Posted to users@activemq.apache.org by Doug Whitfield <dw...@perforce.com> on 2022/03/17 17:52:08 UTC

Artemis Configure Management Console to Support Secure Addresses

Hi folks,

I have a few requirements. I’m not sure they can all be accomplished in Artemis by default, but before setting up a separate instance of hawtio or some other reverse proxy, I figured I would ask.

We are using apache-artemis-2.19.1. I have configured a secure address/queue (Secure.Test) and am trying to configure the management console accordingly. I am trying to make it so that only a user with the secure role can access the Secure.Test queue (Send / Move / Delete / Browse Messages).

Ideally we would like the address to not even appear in the management console if the user does not have the secure role. This in particular I am not sure we are going to get out of the box.

Currently the readonly (viewer role) user can browse messages on all queues, including the Secure.Test queue. It is also able to move and delete messages from all queues, including the Secure.Test queue. We would prefer to limit the readonly user (viewer role) to only seeing the contents of the Attributes tab and browsing messages on any queue that is not defined as “secure”, such as the Secure.Test queue.

Best Regards,
--

Doug Whitfield | Enterprise Architect, OpenLogic

This e-mail may contain information that is privileged or confidential. If you are not the intended recipient, please delete the e-mail and any attachments and notify us immediately.


Re: Artemis Configure Management Console to Support Secure Addresses

Posted by Domenico Francesco Bruscino <br...@gmail.com>.
Hi Doug,

all users with the role defined by the `hawtio.role` property can access
the console and see the full list of the addresses.

Role Based Authorisation[1] allows limiting access to a specific
queue, i.e. to allow access to `secureQueue` only for users with the
`secure` role, the following `match` element has to be added to the
`management.xml` file:

<match domain="org.apache.activemq.artemis" key="queue=secureQueue">
   <access method="list*" roles="secure"/>
   <access method="get*" roles="secure"/>
   <access method="is*" roles="secure"/>
   <access method="set*" roles="secure"/>
   <access method="*" roles="secure"/>
</match>

See the following example to define a viewer-only role:

<role-access>
  <match domain="org.apache.activemq.artemis">
     <access method="list*" roles="view,update,amq"/>
     <access method="get*" roles="view,update,amq"/>
     <access method="is*" roles="view,update,amq"/>
     <access method="browse*" roles="view,update,amq"/>
     <access method="count*" roles="view,update,amq"/>
     <access method="set*" roles="update,amq"/>
     <access method="*" roles="amq"/>
  </match>
</role-access>

[1]
https://activemq.apache.org/components/artemis/documentation/latest/management.html#role-based-authorisation-for-jmx

Regards,
Domenico

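An added example, not part of the thread or of Artemis itself: a small Python checker that loads the viewer-only `role-access` rules from the reply plus a keyed `match` for the Secure.Test queue from the question, and reports which QueueControl operations a given role can reach on a given queue. The match precedence it models (a keyed `match` wins over the bare-domain one, first fitting method pattern inside it decides) and the way ObjectName key properties are compared are assumptions, not a reading of the broker's code; the queue name "Orders" is constructed.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed role-access fragment: the viewer-only rules from the reply plus a
# per-queue override for Secure.Test (in management.xml this sits under
# <management-context><authorisation>).
ROLE_ACCESS_XML = """<role-access>
  <match domain="org.apache.activemq.artemis">
    <access method="list*" roles="view,update,amq"/>
    <access method="get*" roles="view,update,amq"/>
    <access method="is*" roles="view,update,amq"/>
    <access method="browse*" roles="view,update,amq"/>
    <access method="count*" roles="view,update,amq"/>
    <access method="set*" roles="update,amq"/>
    <access method="*" roles="amq"/>
  </match>
  <match domain="org.apache.activemq.artemis" key="queue=Secure.Test">
    <access method="*" roles="secure"/>
  </match>
</role-access>"""

def load_rules(xml_text):
    """Parse each <match> into (domain, key or None, [(method pattern, roles)])."""
    rules = []
    for match in ET.fromstring(xml_text).iter("match"):
        accesses = [(a.get("method"), set(a.get("roles").split(",")))
                    for a in match.findall("access")]
        rules.append((match.get("domain"), match.get("key"), accesses))
    return rules

def allowed_roles(rules, domain, props, method):
    """Roles allowed to invoke `method` on the MBean with `domain` and key props.
    Modelled semantics (an assumption, not Artemis's code): a keyed <match>
    beats the bare-domain one; the first fitting <access> pattern decides."""
    candidates = []
    for rdomain, rkey, accesses in rules:
        key, _, value = (rkey or "=").partition("=")
        if rdomain == domain and (rkey is None or props.get(key) == value):
            candidates.append((rkey is not None, accesses))
    if not candidates:
        return set()
    for pattern, roles in max(candidates, key=lambda c: c[0])[1]:
        if fnmatchcase(method, pattern):
            return roles
    return set()

def audit_queue(rules, queue, role, methods=("browse", "getMessageCount", "moveMessages", "removeMessages")):
    """Map each QueueControl operation to whether `role` may call it on `queue`."""
    # ObjectName values modelled without their quotes (assumption about key matching).
    props = {"component": "addresses", "subcomponent": "queues", "queue": queue}
    return {m: role in allowed_roles(rules, "org.apache.activemq.artemis", props, m)
            for m in methods}
```

Under these modelled semantics the keyed `match` replaces the domain-wide rules rather than extending them, so every role that should keep access to Secure.Test (the admin role included) must be listed in it explicitly.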