitely worth
> trying
> > with
> >     > only valid/existing groups, so only alfresco in this case, just to
> > try to
> >     > get things working.
> >     >
> >     > Tim
> >     >
> >     > On Thu, Sep 10, 2020, 5:44 AM Tim Bain <tb...@alumni.duke.edu>
> > wrote:
> >     >
> >     > > For the all group, I'm not aware of any default group that's
> > created, and
> >     > > all of the examples I've seen had any similar group created
> > explicitly.
> >     > But
> >     > > I never used the authentication features personally, so I'm
> relying
> >     > heavily
> >     > > on the examples available online, and it's possible that the
> actual
> >     > > behavior differs from what I've understood. However, the fact
> that
> > what
> >     > > you've observed matches what I thought I'd understood seems
> fairly
> >     > > compelling, so I'd suggest you define an 'all' group and
> > explicitly add
> >     > > each user to it, and see if that resolves the issue.
> >     > >
> >     > > For the user/group thing, you're right, I got my wires crossed on
> > the
> >     > > distinction between the two, and you're absolutely right that
> > groups are
> >     > > specified in the config file and as long as the user is a member
> > of the
> >     > > group, it should work as expected. Sorry for the confusion.
> >     > >
> >     > > Tim
> >     > >
> >     > > On Wed, Sep 9, 2020, 5:48 AM Fabrice Triboix <
> >     > fabrice.triboix@armedia.com>
> >     > > wrote:
> >     > >
> >     > >> Hi Tim,
> >     > >>
> >     > >> No, I didn't define an `all` group, I just did a copy/paste from
> > the
> >     > >> ActiveMQ website. I guess from your answer that there is no
> `all`
> > group
> >     > by
> >     > >> default.
> >     > >>
> >     > >> `alfresco1` is a user and a member of the `alfresco` group.
> > Should I
> >     > >> specify only users `authorizationEntry`?
> >     > >>
> >     > >> Thanks!
> >     > >>
> >     > >> ________________________________
> >     > >> From: Tim Bain <tb...@alumni.duke.edu>
> >     > >> Sent: 09 September 2020 12:41
> >     > >> To: ActiveMQ Users <us...@activemq.apache.org>
> >     > >> Subject: Re: Please help me with authorisation configuration
> >     > >>
> >     > >> Also, is 'all' a group you defined, and is alfresco1 in that
> > group?
> >     > >>
> >     > >> Tim
> >     > >>
> >     > >> On Wed, Sep 9, 2020, 5:35 AM Tim Bain <tb...@alumni.duke.edu>
> > wrote:
> >     > >>
> >     > >> > Note that the username in the error message is alfresco1, not
> >     > alfresco,
> >     > >> so
> >     > >> > make sure you authorize the right user when you test
> explicitly
> >     > >> authorizing
> >     > >> > the user.
> >     > >> >
> >     > >> > Tim
> >     > >> >
> >     > >> > On Wed, Sep 9, 2020, 5:31 AM Jean-Baptiste Onofre <
> > jb@nanthrax.net>
> >     > >> wrote:
> >     > >> >
> >     > >> >> OK,
> >     > >> >>
> >     > >> >> That’s weird as the advisory should be created by the broker
> > itself.
> >     > >> >>
> >     > >> >> Can you try to put admin and alfresco roles for admin action
> ?
> >     > >> >>
> >     > >> >> By the way, are you using Advisory ? If not, you can disable
> > advisory
> >     > >> >> support.
> >     > >> >>
> >     > >> >> Regards
> >     > >> >> JB
> >     > >> >>
> >     > >> >> > On 9 Sept. 2020 at 12:12, Fabrice Triboix <
> >     > >> fabrice.triboix@armedia.com>
> >     > >> >> wrote:
> >     > >> >> >
> >     > >> >> > I replaced ">" with "&gt;" and that didn't make any
> > difference...
> >     > >> >> >
> >     > >> >> > ________________________________
> >     > >> >> > From: Fabrice Triboix <fa...@armedia.com>
> >     > >> >> > Sent: 09 September 2020 10:47
> >     > >> >> > To: users@activemq.apache.org <us...@activemq.apache.org>
> >     > >> >> > Subject: Re: Please help me with authorisation
> configuration
> >     > >> >> >
> >     > >> >> > Hi Jean-Baptiste,
> >     > >> >> >
> >     > >> >> > I can try with "&gt;", let's see what happens.
> >     > >> >> >
> >     > >> >> > Thanks,
> >     > >> >> >
> >     > >> >> >  Fabrice
> >     > >> >> >
> >     > >> >> > ________________________________
> >     > >> >> > From: Jean-Baptiste Onofre <jb...@nanthrax.net>
> >     > >> >> > Sent: 09 September 2020 10:43
> >     > >> >> > To: users@activemq.apache.org <us...@activemq.apache.org>
> >     > >> >> > Subject: Re: Please help me with authorisation
> configuration
> >     > >> >> >
> >     > >> >> > Hi Fabrice,
> >     > >> >> >
> >     > >> >> > Are you sure about Activemq.Advisory setup ? Did you try
> >     > >> >> ActiveMQ.Advisory.&gt; ?
> >     > >> >> >
> >     > >> >> > Regards
> >     > >> >> > JB
> >     > >> >> >
> >     > >> >> >> On 9 Sept. 2020 at 11:31, Fabrice Triboix <
> >     > >> fabrice.triboix@armedia.com>
> >     > >> >> wrote:
> >     > >> >> >>
> >     > >> >> >> Hello,
> >     > >> >> >>
> >     > >> >> >> I am using AmazonMQ, which is running ActiveMQ version
> > 5.15.12. I
> >     > am
> >     > >> >> trying to run Alfresco Repository CE (version 6.3), and it
> > needs to
> >     > >> connect
> >     > >> >> to AmazonMQ, but it fails with the following error:
> >     > >> >> >>
> >     > >> >> >> 2020-09-09 09:06:49,222  ERROR
> >     > >> >> [component.jms.DefaultJmsMessageListenerContainer] [Camel
> >     > >> >> (alfrescoCamelContext) thread #2 -
> >     > >> JmsConsumer[acs-repo-rendition-events]]
> >     > >> >> Could not refresh JMS Connection for destination
> >     > >> >> 'acs-repo-rendition-events' - retrying using
> >     > >> FixedBackOff{interval=5000,
> >     > >> >> currentAttempts=652, maxAttempts=unlimited}. Cause: User
> > alfresco1 is
> >     > >> not
> >     > >> >> authorized to create: topic://ActiveMQ.Advisory.Connection
> >     > >> >> >>
> >     > >> >> >> Here is the part of the ActiveMQ configuration related to
> >     > >> >> authorization:
> >     > >> >> >>
> >     > >> >> >>               <authorizationPlugin>
> >     > >> >> >>                 <map>
> >     > >> >> >>                   <authorizationMap>
> >     > >> >> >>                     <authorizationEntries>
> >     > >> >> >>                       <authorizationEntry
> >     > >> topic="ActiveMQ.Advisory.>"
> >     > >> >> admin="all" read="all" write="all"/>
> >     > >> >> >>                       <authorizationEntry
> > queue="alfresco.&gt;"
> >     > >> >> admin="admin" read="admin,alfresco"
> >     > >> >> >>                           write="admin,alfresco"/>
> >     > >> >> >>                       <authorizationEntry
> >     > >> >> topic="alfresco.Advisory.&gt;" admin="admin"
> > read="admin,alfresco"
> >     > >> >> >>                           write="admin,alfresco"/>
> >     > >> >> >>                     </authorizationEntries>
> >     > >> >> >>                     <tempDestinationAuthorizationEntry>
> >     > >> >> >>                       <tempDestinationAuthorizationEntry
> >     > >> admin="admin"
> >     > >> >> read="admin" write="admin"/>
> >     > >> >> >>                     </tempDestinationAuthorizationEntry>
> >     > >> >> >>                   </authorizationMap>
> >     > >> >> >>                 </map>
> >     > >> >> >>               </authorizationPlugin>
> >     > >> >> >>
> >     > >> >> >> Anyone would have any idea on what I am doing wrong?
> >     > >> >> >>
> >     > >> >> >> Many thanks for your help!
> >     > >> >> >>
> >     > >> >> >> Fabrice
> >     > >> >> >>
> >     > >> >> >
> >     > >> >>
> >     > >> >>
> >     > >>
> >     > >
> >     >
> >
> >
>

Re: Please help me with authorisation configuration

Posted by Fabrice Triboix <fa...@armedia.com>.
Hi Tim,

So you were right. I used only groups when configuring the authorizationEntries and that worked.

Thanks a lot everyone for your support!

Best regards,

  Fabrice

________________________________
From: Tim Bain <tb...@alumni.duke.edu>
Sent: 26 September 2020 15:26
To: ActiveMQ Users <us...@activemq.apache.org>
Subject: Re: Please help me with authorisation configuration

Lucas,

Thanks for the confirmation that Amazon passes the full set of
authorizationEntries through unmodified. I wasn't sure if maybe you treated
the advisories differently since they're more internal/administrative, but
I'm happy to hear that you're not.

And thanks for monitoring this thread even though there's typically no need
for your team to respond, and for the quick response.

Tim

On Fri, Sep 25, 2020, 12:31 PM Tetreault, Lucas <te...@amazon.com.invalid>
wrote:

> Hey folks,
>
> I am a manager on the AmazonMQ team and I asked one of the engineers to
> have a look at this thread. Their analysis lines up with what Tim said and
> it doesn’t sound like anything we are doing would be causing this error.
> Here is what the engineer had to say:
>
>
>         This particular error is caused by not giving permissions for
> users to create advisory topics. Advisories are created in response to a
> variety of events, see the ActiveMQ documentation here:
> https://activemq.apache.org/advisory-message.html.
>
>         In this particular case, what the customer needs to do is create a
> group that contains all users that will be connecting to the broker, and
> allow that group permission to create advisory topics. For example, if
> they name this group "users", they would add the following
> "AuthorizationEntry":
>
>         <authorizationEntry topic="ActiveMQ.Advisory.>" read="users" write="users" admin="users"/>
>
>         Here's a full example from the ActiveMQ docs
> (http://activemq.apache.org/security) under "Controlling Access To
> Temporary Destinations". In the customer's config, it seems they are
> entering the user directly into the AuthorizationEntry, while in the
> documentation they add the group the user belongs to.
>
>
> I hope this helps!
>
>
> On 2020-09-25, 4:43 AM, "Tim Bain" <tb...@alumni.duke.edu> wrote:
>
>     I believe that the authorizationEntry should reference groups rather
> than
>     individual users (so alfresco rather than alfresco1). Can you try it
> with
>     that configuration?
>
>     If that doesn't work, can you try explicitly
>     authorizing ActiveMQ.Advisory.Connection so we're not dependent on the
>     wildcard? It shouldn't be necessary, but at this point we want to
> eliminate
>     all possible variables.
>
>     There's another possibility, which is that maybe Amazon strips out
> certain
>     patterns of authorizationEntry from your config file when creating the
>     broker for you. Are there any members of Amazon's AmazonMQ team
> monitoring
>     this forum who could tell us if anything like that is in play?
>
>     Tim
>
>     On Tue, Sep 22, 2020, 2:50 AM Fabrice Triboix <
> fabrice.triboix@armedia.com>
>     wrote:
>
>     > Hello,
>     >
>     > Apologies for the late response, I have been sucked up on other
> pieces of
>     > work.
>     >
>     > So I stripped the configuration of all non-existent entities, and it
> now
>     > looks like this:
>     >
>     > <authorizationPlugin>
>     >   <map>
>     >     <authorizationMap>
>     >       <authorizationEntries>
>     >         <authorizationEntry topic="ActiveMQ.Advisory.&gt;"
>     > admin="alfresco1"
>     >             read="alfresco1" write="alfresco1"/>
>     >         <authorizationEntry queue="alfresco.&gt;" admin="alfresco1"
>     >             read="alfresco1" write="alfresco1"/>
>     >         <authorizationEntry topic="alfresco.Advisory.&gt;"
>     > admin="alfresco1"
>     >             read="alfresco1" write="alfresco1"/>
>     >       </authorizationEntries>
>     >       <!-- Fabrice: There is no group `admin`, so commenting this
> out for
>     > now
>     >       <tempDestinationAuthorizationEntry>
>     >         <tempDestinationAuthorizationEntry admin="admin" read="admin"
>     > write="admin"/>
>     >       </tempDestinationAuthorizationEntry>
>     >       -->
>     >     </authorizationMap>
>     >   </map>
>     > </authorizationPlugin>
>     >
>     > I still get the same error message from Alfresco:
>     >
>     > 2020-09-22 08:25:11,882  ERROR
>     > [component.jms.DefaultJmsMessageListenerContainer] [Camel
>     > (alfrescoCamelContext) thread #2 -
> JmsConsumer[acs-repo-rendition-events]]
>     > Could not refresh JMS Connection for destination
>     > 'acs-repo-rendition-events' - retrying using
> FixedBackOff{interval=5000,
>     > currentAttempts=7, maxAttempts=unlimited}. Cause: User alfresco1 is
> not
>     > authorized to create: topic://ActiveMQ.Advisory.Connection
>     >
>     > Here is the CloudFormation declaration I use to create the AmazonMQ
> broker:
>     >
>     >   Broker:
>     >     Type: AWS::AmazonMQ::Broker
>     >     DependsOn: [ MasterSecret, AlfrescoUserSecret ]
>     >     Properties:
>     >       BrokerName: !Sub AmazonMQ-${AWS::StackName}
>     >       DeploymentMode: ACTIVE_STANDBY_MULTI_AZ
>     >       EncryptionOptions:
>     >         UseAwsOwnedKey: true
>     >       EngineType: ACTIVEMQ
>     >       EngineVersion: 5.15.10
>     >       HostInstanceType: mq.t2.micro
>     >       SecurityGroups: [ !GetAtt BrokerSecurityGroup.GroupId ]
>     >       SubnetIds: [ !Ref SubnetIdA, !Ref SubnetIdB ]
>     >       PubliclyAccessible: false
>     >       Configuration:
>     >         Id: !Ref BrokerConfig
>     >         Revision: !GetAtt BrokerConfig.Revision
>     >       Users:
>     >         - Username: admin1
>     >           Password: XXXXX
>     >           Groups: [ admin ]
>     >         - Username: alfresco1
>     >           Password: XXXXXX
>     >           Groups: [ alfresco ]
>     >       MaintenanceWindowStartTime:
>     >         DayOfWeek: !Ref MaintenanceDayOfWeek
>     >         TimeOfDay: !Ref MaintenanceTimeOfDay
>     >         TimeZone: UTC
>     >       Logs:
>     >         Audit: false
>     >         General: true
>     >       AutoMinorVersionUpgrade: true
>     >
>     > Is there a way to debug things further? Maybe by having a look at the
>     > ActiveMQ logs, or using some kind of command line tool to try
> manually
>     > create the topic?
>     >
>     > Thanks a lot for your help!
>     >
>     > ________________________________
>     > From: Tim Bain <tb...@alumni.duke.edu>
>     > Sent: 10 September 2020 12:50
>     > To: ActiveMQ Users <us...@activemq.apache.org>
>     > Subject: Re: Please help me with authorisation configuration
>     >
>     > Also, I don't believe that the admin group is created by default
> either,
>     > and I don't know what the broker's behavior is when it encounters a
>     > non-existent group in the config file. Maybe it denies access to
> even the
>     > groups that do exist? I don't know, but it's definitely worth trying
> with
>     > only valid/existing groups, so only alfresco in this case, just to
> try to
>     > get things working.
>     >
>     > Tim
>     >
>     > On Thu, Sep 10, 2020, 5:44 AM Tim Bain <tb...@alumni.duke.edu>
> wrote:
>     >
>     > > For the all group, I'm not aware of any default group that's
> created, and
>     > > all of the examples I've seen had any similar group created
> explicitly.
>     > But
>     > > I never used the authentication features personally, so I'm relying
>     > heavily
>     > > on the examples available online, and it's possible that the actual
>     > > behavior differs from what I've understood. However, the fact that
> what
>     > > you've observed matches what I thought I'd understood seems fairly
>     > > compelling, so I'd suggest you define an 'all' group and
> explicitly add
>     > > each user to it, and see if that resolves the issue.
>     > >
>     > > For the user/group thing, you're right, I got my wires crossed on
> the
>     > > distinction between the two, and you're absolutely right that
> groups are
>     > > specified in the config file and as long as the user is a member
> of the
>     > > group, it should work as expected. Sorry for the confusion.
>     > >
>     > > Tim
>     > >
>     > > On Wed, Sep 9, 2020, 5:48 AM Fabrice Triboix <
>     > fabrice.triboix@armedia.com>
>     > > wrote:
>     > >
>     > >> Hi Tim,
>     > >>
>     > >> No, I didn't define an `all` group, I just did a copy/paste from
> the
>     > >> ActiveMQ website. I guess from your answer that there is no `all`
> group
>     > by
>     > >> default.
>     > >>
>     > >> `alfresco1` is a user and a member of the `alfresco` group.
> Should I
>     > >> specify only users `authorizationEntry`?
>     > >>
>     > >> Thanks!
>     > >>
>     > >> ________________________________
>     > >> From: Tim Bain <tb...@alumni.duke.edu>
>     > >> Sent: 09 September 2020 12:41
>     > >> To: ActiveMQ Users <us...@activemq.apache.org>
>     > >> Subject: Re: Please help me with authorisation configuration
>     > >>
>     > >> Also, is 'all' a group you defined, and is alfresco1 in that
> group?
>     > >>
>     > >> Tim
>     > >>
>     > >> On Wed, Sep 9, 2020, 5:35 AM Tim Bain <tb...@alumni.duke.edu>
> wrote:
>     > >>
>     > >> > Note that the username in the error message is alfresco1, not
>     > alfresco,
>     > >> so
>     > >> > make sure you authorize the right user when you test explicitly
>     > >> authorizing
>     > >> > the user.
>     > >> >
>     > >> > Tim
>     > >> >
>     > >> > On Wed, Sep 9, 2020, 5:31 AM Jean-Baptiste Onofre <
> jb@nanthrax.net>
>     > >> wrote:
>     > >> >
>     > >> >> OK,
>     > >> >>
>     > >> >> That’s weird as the advisory should be created by the broker
> itself.
>     > >> >>
>     > >> >> Can you try to put admin and alfresco roles for admin action ?
>     > >> >>
>     > >> >> By the way, are you using Advisory ? If not, you can disable
> advisory
>     > >> >> support.
>     > >> >>
>     > >> >> Regards
>     > >> >> JB
>     > >> >>
>     > >> >> > On 9 Sept. 2020 at 12:12, Fabrice Triboix <
>     > >> fabrice.triboix@armedia.com>
>     > >> >> wrote:
>     > >> >> >
>     > >> >> > I replaced ">" with "&gt;" and that didn't make any
> difference...
>     > >> >> >
>     > >> >> > ________________________________
>     > >> >> > From: Fabrice Triboix <fa...@armedia.com>
>     > >> >> > Sent: 09 September 2020 10:47
>     > >> >> > To: users@activemq.apache.org <us...@activemq.apache.org>
>     > >> >> > Subject: Re: Please help me with authorisation configuration
>     > >> >> >
>     > >> >> > Hi Jean-Baptiste,
>     > >> >> >
>     > >> >> > I can try with "&gt;", let's see what happens.
>     > >> >> >
>     > >> >> > Thanks,
>     > >> >> >
>     > >> >> >  Fabrice
>     > >> >> >
>     > >> >> > ________________________________
>     > >> >> > From: Jean-Baptiste Onofre <jb...@nanthrax.net>
>     > >> >> > Sent: 09 September 2020 10:43
>     > >> >> > To: users@activemq.apache.org <us...@activemq.apache.org>
>     > >> >> > Subject: Re: Please help me with authorisation configuration
>     > >> >> >
>     > >> >> > Hi Fabrice,
>     > >> >> >
>     > >> >> > Are you sure about Activemq.Advisory setup ? Did you try
>     > >> >> ActiveMQ.Advisory.&gt; ?
>     > >> >> >
>     > >> >> > Regards
>     > >> >> > JB
>     > >> >> >
>     > >> >> >> On 9 Sept. 2020 at 11:31, Fabrice Triboix <
>     > >> fabrice.triboix@armedia.com>
>     > >> >> wrote:
>     > >> >> >>
>     > >> >> >> Hello,
>     > >> >> >>
>     > >> >> >> I am using AmazonMQ, which is running ActiveMQ version
> 5.15.12. I
>     > am
>     > >> >> trying to run Alfresco Repository CE (version 6.3), and it
> needs to
>     > >> connect
>     > >> >> to AmazonMQ, but it fails with the following error:
>     > >> >> >>
>     > >> >> >> 2020-09-09 09:06:49,222  ERROR
>     > >> >> [component.jms.DefaultJmsMessageListenerContainer] [Camel
>     > >> >> (alfrescoCamelContext) thread #2 -
>     > >> JmsConsumer[acs-repo-rendition-events]]
>     > >> >> Could not refresh JMS Connection for destination
>     > >> >> 'acs-repo-rendition-events' - retrying using
>     > >> FixedBackOff{interval=5000,
>     > >> >> currentAttempts=652, maxAttempts=unlimited}. Cause: User
> alfresco1 is
>     > >> not
>     > >> >> authorized to create: topic://ActiveMQ.Advisory.Connection
>     > >> >> >>
>     > >> >> >> Here is the part of the ActiveMQ configuration related to
>     > >> >> authorization:
>     > >> >> >>
>     > >> >> >>               <authorizationPlugin>
>     > >> >> >>                 <map>
>     > >> >> >>                   <authorizationMap>
>     > >> >> >>                     <authorizationEntries>
>     > >> >> >>                       <authorizationEntry
>     > >> topic="ActiveMQ.Advisory.>"
>     > >> >> admin="all" read="all" write="all"/>
>     > >> >> >>                       <authorizationEntry
> queue="alfresco.&gt;"
>     > >> >> admin="admin" read="admin,alfresco"
>     > >> >> >>                           write="admin,alfresco"/>
>     > >> >> >>                       <authorizationEntry
>     > >> >> topic="alfresco.Advisory.&gt;" admin="admin"
> read="admin,alfresco"
>     > >> >> >>                           write="admin,alfresco"/>
>     > >> >> >>                     </authorizationEntries>
>     > >> >> >>                     <tempDestinationAuthorizationEntry>
>     > >> >> >>                       <tempDestinationAuthorizationEntry
>     > >> admin="admin"
>     > >> >> read="admin" write="admin"/>
>     > >> >> >>                     </tempDestinationAuthorizationEntry>
>     > >> >> >>                   </authorizationMap>
>     > >> >> >>                 </map>
>     > >> >> >>               </authorizationPlugin>
>     > >> >> >>
>     > >> >> >> Anyone would have any idea on what I am doing wrong?
>     > >> >> >>
>     > >> >> >> Many thanks for your help!
>     > >> >> >>
>     > >> >> >> Fabrice
>     > >> >> >>
>     > >> >> >
>     > >> >>
>     > >> >>
>     > >>
>     > >
>     >
>
>
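
The resolution reported above (authorizationEntry ACLs must name groups, not usernames) can be checked offline before a broker configuration is deployed. The following is an added example, not code from the thread or from ActiveMQ: `parse_entries`, `matches`, `is_authorized` and `lint` are hypothetical helpers, and the matching and union-of-ACLs logic is a simplified model of the broker, with the three configurations constructed from the ones quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Users -> groups, as declared under "Users:" in the thread's CloudFormation template.
USERS = {"admin1": {"admin"}, "alfresco1": {"alfresco"}}

# Constructed from the thread: first attempt ("all" is not a group of any user).
ORIGINAL = """<authorizationEntries>
  <authorizationEntry topic="ActiveMQ.Advisory.>" admin="all" read="all" write="all"/>
  <authorizationEntry queue="alfresco.&gt;" admin="admin" read="admin,alfresco" write="admin,alfresco"/>
</authorizationEntries>"""

# Constructed from the thread: second attempt, naming the user instead of a group.
BY_USER = """<authorizationEntries>
  <authorizationEntry topic="ActiveMQ.Advisory.&gt;" admin="alfresco1" read="alfresco1" write="alfresco1"/>
  <authorizationEntry queue="alfresco.&gt;" admin="alfresco1" read="alfresco1" write="alfresco1"/>
</authorizationEntries>"""

# Constructed: the same entries naming groups, which the thread reports as working.
BY_GROUP = """<authorizationEntries>
  <authorizationEntry topic="ActiveMQ.Advisory.&gt;" admin="admin,alfresco" read="admin,alfresco" write="admin,alfresco"/>
  <authorizationEntry queue="alfresco.&gt;" admin="admin" read="admin,alfresco" write="admin,alfresco"/>
</authorizationEntries>"""

OPS = ("admin", "read", "write")  # "admin" is the permission needed to create a destination


def parse_entries(xml_text):
    """Return [(kind, pattern, {op: set_of_names})] for each authorizationEntry."""
    entries = []
    for el in ET.fromstring(xml_text).iter("authorizationEntry"):
        kind = "topic" if "topic" in el.attrib else "queue"
        acls = {op: {n.strip() for n in el.get(op, "").split(",") if n.strip()}
                for op in OPS}
        entries.append((kind, el.get(kind), acls))
    return entries


def matches(pattern, name):
    """Destination wildcards: '.' separates elements, '*' is one element, '>' the rest."""
    pat, parts = pattern.split("."), name.split(".")
    for i, p in enumerate(pat):
        if p == ">":
            return True
        if i >= len(parts) or (p != "*" and p != parts[i]):
            return False
    return len(pat) == len(parts)


def is_authorized(entries, users, user, op, destination):
    """True if one of the user's groups appears in the ACL of any matching entry.

    Assumption (simplified model): ACLs of all matching entries are unioned and
    compared against group names only, never against the username itself.
    """
    kind, _, name = destination.partition("://")
    allowed = set()
    for entry_kind, pattern, acls in entries:
        if entry_kind == kind and matches(pattern, name):
            allowed |= acls[op]
    return bool(users.get(user, set()) & allowed)


def lint(entries, users):
    """List every ACL name that is not a group held by at least one user."""
    defined = set().union(*users.values())
    findings = []
    for kind, pattern, acls in entries:
        for op in OPS:
            for name in sorted(acls[op] - defined):
                why = ("is a username, not a group" if name in users
                       else "is not a defined group")
                findings.append(f"{kind}://{pattern} {op}: '{name}' {why}")
    return findings


if __name__ == "__main__":
    dest = "topic://ActiveMQ.Advisory.Connection"  # destination from the error message
    for label, cfg in (("original", ORIGINAL), ("by user", BY_USER), ("by group", BY_GROUP)):
        entries = parse_entries(cfg)
        print(label, "-> alfresco1 may create", dest, ":",
              is_authorized(entries, USERS, "alfresco1", "admin", dest))
        for finding in lint(entries, USERS):
            print("   ", finding)
```
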

Re: Please help me with authorisation configuration

Posted by Fabrice Triboix <fa...@armedia.com>.
Thanks to the AWS support team for looking into this problem. I will give it a try.

Thanks a lot!

  Fabrice

________________________________
From: Tim Bain <tb...@alumni.duke.edu>
Sent: 26 September 2020 15:26
To: ActiveMQ Users <us...@activemq.apache.org>
Subject: Re: Please help me with authorisation configuration

Lucas,

Thanks for the confirmation that Amazon passes the full set of
authorizationEntries through unmodified. I wasn't sure if maybe you treated
the advisories differently since they're more internal/administrative, but
I'm happy to hear that you're not.

And thanks for monitoring this thread even though there's typically no need
for your team to respond, and for the quick response.

Tim

On Fri, Sep 25, 2020, 12:31 PM Tetreault, Lucas <te...@amazon.com.invalid>
wrote:

> Hey folks,
>
> I am a manager on the AmazonMQ team and I asked one of the engineers to
> have a look at this thread. Their analysis lines up with what Tim said and
> it doesn’t sound like anything we are doing would be causing this error.
> Here is what the engineer had to say:
>
>
>         This particular error is caused by not giving permissions for
> users to create advisory topics. Advisories are created in response to a
> variety of events, see the ActiveMQ documentation here:
> https://activemq.apache.org/advisory-message.html.
>
>         In this particular case, what the customer needs to do is create a
> group that contains all users that will be connecting to the broker, and
> allow that group permission to create advisory topics. For example, if
> they name this group "users", they would add the following
> "AuthorizationEntry":
>
>         <authorizationEntry topic="ActiveMQ.Advisory.>" read="users" write="users" admin="users"/>
>
>         Here's a full example from the ActiveMQ docs
> (http://activemq.apache.org/security) under "Controlling Access To
> Temporary Destinations". In the customer's config, it seems they are
> entering the user directly into the AuthorizationEntry, while in the
> documentation they add the group the user belongs to.
>
>
> I hope this helps!
>
>
> On 2020-09-25, 4:43 AM, "Tim Bain" <tb...@alumni.duke.edu> wrote:
>
>     I believe that the authorizationEntry should reference groups rather
> than
>     individual users (so alfresco rather than alfresco1). Can you try it
> with
>     that configuration?
>
>     If that doesn't work, can you try explicitly
>     authorizing ActiveMQ.Advisory.Connection so we're not dependent on the
>     wildcard? It shouldn't be necessary, but at this point we want to
> eliminate
>     all possible variables.
>
>     There's another possibility, which is that maybe Amazon strips out
> certain
>     patterns of authorizationEntry from your config file when creating the
>     broker for you. Are there any members of Amazon's AmazonMQ team
> monitoring
>     this forum who could tell us if anything like that is in play?
>
>     Tim
>
>     On Tue, Sep 22, 2020, 2:50 AM Fabrice Triboix <
> fabrice.triboix@armedia.com>
>     wrote:
>
>     > Hello,
>     >
>     > Apologies for the late response, I have been sucked up on other
> pieces of
>     > work.
>     >
>     > So I stripped the configuration of all non-existent entities, and it
> now
>     > looks like this:
>     >
>     > <authorizationPlugin>
>     >   <map>
>     >     <authorizationMap>
>     >       <authorizationEntries>
>     >         <authorizationEntry topic="ActiveMQ.Advisory.&gt;"
>     > admin="alfresco1"
>     >             read="alfresco1" write="alfresco1"/>
>     >         <authorizationEntry queue="alfresco.&gt;" admin="alfresco1"
>     >             read="alfresco1" write="alfresco1"/>
>     >         <authorizationEntry topic="alfresco.Advisory.&gt;"
>     > admin="alfresco1"
>     >             read="alfresco1" write="alfresco1"/>
>     >       </authorizationEntries>
>     >       <!-- Fabrice: There is no group `admin`, so commenting this
> out for
>     > now
>     >       <tempDestinationAuthorizationEntry>
>     >         <tempDestinationAuthorizationEntry admin="admin" read="admin"
>     > write="admin"/>
>     >       </tempDestinationAuthorizationEntry>
>     >       -->
>     >     </authorizationMap>
>     >   </map>
>     > </authorizationPlugin>
>     >
>     > I still get the same error message from Alfresco:
>     >
>     > 2020-09-22 08:25:11,882  ERROR
>     > [component.jms.DefaultJmsMessageListenerContainer] [Camel
>     > (alfrescoCamelContext) thread #2 -
> JmsConsumer[acs-repo-rendition-events]]
>     > Could not refresh JMS Connection for destination
>     > 'acs-repo-rendition-events' - retrying using
> FixedBackOff{interval=5000,
>     > currentAttempts=7, maxAttempts=unlimited}. Cause: User alfresco1 is
> not
>     > authorized to create: topic://ActiveMQ.Advisory.Connection
>     >
>     > Here is the CloudFormation declaration I use to create the AmazonMQ
> broker:
>     >
>     >   Broker:
>     >     Type: AWS::AmazonMQ::Broker
>     >     DependsOn: [ MasterSecret, AlfrescoUserSecret ]
>     >     Properties:
>     >       BrokerName: !Sub AmazonMQ-${AWS::StackName}
>     >       DeploymentMode: ACTIVE_STANDBY_MULTI_AZ
>     >       EncryptionOptions:
>     >         UseAwsOwnedKey: true
>     >       EngineType: ACTIVEMQ
>     >       EngineVersion: 5.15.10
>     >       HostInstanceType: mq.t2.micro
>     >       SecurityGroups: [ !GetAtt BrokerSecurityGroup.GroupId ]
>     >       SubnetIds: [ !Ref SubnetIdA, !Ref SubnetIdB ]
>     >       PubliclyAccessible: false
>     >       Configuration:
>     >         Id: !Ref BrokerConfig
>     >         Revision: !GetAtt BrokerConfig.Revision
>     >       Users:
>     >         - Username: admin1
>     >           Password: XXXXX
>     >           Groups: [ admin ]
>     >         - Username: alfresco1
>     >           Password: XXXXXX
>     >           Groups: [ alfresco ]
>     >       MaintenanceWindowStartTime:
>     >         DayOfWeek: !Ref MaintenanceDayOfWeek
>     >         TimeOfDay: !Ref MaintenanceTimeOfDay
>     >         TimeZone: UTC
>     >       Logs:
>     >         Audit: false
>     >         General: true
>     >       AutoMinorVersionUpgrade: true
>     >
>     > Is there a way to debug things further? Maybe by having a look at the
>     > ActiveMQ logs, or using some kind of command line tool to try
> manually
>     > create the topic?
>     >
>     > Thanks a lot for your help!
>     >
>     > ________________________________
>     > From: Tim Bain <tb...@alumni.duke.edu>
>     > Sent: 10 September 2020 12:50
>     > To: ActiveMQ Users <us...@activemq.apache.org>
>     > Subject: Re: Please help me with authorisation configuration
>     >
>     > Also, I don't believe that the admin group is created by default
> either,
>     > and I don't know what the broker's behavior is when it encounters a
>     > non-existent group in the config file. Maybe it denies access to
> even the
>     > groups that do exist? I don't know, but it's definitely worth trying
> with
>     > only valid/existing groups, so only alfresco in this case, just to
> try to
>     > get things working.
>     >
>     > Tim
>     >
>     > On Thu, Sep 10, 2020, 5:44 AM Tim Bain <tb...@alumni.duke.edu>
> wrote:
>     >
>     > > For the all group, I'm not aware of any default group that's
> created, and
>     > > all of the examples I've seen had any similar group created
> explicitly.
>     > But
>     > > I never used the authentication features personally, so I'm relying
>     > heavily
>     > > on the examples available online, and it's possible that the actual
>     > > behavior differs from what I've understood. However, the fact that
> what
>     > > you've observed matches what I thought I'd understood seems fairly
>     > > compelling, so I'd suggest you define an 'all' group and
> explicitly add
>     > > each user to it, and see if that resolves the issue.
>     > >
>     > > For the user/group thing, you're right, I got my wires crossed on
> the
>     > > distinction between the two, and you're absolutely right that
> groups are
>     > > specified in the config file and as long as the user is a member
> of the
>     > > group, it should work as expected. Sorry for the confusion.
>     > >
>     > > Tim
>     > >
>     > > On Wed, Sep 9, 2020, 5:48 AM Fabrice Triboix <
>     > fabrice.triboix@armedia.com>
>     > > wrote:
>     > >
>     > >> Hi Tim,
>     > >>
>     > >> No, I didn't define an `all` group, I just did a copy/paste from
> the
>     > >> ActiveMQ website. I guess from your answer that there is no `all`
> group
>     > by
>     > >> default.
>     > >>
>     > >> `alfresco1` is a user and a member of the `alfresco` group.
> Should I
>     > >> specify only users `authorizationEntry`?
>     > >>
>     > >> Thanks!
>     > >>
>     > >> ________________________________
>     > >> From: Tim Bain <tb...@alumni.duke.edu>
>     > >> Sent: 09 September 2020 12:41
>     > >> To: ActiveMQ Users <us...@activemq.apache.org>
>     > >> Subject: Re: Please help me with authorisation configuration
>     > >>
>     > >> CAUTION: This email originated from outside of the organization.
> Do not
>     > >> click links or open attachments unless you recognize the sender
> and know
>     > >> the content is safe.
>     > >>
>     > >>
>     > >> Also, is 'all' a group you defined, and is alfresco1 in that
> group?
>     > >>
>     > >> Tim
>     > >>
>     > >> On Wed, Sep 9, 2020, 5:35 AM Tim Bain <tb...@alumni.duke.edu>
> wrote:
>     > >>
>     > >> > Note that the username in the error message is alfresco1, not
>     > alfresco,
>     > >> so
>     > >> > make sure you authorize the right user when you test explicitly
>     > >> authorizing
>     > >> > the user.
>     > >> >
>     > >> > Tim
>     > >> >
>     > >> > On Wed, Sep 9, 2020, 5:31 AM Jean-Baptiste Onofre <
> jb@nanthrax.net>
>     > >> wrote:
>     > >> >
>     > >> >> OK,
>     > >> >>
>     > >> >> That’s weird as the advisory should be created by the broker
> itself.
>     > >> >>
>     > >> >> Can you try to put admin and alfresco roles for admin action ?
>     > >> >>
>     > >> >> By the way, are you using Advisory ? If not, you can disable
> advisory
>     > >> >> support.
>     > >> >>
>     > >> >> Regards
>     > >> >> JB
>     > >> >>
>     > >> >> > Le 9 sept. 2020 à 12:12, Fabrice Triboix <
>     > >> fabrice.triboix@armedia.com>
>     > >> >> a écrit :
>     > >> >> >
>     > >> >> > I replace ">" with "&gt;" and that didn't make any
> difference...
>     > >> >> >
>     > >> >> > ________________________________
>     > >> >> > From: Fabrice Triboix <fa...@armedia.com>
>     > >> >> > Sent: 09 September 2020 10:47
>     > >> >> > To: users@activemq.apache.org <us...@activemq.apache.org>
>     > >> >> > Subject: Re: Please help me with authorisation configuration
>     > >> >> >
>     > >> >> > CAUTION: This email originated from outside of the
> organization. Do
>     > >> not
>     > >> >> click links or open attachments unless you recognize the
> sender and
>     > >> know
>     > >> >> the content is safe.
>     > >> >> >
>     > >> >> >
>     > >> >> > Hi Jean-Baptiste,
>     > >> >> >
>     > >> >> > I can try with "&gt;", let's see what happens.
>     > >> >> >
>     > >> >> > Thanks,
>     > >> >> >
>     > >> >> >  Fabrice
>     > >> >> >
>     > >> >> > ________________________________
>     > >> >> > From: Jean-Baptiste Onofre <jb...@nanthrax.net>
>     > >> >> > Sent: 09 September 2020 10:43
>     > >> >> > To: users@activemq.apache.org <us...@activemq.apache.org>
>     > >> >> > Subject: Re: Please help me with authorisation configuration
>     > >> >> >
>     > >> >> > CAUTION: This email originated from outside of the
> organization. Do
>     > >> not
>     > >> >> click links or open attachments unless you recognize the
> sender and
>     > >> know
>     > >> >> the content is safe.
>     > >> >> >
>     > >> >> >
>     > >> >> > Hi Fabrice,
>     > >> >> >
>     > >> >> > Are you sure about Activemq.Advisory setup ? Did you try
>     > >> >> ActiveMQ.Advisory.&gt; ?
>     > >> >> >
>     > >> >> > Regards
>     > >> >> > JB
>     > >> >> >
>     > >> >> >> Le 9 sept. 2020 à 11:31, Fabrice Triboix <
>     > >> fabrice.triboix@armedia.com>
>     > >> >> a écrit :
>     > >> >> >>
>     > >> >> >> Hello,
>     > >> >> >>
>     > >> >> >> I am using AmazonMQ, which is running ActiveMQ version
> 5.15.12. I
>     > am
>     > >> >> trying to run Alfresco Repository CE (version 6.3), and it
> needs to
>     > >> connect
>     > >> >> to AmazonMQ, but it fails with the following error:
>     > >> >> >>
>     > >> >> >> 2020-09-09 09:06:49,222  ERROR
>     > >> >> [component.jms.DefaultJmsMessageListenerContainer] [Camel
>     > >> >> (alfrescoCamelContext) thread #2 -
>     > >> JmsConsumer[acs-repo-rendition-events]]
>     > >> >> Could not refresh JMS Connection for destination
>     > >> >> 'acs-repo-rendition-events' - retrying using
>     > >> FixedBackOff{interval=5000,
>     > >> >> currentAttempts=652, maxAttempts=unlimited}. Cause: User
> alfresco1 is
>     > >> not
>     > >> >> authorized to create: topic://ActiveMQ.Advisory.Connection
>     > >> >> >>
>     > >> >> >> Here is the part of the ActiveMQ configuration related to
>     > >> >> authorization:
>     > >> >> >>
>     > >> >> >>               <authorizationPlugin>
>     > >> >> >>                 <map>
>     > >> >> >>                   <authorizationMap>
>     > >> >> >>                     <authorizationEntries>
>     > >> >> >>                       <authorizationEntry
>     > >> topic="ActiveMQ.Advisory.>"
>     > >> >> admin="all" read="all" write="all"/>
>     > >> >> >>                       <authorizationEntry
> queue="alfresco.&gt;"
>     > >> >> admin="admin" read="admin,alfresco"
>     > >> >> >>                           write="admin,alfresco"/>
>     > >> >> >>                       <authorizationEntry
>     > >> >> topic="alfresco.Advisory.&gt;" admin="admin"
> read="admin,alfresco"
>     > >> >> >>                           write="admin,alfresco"/>
>     > >> >> >>                     </authorizationEntries>
>     > >> >> >>                     <tempDestinationAuthorizationEntry>
>     > >> >> >>                       <tempDestinationAuthorizationEntry
>     > >> admin="admin"
>     > >> >> read="admin" write="admin"/>
>     > >> >> >>                     </tempDestinationAuthorizationEntry>
>     > >> >> >>                   </authorizationMap>
>     > >> >> >>                 </map>
>     > >> >> >>               </authorizationPlugin>
>     > >> >> >>
>     > >> >> >> Anyone would have any idea on what I am doing wrong?
>     > >> >> >>
>     > >> >> >> Many thanks for your help!
>     > >> >> >>
>     > >> >> >> Fabrice
>     > >> >> >>
>     > >> >> >
>     > >> >>
>     > >> >>
>     > >>
>     > >
>     >
>
>

Re: Please help me with authorisation configuration

Posted by Tim Bain <tb...@alumni.duke.edu>.
Lucas,

Thanks for the confirmation that Amazon passes the full set of
authorizationEntries through unmodified. I wasn't sure if maybe you treated
the advisories differently since they're more internal/administrative, but
I'm happy to hear that you're not.

And thanks for monitoring this thread even though there's typically no need
for your team to respond, and for the quick response.

Tim

On Fri, Sep 25, 2020, 12:31 PM Tetreault, Lucas <te...@amazon.com.invalid>
wrote:

> Hey folks,
>
> I am a manager on the AmazonMQ team and I asked one of the engineers to
> have a look at this thread. Their analysis lines up with what Tim said and
> it doesn’t sound like anything we are doing would be causing this error.
> Here is what the engineer had to say:
>
>
>         This particular error is caused by not giving permissions for
>         users to create advisory topics. Advisories are created in response
>         to a variety of events, see the ActiveMQ documentation here:
>         https://activemq.apache.org/advisory-message.html.
>
>         In this particular case, what the customer needs to do is create a
>         group that contains all users that will be connecting to the broker,
>         and allow that group permission to create advisory topics. For
>         example, if they name this group "users", they would add the
>         following "AuthorizationEntry":
>
>         <authorizationEntry topic="ActiveMQ.Advisory.>" read="users" write="users" admin="users"/>
>
>         Here's a full example from the ActiveMQ docs
>         (http://activemq.apache.org/security) under "Controlling Access To
>         Temporary Destinations". In the customer's config, it seems they are
>         entering the user directly into the AuthorizationEntry, while in the
>         documentation they add the group the user belongs to.
>
>
> I hope this helps!
>
>
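
Added example, not part of any message in this thread and not ActiveMQ or Amazon MQ code: a small Python check that reads an `authorizationMap` together with the broker's user-to-group list and reports ACL names that no user can satisfy, using the configuration and users posted in the thread. It assumes, as the Amazon MQ engineer and Tim Bain state in this thread, that `authorizationEntry` names are matched against groups; the wildcard matcher, the union-of-matching-entries rule, the `GROUP_USERS` memberships and all function names are this example's own simplifications.

```python
import xml.etree.ElementTree as ET

OPS = ("admin", "read", "write")

# Users and groups from the CloudFormation snippet in the thread.
USERS = {"admin1": {"admin"}, "alfresco1": {"alfresco"}}

# Constructed from the 22 Sept message: user names sit where groups belong.
POSTED = """
<authorizationMap><authorizationEntries>
  <authorizationEntry topic="ActiveMQ.Advisory.&gt;" admin="alfresco1"
      read="alfresco1" write="alfresco1"/>
  <authorizationEntry queue="alfresco.&gt;" admin="alfresco1"
      read="alfresco1" write="alfresco1"/>
</authorizationEntries></authorizationMap>
"""

# Constructed variant: every connecting user is also put in a "users" group
# (the group name the engineer uses as an example) that owns the advisories.
GROUP_USERS = {"admin1": {"admin", "users"}, "alfresco1": {"alfresco", "users"}}
GROUP_BASED = """
<authorizationMap><authorizationEntries>
  <authorizationEntry topic="ActiveMQ.Advisory.&gt;" admin="users"
      read="users" write="users"/>
  <authorizationEntry queue="alfresco.&gt;" admin="admin"
      read="admin,alfresco" write="admin,alfresco"/>
</authorizationEntries></authorizationMap>
"""


def parse_entries(xml_text):
    """Return one dict per <authorizationEntry>: kind, pattern, ACL set per op."""
    entries = []
    for el in ET.fromstring(xml_text.strip()).iter():
        # Compare the local name so a namespaced activemq.xml also works.
        if el.tag.rsplit("}", 1)[-1] != "authorizationEntry":
            continue
        kind = "topic" if "topic" in el.attrib else "queue"
        entry = {"kind": kind, "pattern": el.get(kind, "")}
        for op in OPS:
            entry[op] = {n.strip() for n in el.get(op, "").split(",") if n.strip()}
        entries.append(entry)
    return entries


def matches(pattern, destination):
    """Simplified destination wildcards: '*' is one segment, '>' is the rest."""
    pat, dest = pattern.split("."), destination.split(".")
    for i, seg in enumerate(pat):
        if seg == ">":
            return len(dest) > i
        if i >= len(dest) or (seg != "*" and seg != dest[i]):
            return False
    return len(pat) == len(dest)


def is_allowed(entries, users, user, op, kind, destination):
    """True if a matching entry lists one of the user's groups for `op`."""
    groups = users.get(user, set())
    return any(e["kind"] == kind and matches(e["pattern"], destination)
               and e[op] & groups for e in entries)


def lint(entries, users):
    """List ACL names that are not a group of any configured user."""
    known_groups = set().union(*users.values())
    findings = []
    for e in entries:
        for op in OPS:
            for name in sorted(e[op] - known_groups):
                why = ("is a user name, not a group" if name in users
                       else "is not a defined group")
                findings.append(f'{e["kind"]} {e["pattern"]} {op}: "{name}" {why}')
    return findings


if __name__ == "__main__":
    cases = (("as posted", POSTED, USERS), ("group based", GROUP_BASED, GROUP_USERS))
    for label, xml_text, users in cases:
        entries = parse_entries(xml_text)
        # Creating a destination requires the "admin" operation on it.
        ok = is_allowed(entries, users, "alfresco1", "admin", "topic",
                        "ActiveMQ.Advisory.Connection")
        print(f"{label}: alfresco1 may create the advisory topic: {ok}")
        for finding in lint(entries, users):
            print("   ", finding)
```

Any finding means that ACL name grants nothing to anyone, which is the situation behind the "not authorized to create" error discussed in the thread.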

Re: Please help me with authorisation configuration

Posted by "Tetreault, Lucas" <te...@amazon.com.INVALID>.
Hey folks, 

I am a manager on the AmazonMQ team and I asked one of the engineers to have a look at this thread. Their analysis lines up with what Tim said and it doesn’t sound like anything we are doing would be causing this error. Here is what the engineer had to say: 


	This particular error is caused by not giving permissions for users to create advisory topics. Advisories are created in response to a variety of events, see the ActiveMQ documentation here: https://activemq.apache.org/advisory-message.html.

	In this particular case, what the customer needs to do is create a group that contains all users that will be connecting to the broker, and allow that group permission to create advisory topics. For example, if they name this group "users", they would add the following "AuthorizationEntry":

	<authorizationEntry topic="ActiveMQ.Advisory.>" read="users" write="users" admin="users"/>

	Here's a full example from the ActiveMQ docs (http://activemq.apache.org/security) under "Controlling Access To Temporary Destinations". In the customer's config, it seems they are entering the user directly into the AuthorizationEntry, while in the documentation they add the group the user belongs to.


I hope this helps! 


On 2020-09-25, 4:43 AM, "Tim Bain" <tb...@alumni.duke.edu> wrote:

    I believe that the authorizationEntry should reference groups rather than
    individual users (so alfresco rather than alfresco1). Can you try it with
    that configuration?

    If that doesn't work, can you try explicitly
    authorizing ActiveMQ.Advisory.Connection so we're not dependent on the
    wildcard? It shouldn't be necessary, but at this point we want to eliminate
    all possible variables.

    There's another possibility, which is that maybe Amazon strips out certain
    patterns of authorizationEntry from your config file when creating the
    broker for you. Are there any members of Amazon's AmazonMQ team monitoring
    this forum who could tell us if anything like that is in play?

    Tim

    On Tue, Sep 22, 2020, 2:50 AM Fabrice Triboix <fa...@armedia.com>
    wrote:

    > Hello,
    >
    > Apologies for the late response, I have been sucked up on other pieces of
    > work.
    >
    > So I stripped the configuration of all non-existent entities, and it now
    > looks like this:
    >
    > <authorizationPlugin>
    >   <map>
    >     <authorizationMap>
    >       <authorizationEntries>
    >         <authorizationEntry topic="ActiveMQ.Advisory.&gt;" admin="alfresco1"
    >             read="alfresco1" write="alfresco1"/>
    >         <authorizationEntry queue="alfresco.&gt;" admin="alfresco1"
    >             read="alfresco1" write="alfresco1"/>
    >         <authorizationEntry topic="alfresco.Advisory.&gt;" admin="alfresco1"
    >             read="alfresco1" write="alfresco1"/>
    >       </authorizationEntries>
    >       <!-- Fabrice: There is no group `admin`, so commenting this out for now
    >       <tempDestinationAuthorizationEntry>
    >         <tempDestinationAuthorizationEntry admin="admin" read="admin" write="admin"/>
    >       </tempDestinationAuthorizationEntry>
    >       -->
    >     </authorizationMap>
    >   </map>
    > </authorizationPlugin>
    >
    > I still get the same error message from Alfresco:
    >
    > 2020-09-22 08:25:11,882  ERROR
    > [component.jms.DefaultJmsMessageListenerContainer] [Camel
    > (alfrescoCamelContext) thread #2 - JmsConsumer[acs-repo-rendition-events]]
    > Could not refresh JMS Connection for destination
    > 'acs-repo-rendition-events' - retrying using FixedBackOff{interval=5000,
    > currentAttempts=7, maxAttempts=unlimited}. Cause: User alfresco1 is not
    > authorized to create: topic://ActiveMQ.Advisory.Connection
    >
    > Here is the CloudFormation declaration I use to create the AmazonMQ broker:
    >
    >   Broker:
    >     Type: AWS::AmazonMQ::Broker
    >     DependsOn: [ MasterSecret, AlfrescoUserSecret ]
    >     Properties:
    >       BrokerName: !Sub AmazonMQ-${AWS::StackName}
    >       DeploymentMode: ACTIVE_STANDBY_MULTI_AZ
    >       EncryptionOptions:
    >         UseAwsOwnedKey: true
    >       EngineType: ACTIVEMQ
    >       EngineVersion: 5.15.10
    >       HostInstanceType: mq.t2.micro
    >       SecurityGroups: [ !GetAtt BrokerSecurityGroup.GroupId ]
    >       SubnetIds: [ !Ref SubnetIdA, !Ref SubnetIdB ]
    >       PubliclyAccessible: false
    >       Configuration:
    >         Id: !Ref BrokerConfig
    >         Revision: !GetAtt BrokerConfig.Revision
    >       Users:
    >         - Username: admin1
    >           Password: XXXXX
    >           Groups: [ admin ]
    >         - Username: alfresco1
    >           Password: XXXXXX
    >           Groups: [ alfresco ]
    >       MaintenanceWindowStartTime:
    >         DayOfWeek: !Ref MaintenanceDayOfWeek
    >         TimeOfDay: !Ref MaintenanceTimeOfDay
    >         TimeZone: UTC
    >       Logs:
    >         Audit: false
    >         General: true
    >       AutoMinorVersionUpgrade: true
    >
    > Is there a way to debug things further? Maybe by having a look at the
    > ActiveMQ logs, or using some kind of command line tool to try manually
    > create the topic?
    >
    > Thanks a lot for your help!
    >
    > ________________________________
    > From: Tim Bain <tb...@alumni.duke.edu>
    > Sent: 10 September 2020 12:50
    > To: ActiveMQ Users <us...@activemq.apache.org>
    > Subject: Re: Please help me with authorisation configuration
    >
    > Also, I don't believe that the admin group is created by default either,
    > and I don't know what the broker's behavior is when it encounters a
    > non-existent group in the config file. Maybe it denies access to even the
    > groups that do exist? I don't know, but it's definitely worth trying with
    > only valid/existing groups, so only alfresco in this case, just to try to
    > get things working.
    >
    > Tim
    >
    > On Thu, Sep 10, 2020, 5:44 AM Tim Bain <tb...@alumni.duke.edu> wrote:
    >
    > > For the all group, I'm not aware of any default group that's created, and
    > > all of the examples I've seen had any similar group created explicitly. But
    > > I never used the authentication features personally, so I'm relying heavily
    > > on the examples available online, and it's possible that the actual
    > > behavior differs from what I've understood. However, the fact that what
    > > you've observed matches what I thought I'd understood seems fairly
    > > compelling, so I'd suggest you define an 'all' group and explicitly add
    > > each user to it, and see if that resolves the issue.
    > >
    > > For the user/group thing, you're right, I got my wires crossed on the
    > > distinction between the two, and you're absolutely right that groups are
    > > specified in the config file and as long as the user is a member of the
    > > group, it should work as expected. Sorry for the confusion.
    > >
    > > Tim
    > >
    > > On Wed, Sep 9, 2020, 5:48 AM Fabrice Triboix <fabrice.triboix@armedia.com> wrote:
    > >
    > >> Hi Tim,
    > >>
    > >> No, I didn't define an `all` group, I just did a copy/paste from the
    > >> ActiveMQ website. I guess from your answer that there is no `all` group by
    > >> default.
    > >>
    > >> `alfresco1` is a user and a member of the `alfresco` group. Should I
    > >> specify only users `authorizationEntry`?
    > >>
    > >> Thanks!
    > >>
    > >> ________________________________
    > >> From: Tim Bain <tb...@alumni.duke.edu>
    > >> Sent: 09 September 2020 12:41
    > >> To: ActiveMQ Users <us...@activemq.apache.org>
    > >> Subject: Re: Please help me with authorisation configuration
    > >>
    > >> Also, is 'all' a group you defined, and is alfresco1 in that group?
    > >>
    > >> Tim
    > >>
    > >> On Wed, Sep 9, 2020, 5:35 AM Tim Bain <tb...@alumni.duke.edu> wrote:
    > >>
    > >> > Note that the username in the error message is alfresco1, not alfresco, so
    > >> > make sure you authorize the right user when you test explicitly authorizing
    > >> > the user.
    > >> >
    > >> > Tim
    > >> >
    > >> > On Wed, Sep 9, 2020, 5:31 AM Jean-Baptiste Onofre <jb...@nanthrax.net> wrote:
    > >> >
    > >> >> OK,
    > >> >>
    > >> >> That’s weird as the advisory should be created by the broker itself.
    > >> >>
    > >> >> Can you try to put admin and alfresco roles for admin action ?
    > >> >>
    > >> >> By the way, are you using Advisory ? If not, you can disable advisory
    > >> >> support.
    > >> >>
    > >> >> Regards
    > >> >> JB
    > >> >>
    > >> >> > On 9 Sept 2020, at 12:12, Fabrice Triboix <fabrice.triboix@armedia.com> wrote:
    > >> >> >
    > >> >> > I replace ">" with "&gt;" and that didn't make any difference...
    > >> >> >
    > >> >> > ________________________________
    > >> >> > From: Fabrice Triboix <fa...@armedia.com>
    > >> >> > Sent: 09 September 2020 10:47
    > >> >> > To: users@activemq.apache.org <us...@activemq.apache.org>
    > >> >> > Subject: Re: Please help me with authorisation configuration
    > >> >> >
    > >> >> > Hi Jean-Baptiste,
    > >> >> >
    > >> >> > I can try with "&gt;", let's see what happens.
    > >> >> >
    > >> >> > Thanks,
    > >> >> >
    > >> >> >  Fabrice
    > >> >> >
    > >> >> > ________________________________
    > >> >> > From: Jean-Baptiste Onofre <jb...@nanthrax.net>
    > >> >> > Sent: 09 September 2020 10:43
    > >> >> > To: users@activemq.apache.org <us...@activemq.apache.org>
    > >> >> > Subject: Re: Please help me with authorisation configuration
    > >> >> >
    > >> >> > CAUTION: This email originated from outside of the organization. Do
    > >> not
    > >> >> click links or open attachments unless you recognize the sender and
    > >> know
    > >> >> the content is safe.
    > >> >> >
    > >> >> >
    > >> >> > Hi Fabrice,
    > >> >> >
    > >> >> > Are you sure about Activemq.Advisory setup ? Did you try
    > >> >> ActiveMQ.Advisory.&gt; ?
    > >> >> >
    > >> >> > Regards
    > >> >> > JB
    > >> >> >
    > >> >> >> Le 9 sept. 2020 à 11:31, Fabrice Triboix <
    > >> fabrice.triboix@armedia.com>
    > >> >> a écrit :
    > >> >> >>
    > >> >> >> Hello,
    > >> >> >>
    > >> >> >> I am using AmazonMQ, which is running ActiveMQ version 5.15.12. I
    > am
    > >> >> trying to run Alfresco Repository CE (version 6.3), and it needs to
    > >> connect
    > >> >> to AmazonMQ, but it fails with the following error:
    > >> >> >>
    > >> >> >> 2020-09-09 09:06:49,222  ERROR
    > >> >> [component.jms.DefaultJmsMessageListenerContainer] [Camel
    > >> >> (alfrescoCamelContext) thread #2 -
    > >> JmsConsumer[acs-repo-rendition-events]]
    > >> >> Could not refresh JMS Connection for destination
    > >> >> 'acs-repo-rendition-events' - retrying using
    > >> FixedBackOff{interval=5000,
    > >> >> currentAttempts=652, maxAttempts=unlimited}. Cause: User alfresco1 is
    > >> not
    > >> >> authorized to create: topic://ActiveMQ.Advisory.Connection
    > >> >> >>
    > >> >> >> Here is the part of the ActiveMQ configuration related to
    > >> >> authorization:
    > >> >> >>
    > >> >> >>               <authorizationPlugin>
    > >> >> >>                 <map>
    > >> >> >>                   <authorizationMap>
    > >> >> >>                     <authorizationEntries>
    > >> >> >>                       <authorizationEntry
    > >> topic="ActiveMQ.Advisory.>"
    > >> >> admin="all" read="all" write="all"/>
    > >> >> >>                       <authorizationEntry queue="alfresco.&gt;"
    > >> >> admin="admin" read="admin,alfresco"
    > >> >> >>                           write="admin,alfresco"/>
    > >> >> >>                       <authorizationEntry
    > >> >> topic="alfresco.Advisory.&gt;" admin="admin" read="admin,alfresco"
    > >> >> >>                           write="admin,alfresco"/>
    > >> >> >>                     </authorizationEntries>
    > >> >> >>                     <tempDestinationAuthorizationEntry>
    > >> >> >>                       <tempDestinationAuthorizationEntry
    > >> admin="admin"
    > >> >> read="admin" write="admin"/>
    > >> >> >>                     </tempDestinationAuthorizationEntry>
    > >> >> >>                   </authorizationMap>
    > >> >> >>                 </map>
    > >> >> >>               </authorizationPlugin>
    > >> >> >>
    > >> >> >> Anyone would have any idea on what I am doing wrong?
    > >> >> >>
    > >> >> >> Many thanks for your help!
    > >> >> >>
    > >> >> >> Fabrice
    > >> >> >>
    > >> >> >
    > >> >>
    > >> >>
    > >>
    > >
    >


Re: Please help me with authorisation configuration

Posted by Tim Bain <tb...@alumni.duke.edu>.
I believe that the authorizationEntry should reference groups rather than
individual users (so alfresco rather than alfresco1). Can you try it with
that configuration?

If that doesn't work, can you try explicitly
authorizing ActiveMQ.Advisory.Connection so we're not dependent on the
wildcard? It shouldn't be necessary, but at this point we want to eliminate
all possible variables.

There's another possibility, which is that maybe Amazon strips out certain
patterns of authorizationEntry from your config file when creating the
broker for you. Are there any members of Amazon's AmazonMQ team monitoring
this forum who could tell us if anything like that is in play?

Tim


Re: Please help me with authorisation configuration

Posted by Fabrice Triboix <fa...@armedia.com>.
Hello,

Apologies for the late response, I have been sucked up on other pieces of work.

So I stripped the configuration of all non-existent entities, and it now looks like this:

<authorizationPlugin>
  <map>
    <authorizationMap>
      <authorizationEntries>
        <authorizationEntry topic="ActiveMQ.Advisory.&gt;" admin="alfresco1"
            read="alfresco1" write="alfresco1"/>
        <authorizationEntry queue="alfresco.&gt;" admin="alfresco1"
            read="alfresco1" write="alfresco1"/>
        <authorizationEntry topic="alfresco.Advisory.&gt;" admin="alfresco1"
            read="alfresco1" write="alfresco1"/>
      </authorizationEntries>
      <!-- Fabrice: There is no group `admin`, so commenting this out for now
      <tempDestinationAuthorizationEntry>
        <tempDestinationAuthorizationEntry admin="admin" read="admin" write="admin"/>
      </tempDestinationAuthorizationEntry>
      -->
    </authorizationMap>
  </map>
</authorizationPlugin>

I still get the same error message from Alfresco:

2020-09-22 08:25:11,882  ERROR [component.jms.DefaultJmsMessageListenerContainer] [Camel (alfrescoCamelContext) thread #2 - JmsConsumer[acs-repo-rendition-events]] Could not refresh JMS Connection for destination 'acs-repo-rendition-events' - retrying using FixedBackOff{interval=5000, currentAttempts=7, maxAttempts=unlimited}. Cause: User alfresco1 is not authorized to create: topic://ActiveMQ.Advisory.Connection

Here is the CloudFormation declaration I use to create the AmazonMQ broker:

  Broker:
    Type: AWS::AmazonMQ::Broker
    DependsOn: [ MasterSecret, AlfrescoUserSecret ]
    Properties:
      BrokerName: !Sub AmazonMQ-${AWS::StackName}
      DeploymentMode: ACTIVE_STANDBY_MULTI_AZ
      EncryptionOptions:
        UseAwsOwnedKey: true
      EngineType: ACTIVEMQ
      EngineVersion: 5.15.10
      HostInstanceType: mq.t2.micro
      SecurityGroups: [ !GetAtt BrokerSecurityGroup.GroupId ]
      SubnetIds: [ !Ref SubnetIdA, !Ref SubnetIdB ]
      PubliclyAccessible: false
      Configuration:
        Id: !Ref BrokerConfig
        Revision: !GetAtt BrokerConfig.Revision
      Users:
        - Username: admin1
          Password: XXXXX
          Groups: [ admin ]
        - Username: alfresco1
          Password: XXXXXX
          Groups: [ alfresco ]
      MaintenanceWindowStartTime:
        DayOfWeek: !Ref MaintenanceDayOfWeek
        TimeOfDay: !Ref MaintenanceTimeOfDay
        TimeZone: UTC
      Logs:
        Audit: false
        General: true
      AutoMinorVersionUpgrade: true

Is there a way to debug things further? Maybe by having a look at the ActiveMQ logs, or using some kind of command line tool to try to manually create the topic?

Thanks a lot for your help!
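
The group-versus-user question raised in this thread can be checked offline against the configuration posted above. The following is an added example, not code from the thread or from ActiveMQ: it parses the posted authorization map and the CloudFormation user list (both copied inline as sample data), flags role names that are not defined groups, and evaluates the failing request. The function names and the simplified wildcard matcher are assumptions, and it assumes roles in an authorizationEntry are compared with the user's group names and that "create" requires the admin operation.

```python
import xml.etree.ElementTree as ET

# Authorization map as posted in the thread (roles set to the user name "alfresco1").
AUTHZ_XML = """
<authorizationPlugin>
  <map>
    <authorizationMap>
      <authorizationEntries>
        <authorizationEntry topic="ActiveMQ.Advisory.&gt;" admin="alfresco1"
            read="alfresco1" write="alfresco1"/>
        <authorizationEntry queue="alfresco.&gt;" admin="alfresco1"
            read="alfresco1" write="alfresco1"/>
        <authorizationEntry topic="alfresco.Advisory.&gt;" admin="alfresco1"
            read="alfresco1" write="alfresco1"/>
      </authorizationEntries>
    </authorizationMap>
  </map>
</authorizationPlugin>
"""

# User -> groups, taken from the "Users" list of the CloudFormation declaration.
BROKER_USERS = {"admin1": {"admin"}, "alfresco1": {"alfresco"}}

OPERATIONS = ("admin", "read", "write")


def load_entries(xml_text):
    """Parse every authorizationEntry into kind, pattern and one role set per operation."""
    entries = []
    for node in ET.fromstring(xml_text).iter("authorizationEntry"):
        kind = "topic" if "topic" in node.attrib else "queue"
        entry = {"kind": kind, "pattern": node.attrib[kind]}
        for op in OPERATIONS:
            roles = node.attrib.get(op, "")
            entry[op] = {r.strip() for r in roles.split(",") if r.strip()}
        entries.append(entry)
    return entries


def matches(pattern, name):
    """Simplified destination wildcards: '*' is one segment, '>' is everything after.

    Names are compared case-sensitively, segment by segment.
    """
    p_parts, n_parts = pattern.split("."), name.split(".")
    for i, part in enumerate(p_parts):
        if part == ">":
            return True
        if i >= len(n_parts) or (part != "*" and part != n_parts[i]):
            return False
    return len(p_parts) == len(n_parts)


def undefined_roles(entries, users):
    """Role names used in the map that are not a group of any broker user."""
    groups = set().union(*users.values())
    used = set().union(*(e[op] for e in entries for op in OPERATIONS))
    return sorted(used - groups)


def is_authorized(entries, users, user, op, kind, name):
    """True if any matching entry grants `op` to one of the user's groups (assumed model)."""
    groups = users.get(user, set())
    return any(
        e["kind"] == kind and matches(e["pattern"], name) and bool(e[op] & groups)
        for e in entries
    )


def check(xml_text, users=BROKER_USERS):
    """Lint the map and replay the request from the error message in the thread."""
    entries = load_entries(xml_text)
    return {
        "undefined_roles": undefined_roles(entries, users),
        "can_create_advisory": is_authorized(
            entries, users, "alfresco1", "admin", "topic",
            "ActiveMQ.Advisory.Connection"),
    }


if __name__ == "__main__":
    print("as posted:        ", check(AUTHZ_XML))
    # Same map with the group name used as the role instead of the user name.
    print("group as role:    ", check(AUTHZ_XML.replace('"alfresco1"', '"alfresco"')))
    # A literal '>' and '&gt;' in an attribute value parse to the same pattern.
    raw = AUTHZ_XML.replace("&gt;", ">")
    print("'>' same as &gt;: ", load_entries(raw) == load_entries(AUTHZ_XML))
```

Running the same lint on every configuration revision before it is applied catches role names that no broker user belongs to, which under this model behave as a silent deny.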


Re: Please help me with authorisation configuration

Posted by Tim Bain <tb...@alumni.duke.edu>.
Also, I don't believe that the admin group is created by default either,
and I don't know what the broker's behavior is when it encounters a
non-existent group in the config file. Maybe it denies access to even the
groups that do exist? I don't know, but it's definitely worth trying with
only valid/existing groups, so only alfresco in this case, just to try to
get things working.

Tim


Re: Please help me with authorisation configuration

Posted by Tim Bain <tb...@alumni.duke.edu>.
For the all group, I'm not aware of any default group that's created, and
all of the examples I've seen had any similar group created explicitly. But
I never used the authentication features personally, so I'm relying heavily
on the examples available online, and it's possible that the actual
behavior differs from what I've understood. However, the fact that what
you've observed matches what I thought I'd understood seems fairly
compelling, so I'd suggest you define an 'all' group and explicitly add
each user to it, and see if that resolves the issue.

For the user/group thing, you're right, I got my wires crossed on the
distinction between the two, and you're absolutely right that groups are
specified in the config file and as long as the user is a member of the
group, it should work as expected. Sorry for the confusion.

Tim

On Wed, Sep 9, 2020, 5:48 AM Fabrice Triboix <fa...@armedia.com>
wrote:

> Hi Tim,
>
> No, I didn't define an `all` group, I just did a copy/paste from the
> ActiveMQ website. I guess from your answer that there is no `all` group by
> default.
>
> `alfresco1` is a user and a member of the `alfresco` group. Should I
> specify only users `authorizationEntry`?
>
> Thanks!
>
>
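An added example, not part of the thread and not ActiveMQ code: a small offline audit of the posted authorizationEntries that reports which groups an entry grants for a destination and flags groups, such as `all`, that no user belongs to. It is a simplified model that assumes creating a destination is checked against the `admin` ACL and that the ACLs of every matching entry are combined; the membership table, the `admin1` user and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The authorizationEntries from the original post, wrapped so they parse on
# their own (constructed sample; the first entry keeps the raw ">" as posted).
POSTED_ENTRIES = """
<authorizationEntries>
  <authorizationEntry topic="ActiveMQ.Advisory.>" admin="all" read="all" write="all"/>
  <authorizationEntry queue="alfresco.&gt;" admin="admin" read="admin,alfresco"
      write="admin,alfresco"/>
  <authorizationEntry topic="alfresco.Advisory.&gt;" admin="admin" read="admin,alfresco"
      write="admin,alfresco"/>
</authorizationEntries>
"""

# Constructed membership table: alfresco1 and its group come from the thread,
# "admin1" is a hypothetical member of the admin group.
MEMBERSHIP = {"alfresco1": {"alfresco"}, "admin1": {"admin"}}

OPERATIONS = ("admin", "read", "write")


def pattern_matches(pattern, name):
    """Match a destination name against an ActiveMQ-style wildcard pattern.

    '.' separates path elements, '*' stands for exactly one element and '>'
    for everything that follows. Comparison is case-sensitive. Simplified
    model: '>' also accepts a name that ends right before it.
    """
    p_parts, n_parts = pattern.split("."), name.split(".")
    for i, part in enumerate(p_parts):
        if part == ">":
            return True
        if i >= len(n_parts):
            return False
        if part != "*" and part != n_parts[i]:
            return False
    return len(p_parts) == len(n_parts)


def load_entries(xml_text):
    """Parse <authorizationEntry> elements into (kind, pattern, acls) tuples."""
    entries = []
    for el in ET.fromstring(xml_text).iter("authorizationEntry"):
        kind = next((k for k in ("topic", "queue") if k in el.attrib), None)
        if kind is None:
            continue  # temp-destination and other entries are out of scope here
        acls = {op: {g.strip() for g in el.get(op, "").split(",") if g.strip()}
                for op in OPERATIONS}
        entries.append((kind, el.attrib[kind], acls))
    return entries


def groups_granted(entries, kind, name, operation):
    """Union of the groups that all matching entries grant for one operation."""
    granted = set()
    for entry_kind, pattern, acls in entries:
        if entry_kind == kind and pattern_matches(pattern, name):
            granted |= acls[operation]
    return granted


def is_authorized(entries, membership, user, kind, name, operation):
    """True when the user shares at least one group with the granted set."""
    granted = groups_granted(entries, kind, name, operation)
    return bool(membership.get(user, set()) & granted)


def unassigned_groups(entries, membership):
    """Groups named in some ACL that no user in the membership table holds."""
    referenced = set()
    for _, _, acls in entries:
        for op in OPERATIONS:
            referenced |= acls[op]
    return referenced - set().union(*membership.values())


if __name__ == "__main__":
    entries = load_entries(POSTED_ENTRIES)
    # The destination and user from the error message in the thread.
    dest = ("topic", "ActiveMQ.Advisory.Connection")
    print("groups granted admin:", groups_granted(entries, *dest, "admin"))
    print("alfresco1 may create:",
          is_authorized(entries, MEMBERSHIP, "alfresco1", *dest, "admin"))
    print("groups nobody belongs to:", unassigned_groups(entries, MEMBERSHIP))
```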

Re: Please help me with authorisation configuration

Posted by Jean-Baptiste Onofre <jb...@nanthrax.net>.
My point was: are you sure alfresco1 user is in the correct groups/roles?

Regards
JB

> On 9 Sept 2020, at 21:37, Fabrice Triboix <fa...@armedia.com> wrote:
> 
> Hi Jean-Baptiste,
> 
> Apologies, I didn't understand... I changed it to
> 
> <authorizationEntry topic="ActiveMQ.Advisory.&gt;" admin="admin,alfresco" read="admin,alfresco" write="admin,alfresco"/>
> 
> But still same error message:
> 
> 2020-09-09 19:30:14,313  ERROR [component.jms.DefaultJmsMessageListenerContainer] [Camel (alfrescoCamelContext) thread #2 - JmsConsumer[acs-repo-rendition-events]] Could not refresh JMS Connection for destination 'acs-repo-rendition-events' - retrying using FixedBackOff{interval=5000, currentAttempts=7942, maxAttempts=unlimited}. Cause: User alfresco1 is not authorized to create: topic://ActiveMQ.Advisory.Connection
> 
> Any idea?
> 
> 


Re: Please help me with authorisation configuration

Posted by Fabrice Triboix <fa...@armedia.com>.
Hi Jean-Baptiste,

Apologies, I didn't understand... I changed it to

<authorizationEntry topic="ActiveMQ.Advisory.&gt;" admin="admin,alfresco" read="admin,alfresco" write="admin,alfresco"/>

But still same error message:

2020-09-09 19:30:14,313  ERROR [component.jms.DefaultJmsMessageListenerContainer] [Camel (alfrescoCamelContext) thread #2 - JmsConsumer[acs-repo-rendition-events]] Could not refresh JMS Connection for destination 'acs-repo-rendition-events' - retrying using FixedBackOff{interval=5000, currentAttempts=7942, maxAttempts=unlimited}. Cause: User alfresco1 is not authorized to create: topic://ActiveMQ.Advisory.Connection

Any idea?


________________________________
From: Jean-Baptiste Onofre <jb...@nanthrax.net>
Sent: 09 September 2020 13:06
To: users@activemq.apache.org <us...@activemq.apache.org>
Subject: Re: Please help me with authorisation configuration


It’s what I proposed in my previous email: can you use alfresco role/group in advisory admin entry (all doesn’t exist by default)?

Regards
JB



Re: Please help me with authorisation configuration

Posted by Jean-Baptiste Onofre <jb...@nanthrax.net>.
It’s what I proposed in my previous email: can you use alfresco role/group in advisory admin entry (all doesn’t exist by default)?

Regards
JB

> On 9 Sept 2020, at 13:48, Fabrice Triboix <fa...@armedia.com> wrote:
> 
> Hi Tim,
> 
> No, I didn't define an `all` group, I just did a copy/paste from the ActiveMQ website. I guess from your answer that there is no `all` group by default.
> 
> `alfresco1` is a user and a member of the `alfresco` group. Should I specify only users `authorizationEntry`?
> 
> Thanks!
> 


Re: Please help me with authorisation configuration

Posted by Fabrice Triboix <fa...@armedia.com>.
Hi Tim,

No, I didn't define an `all` group, I just did a copy/paste from the ActiveMQ website. I guess from your answer that there is no `all` group by default.

`alfresco1` is a user and a member of the `alfresco` group. Should I specify only users `authorizationEntry`?

Thanks!

________________________________
From: Tim Bain <tb...@alumni.duke.edu>
Sent: 09 September 2020 12:41
To: ActiveMQ Users <us...@activemq.apache.org>
Subject: Re: Please help me with authorisation configuration


Also, is 'all' a group you defined, and is alfresco1 in that group?

Tim


Re: Please help me with authorisation configuration

Posted by Tim Bain <tb...@alumni.duke.edu>.
Also, is 'all' a group you defined, and is alfresco1 in that group?

Tim

On Wed, Sep 9, 2020, 5:35 AM Tim Bain <tb...@alumni.duke.edu> wrote:

> Note that the username in the error message is alfresco1, not alfresco, so
> make sure you authorize the right user when you test explicitly authorizing
> the user.
>
> Tim
>

Re: Please help me with authorisation configuration

Posted by Tim Bain <tb...@alumni.duke.edu>.
Note that the username in the error message is alfresco1, not alfresco, so
make sure you authorize the right user when you test explicitly authorizing
the user.

Tim

On Wed, Sep 9, 2020, 5:31 AM Jean-Baptiste Onofre <jb...@nanthrax.net> wrote:

> OK,
>
> That’s weird as the advisory should be created by the broker itself.
>
> Can you try to put admin and alfresco roles for admin action?
>
> By the way, are you using Advisory? If not, you can disable advisory
> support.
>
> Regards
> JB
>
> > On 9 Sep 2020, at 12:12, Fabrice Triboix <fa...@armedia.com> wrote:
> >
> > I replaced ">" with "&gt;" and that didn't make any difference...
> >
> > ________________________________
> > From: Fabrice Triboix <fa...@armedia.com>
> > Sent: 09 September 2020 10:47
> > To: users@activemq.apache.org <us...@activemq.apache.org>
> > Subject: Re: Please help me with authorisation configuration
> >
> >
> > Hi Jean-Baptiste,
> >
> > I can try with "&gt;", let's see what happens.
> >
> > Thanks,
> >
> >  Fabrice
> >
> > ________________________________
> > From: Jean-Baptiste Onofre <jb...@nanthrax.net>
> > Sent: 09 September 2020 10:43
> > To: users@activemq.apache.org <us...@activemq.apache.org>
> > Subject: Re: Please help me with authorisation configuration
> >
> >
> > Hi Fabrice,
> >
> > Are you sure about Activemq.Advisory setup? Did you try ActiveMQ.Advisory.&gt;?
> >
> > Regards
> > JB
> >
> >> On 9 Sep 2020, at 11:31, Fabrice Triboix <fa...@armedia.com> wrote:
> >>
> >> Hello,
> >>
> >> I am using AmazonMQ, which is running ActiveMQ version 5.15.12. I am trying to run Alfresco Repository CE (version 6.3), and it needs to connect to AmazonMQ, but it fails with the following error:
> >>
> >> 2020-09-09 09:06:49,222  ERROR [component.jms.DefaultJmsMessageListenerContainer] [Camel (alfrescoCamelContext) thread #2 - JmsConsumer[acs-repo-rendition-events]] Could not refresh JMS Connection for destination 'acs-repo-rendition-events' - retrying using FixedBackOff{interval=5000, currentAttempts=652, maxAttempts=unlimited}. Cause: User alfresco1 is not authorized to create: topic://ActiveMQ.Advisory.Connection
> >>
> >> Here is the part of the ActiveMQ configuration related to authorization:
> >>
> >>               <authorizationPlugin>
> >>                 <map>
> >>                   <authorizationMap>
> >>                     <authorizationEntries>
> >>                       <authorizationEntry topic="ActiveMQ.Advisory.>" admin="all" read="all" write="all"/>
> >>                       <authorizationEntry queue="alfresco.&gt;" admin="admin" read="admin,alfresco"
> >>                           write="admin,alfresco"/>
> >>                       <authorizationEntry topic="alfresco.Advisory.&gt;" admin="admin" read="admin,alfresco"
> >>                           write="admin,alfresco"/>
> >>                     </authorizationEntries>
> >>                     <tempDestinationAuthorizationEntry>
> >>                       <tempDestinationAuthorizationEntry admin="admin" read="admin" write="admin"/>
> >>                     </tempDestinationAuthorizationEntry>
> >>                   </authorizationMap>
> >>                 </map>
> >>               </authorizationPlugin>
> >>
> >> Anyone would have any idea on what I am doing wrong?
> >>
> >> Many thanks for your help!
> >>
> >> Fabrice
> >>
> >
>
>
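
Added example (not part of any message in this thread, and not ActiveMQ code): a small Python check that reads the authorizationEntry elements posted above and reports which groups may perform the admin action, which covers destination creation, on topic://ActiveMQ.Advisory.Connection. It assumes the attribute values are group names, that the ACLs of all matching entries are combined, and a simplified wildcard matcher; the group memberships shown for alfresco1 are hypothetical, since the thread does not show them.

```python
import xml.etree.ElementTree as ET

# Entries as posted in the thread (tempDestinationAuthorizationEntry omitted).
CONFIG = """
<authorizationEntries>
  <authorizationEntry topic="ActiveMQ.Advisory.>" admin="all" read="all" write="all"/>
  <authorizationEntry queue="alfresco.&gt;" admin="admin" read="admin,alfresco" write="admin,alfresco"/>
  <authorizationEntry topic="alfresco.Advisory.&gt;" admin="admin" read="admin,alfresco" write="admin,alfresco"/>
</authorizationEntries>
"""

def matches(pattern, name):
    """Simplified ActiveMQ wildcard match (assumption of this example):
    '.' separates elements, '*' is one element, '>' is any remaining elements."""
    pat, parts = pattern.split("."), name.split(".")
    for i, p in enumerate(pat):
        if p == ">":
            return True
        if i >= len(parts) or (p != "*" and p != parts[i]):
            return False
    return len(pat) == len(parts)

def allowed_groups(config, kind, name, action):
    """Union of the groups granted `action` by every entry matching the destination."""
    groups = set()
    for entry in ET.fromstring(config).iter("authorizationEntry"):
        pattern = entry.get(kind)  # the 'topic' or 'queue' attribute, if present
        if pattern and matches(pattern, name):
            groups.update(g.strip() for g in entry.get(action, "").split(",") if g.strip())
    return groups

def can(user_groups, config, kind, name, action):
    """True if any of the user's groups is granted `action` on the destination."""
    return bool(set(user_groups) & allowed_groups(config, kind, name, action))

# Hypothetical group memberships (constructed): the thread does not show them.
MEMBERSHIP = {
    "alfresco1": {"alfresco"},               # assumed: not a member of "all"
    "alfresco1_fixed": {"alfresco", "all"},  # assumed: added to "all"
}

if __name__ == "__main__":
    dest = ("topic", "ActiveMQ.Advisory.Connection")
    print("groups with admin:", allowed_groups(CONFIG, *dest, "admin"))
    for user, groups in MEMBERSHIP.items():
        print(user, "may create:", can(groups, CONFIG, *dest, "admin"))
```
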

Re: Please help me with authorisation configuration

Posted by Jean-Baptiste Onofre <jb...@nanthrax.net>.
OK, 

That’s weird as the advisory should be created by the broker itself.

Can you try to put admin and alfresco roles for admin action?

By the way, are you using Advisory? If not, you can disable advisory support.

Regards
JB

> On 9 Sep 2020, at 12:12, Fabrice Triboix <fa...@armedia.com> wrote:
> 
> I replaced ">" with "&gt;" and that didn't make any difference...
> 
> ________________________________
> From: Fabrice Triboix <fa...@armedia.com>
> Sent: 09 September 2020 10:47
> To: users@activemq.apache.org <us...@activemq.apache.org>
> Subject: Re: Please help me with authorisation configuration
> 
> 
> Hi Jean-Baptiste,
> 
> I can try with "&gt;", let's see what happens.
> 
> Thanks,
> 
>  Fabrice
> 
> ________________________________
> From: Jean-Baptiste Onofre <jb...@nanthrax.net>
> Sent: 09 September 2020 10:43
> To: users@activemq.apache.org <us...@activemq.apache.org>
> Subject: Re: Please help me with authorisation configuration
> 
> 
> Hi Fabrice,
> 
> Are you sure about Activemq.Advisory setup? Did you try ActiveMQ.Advisory.&gt;?
> 
> Regards
> JB
> 
>> On 9 Sep 2020, at 11:31, Fabrice Triboix <fa...@armedia.com> wrote:
>> 
>> Hello,
>> 
>> I am using AmazonMQ, which is running ActiveMQ version 5.15.12. I am trying to run Alfresco Repository CE (version 6.3), and it needs to connect to AmazonMQ, but it fails with the following error:
>> 
>> 2020-09-09 09:06:49,222  ERROR [component.jms.DefaultJmsMessageListenerContainer] [Camel (alfrescoCamelContext) thread #2 - JmsConsumer[acs-repo-rendition-events]] Could not refresh JMS Connection for destination 'acs-repo-rendition-events' - retrying using FixedBackOff{interval=5000, currentAttempts=652, maxAttempts=unlimited}. Cause: User alfresco1 is not authorized to create: topic://ActiveMQ.Advisory.Connection
>> 
>> Here is the part of the ActiveMQ configuration related to authorization:
>> 
>>               <authorizationPlugin>
>>                 <map>
>>                   <authorizationMap>
>>                     <authorizationEntries>
>>                       <authorizationEntry topic="ActiveMQ.Advisory.>" admin="all" read="all" write="all"/>
>>                       <authorizationEntry queue="alfresco.&gt;" admin="admin" read="admin,alfresco"
>>                           write="admin,alfresco"/>
>>                       <authorizationEntry topic="alfresco.Advisory.&gt;" admin="admin" read="admin,alfresco"
>>                           write="admin,alfresco"/>
>>                     </authorizationEntries>
>>                     <tempDestinationAuthorizationEntry>
>>                       <tempDestinationAuthorizationEntry admin="admin" read="admin" write="admin"/>
>>                     </tempDestinationAuthorizationEntry>
>>                   </authorizationMap>
>>                 </map>
>>               </authorizationPlugin>
>> 
>> Anyone would have any idea on what I am doing wrong?
>> 
>> Many thanks for your help!
>> 
>> Fabrice
>> 
> 


Re: Please help me with authorisation configuration

Posted by Fabrice Triboix <fa...@armedia.com>.
I replaced ">" with "&gt;" and that didn't make any difference...

________________________________
From: Fabrice Triboix <fa...@armedia.com>
Sent: 09 September 2020 10:47
To: users@activemq.apache.org <us...@activemq.apache.org>
Subject: Re: Please help me with authorisation configuration


Hi Jean-Baptiste,

I can try with "&gt;", let's see what happens.

Thanks,

  Fabrice

________________________________
From: Jean-Baptiste Onofre <jb...@nanthrax.net>
Sent: 09 September 2020 10:43
To: users@activemq.apache.org <us...@activemq.apache.org>
Subject: Re: Please help me with authorisation configuration


Hi Fabrice,

Are you sure about Activemq.Advisory setup? Did you try ActiveMQ.Advisory.&gt;?

Regards
JB

> On 9 Sep 2020, at 11:31, Fabrice Triboix <fa...@armedia.com> wrote:
>
> Hello,
>
> I am using AmazonMQ, which is running ActiveMQ version 5.15.12. I am trying to run Alfresco Repository CE (version 6.3), and it needs to connect to AmazonMQ, but it fails with the following error:
>
> 2020-09-09 09:06:49,222  ERROR [component.jms.DefaultJmsMessageListenerContainer] [Camel (alfrescoCamelContext) thread #2 - JmsConsumer[acs-repo-rendition-events]] Could not refresh JMS Connection for destination 'acs-repo-rendition-events' - retrying using FixedBackOff{interval=5000, currentAttempts=652, maxAttempts=unlimited}. Cause: User alfresco1 is not authorized to create: topic://ActiveMQ.Advisory.Connection
>
> Here is the part of the ActiveMQ configuration related to authorization:
>
>                <authorizationPlugin>
>                  <map>
>                    <authorizationMap>
>                      <authorizationEntries>
>                        <authorizationEntry topic="ActiveMQ.Advisory.>" admin="all" read="all" write="all"/>
>                        <authorizationEntry queue="alfresco.&gt;" admin="admin" read="admin,alfresco"
>                            write="admin,alfresco"/>
>                        <authorizationEntry topic="alfresco.Advisory.&gt;" admin="admin" read="admin,alfresco"
>                            write="admin,alfresco"/>
>                      </authorizationEntries>
>                      <tempDestinationAuthorizationEntry>
>                        <tempDestinationAuthorizationEntry admin="admin" read="admin" write="admin"/>
>                      </tempDestinationAuthorizationEntry>
>                    </authorizationMap>
>                  </map>
>                </authorizationPlugin>
>
> Anyone would have any idea on what I am doing wrong?
>
> Many thanks for your help!
>
>  Fabrice
>


Re: Please help me with authorisation configuration

Posted by Fabrice Triboix <fa...@armedia.com>.
Hi Jean-Baptiste,

I can try with "&gt;", let's see what happens.

Thanks,

  Fabrice

________________________________
From: Jean-Baptiste Onofre <jb...@nanthrax.net>
Sent: 09 September 2020 10:43
To: users@activemq.apache.org <us...@activemq.apache.org>
Subject: Re: Please help me with authorisation configuration


Hi Fabrice,

Are you sure about Activemq.Advisory setup? Did you try ActiveMQ.Advisory.&gt;?

Regards
JB

> On 9 Sep 2020, at 11:31, Fabrice Triboix <fa...@armedia.com> wrote:
>
> Hello,
>
> I am using AmazonMQ, which is running ActiveMQ version 5.15.12. I am trying to run Alfresco Repository CE (version 6.3), and it needs to connect to AmazonMQ, but it fails with the following error:
>
> 2020-09-09 09:06:49,222  ERROR [component.jms.DefaultJmsMessageListenerContainer] [Camel (alfrescoCamelContext) thread #2 - JmsConsumer[acs-repo-rendition-events]] Could not refresh JMS Connection for destination 'acs-repo-rendition-events' - retrying using FixedBackOff{interval=5000, currentAttempts=652, maxAttempts=unlimited}. Cause: User alfresco1 is not authorized to create: topic://ActiveMQ.Advisory.Connection
>
> Here is the part of the ActiveMQ configuration related to authorization:
>
>                <authorizationPlugin>
>                  <map>
>                    <authorizationMap>
>                      <authorizationEntries>
>                        <authorizationEntry topic="ActiveMQ.Advisory.>" admin="all" read="all" write="all"/>
>                        <authorizationEntry queue="alfresco.&gt;" admin="admin" read="admin,alfresco"
>                            write="admin,alfresco"/>
>                        <authorizationEntry topic="alfresco.Advisory.&gt;" admin="admin" read="admin,alfresco"
>                            write="admin,alfresco"/>
>                      </authorizationEntries>
>                      <tempDestinationAuthorizationEntry>
>                        <tempDestinationAuthorizationEntry admin="admin" read="admin" write="admin"/>
>                      </tempDestinationAuthorizationEntry>
>                    </authorizationMap>
>                  </map>
>                </authorizationPlugin>
>
> Anyone would have any idea on what I am doing wrong?
>
> Many thanks for your help!
>
>  Fabrice
>


Re: Please help me with authorisation configuration

Posted by Jean-Baptiste Onofre <jb...@nanthrax.net>.
Hi Fabrice,

Are you sure about Activemq.Advisory setup? Did you try ActiveMQ.Advisory.&gt;?

Regards
JB

> On 9 Sep 2020, at 11:31, Fabrice Triboix <fa...@armedia.com> wrote:
> 
> Hello,
> 
> I am using AmazonMQ, which is running ActiveMQ version 5.15.12. I am trying to run Alfresco Repository CE (version 6.3), and it needs to connect to AmazonMQ, but it fails with the following error:
> 
> 2020-09-09 09:06:49,222  ERROR [component.jms.DefaultJmsMessageListenerContainer] [Camel (alfrescoCamelContext) thread #2 - JmsConsumer[acs-repo-rendition-events]] Could not refresh JMS Connection for destination 'acs-repo-rendition-events' - retrying using FixedBackOff{interval=5000, currentAttempts=652, maxAttempts=unlimited}. Cause: User alfresco1 is not authorized to create: topic://ActiveMQ.Advisory.Connection
> 
> Here is the part of the ActiveMQ configuration related to authorization:
> 
>                <authorizationPlugin>
>                  <map>
>                    <authorizationMap>
>                      <authorizationEntries>
>                        <authorizationEntry topic="ActiveMQ.Advisory.>" admin="all" read="all" write="all"/>
>                        <authorizationEntry queue="alfresco.&gt;" admin="admin" read="admin,alfresco"
>                            write="admin,alfresco"/>
>                        <authorizationEntry topic="alfresco.Advisory.&gt;" admin="admin" read="admin,alfresco"
>                            write="admin,alfresco"/>
>                      </authorizationEntries>
>                      <tempDestinationAuthorizationEntry>
>                        <tempDestinationAuthorizationEntry admin="admin" read="admin" write="admin"/>
>                      </tempDestinationAuthorizationEntry>
>                    </authorizationMap>
>                  </map>
>                </authorizationPlugin>
> 
> Anyone would have any idea on what I am doing wrong?
> 
> Many thanks for your help!
> 
>  Fabrice
>