Posted to users@activemq.apache.org by Big Puritz <bi...@gmail.com> on 2018/03/22 16:29:19 UTC

[artemis] Naming-Pattern for temporary "reply"-queues and exclusive permissions

Hello,

as far as I can see, while using the "request-reply" pattern the broker
creates a temporary "reply"-queue with the name according to the UUID
naming pattern, e.g. ca8f4510-5e58-48e7-a4f0-55abf8a43d8e.

To be able to create these queues the user is required to have an
appropriate CREATE_NON_DURABLE_QUEUE permission.

That can be achieved with the following configuration (please correct me if
I'm wrong):

<address-setting match="#">
   ...
   <auto-create-queues>true</auto-create-queues>
   <auto-create-addresses>true</auto-create-addresses>
   ...
</address-setting>

<security-setting match="#">
   ...
   <permission type="createNonDurableQueue" roles="..."/>
   <permission type="deleteNonDurableQueue" roles="..."/>
   ...
</security-setting>


However, this configuration makes creation of every non-durable queue
possible, not only the temporary one.

How can I limit the permissions to create temporary queues only? Is there
any possibility to specify the naming-pattern for the temporary queues,
e.g. "temp.<uuid>" or something like this?

Thanks in advance.

Re: [artemis] Naming-Pattern for temporary "reply"-queues and exclusive permissions

Posted by Justin Bertram <jb...@apache.org>.
I don't believe it would be possible to modify the name of a temporary
queue on the broker as the client is expecting the broker to use the name
it supplies. These names come from the various client implementations.  In
the case of the core JMS client the temporary queue name comes from
java.util.UUID#randomUUID.  In the case of the OpenWire JMS client the
temporary queue name comes from
org.apache.activemq.util.LongSequenceGenerator.  In the case of the Qpid
JMS client the temporary queue name comes from a combination of the
connection ID and a sequence number.  Each of these clients expects the
broker to create a queue according to the name it provides.  Modifying the
name on the broker side would break them (and any other client using
temporary queues from a different protocol).

For what it's worth, the temporary queue is the only kind of queue that a
JMS client can explicitly create on the broker physically.  The other
createQueue [1] and createTopic [2] methods simply create an object that
encapsulates the name of a queue. They do not create the physical queue on
the broker.  Therefore, if you turn off auto-creation and you're using JMS
clients then you shouldn't need to worry about clients creating
non-temporary non-durable queues.

Hope that helps.


Justin

[1] https://docs.oracle.com/javaee/7/api/javax/jms/Session.html#createQueue-java.lang.String-
[2] https://docs.oracle.com/javaee/7/api/javax/jms/Session.html#createTopic-java.lang.String-
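
An added example, not part of the thread or of Artemis itself: a small Python audit that lists what a catch-all security-setting (match="#"), like the workaround posted in this thread, grants beyond temporary-queue use, and reports whether the auto-create switches are set explicitly for the catch-all. The allow-list TEMP_QUEUE_PERMS, the function names and the <core> wrapper around the sample are assumptions.

```python
import xml.etree.ElementTree as ET

# Assumption (not from the thread): what a role needs on "#" for temp reply queues only.
TEMP_QUEUE_PERMS = {"createNonDurableQueue", "deleteNonDurableQueue", "consume", "send"}
# Constructed sample: the thread's catch-all security-setting and FOOBAR address-setting.
PERMS = ["createNonDurableQueue", "deleteNonDurableQueue", "createDurableQueue",
         "deleteDurableQueue", "createAddress", "deleteAddress",
         "consume", "browse", "send", "manage"]
SAMPLE = """<core xmlns="urn:activemq:core">
  <security-settings><security-setting match="#">
%s
  </security-setting></security-settings>
  <address-settings><address-setting match="FOOBAR">
    <auto-create-queues>false</auto-create-queues>
    <auto-create-addresses>false</auto-create-addresses>
  </address-setting></address-settings>
</core>""" % "\n".join('    <permission type="%s" roles="mq_tests" />' % p for p in PERMS)


def local(tag):
    """Drop the XML namespace that broker.xml puts on every element."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text, catch_all="#"):
    """Return (excess, auto_create) for settings whose match is the catch-all.

    excess: role -> permission types granted outside TEMP_QUEUE_PERMS.
    auto_create: auto-create-* element -> value; empty means none set explicitly.
    """
    excess, auto_create = {}, {}
    for el in ET.fromstring(xml_text).iter():
        if el.get("match") != catch_all:
            continue
        if local(el.tag) == "security-setting":
            for perm in el:
                ptype = perm.get("type")
                if local(perm.tag) != "permission" or ptype in TEMP_QUEUE_PERMS:
                    continue
                for role in perm.get("roles", "").split(","):
                    if role.strip():
                        excess.setdefault(role.strip(), set()).add(ptype)
        elif local(el.tag) == "address-setting":
            for child in el:
                if local(child.tag).startswith("auto-create-"):
                    auto_create[local(child.tag)] = (child.text or "").strip()
    return excess, auto_create


if __name__ == "__main__":
    excess, auto_create = audit(SAMPLE)
    for role, perms in sorted(excess.items()):
        print(f'{role}: granted on "#" beyond temp-queue use: {", ".join(sorted(perms))}')
    print("catch-all auto-create settings:", auto_create or "none set explicitly")
```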

On Tue, Mar 27, 2018 at 3:58 AM, Big Puritz <bi...@gmail.com> wrote:


Re: [artemis] Naming-Pattern for temporary "reply"-queues and exclusive permissions

Posted by Big Puritz <bi...@gmail.com>.
Hi Justin,

thank you for your reply.

I am testing with a minimally modified version of the RequestReply example
from the Artemis Repository. Minimally modified means that I test against a
standalone, pre-configured Artemis instance (2.5.0).

In the code the "request" message is sent to the *FOOBAR* queue with the
user *mq_test* (role: *mq_tests*). Here are my settings:

<security-setting match="FOOBAR.#">
    <permission type="createNonDurableQueue" roles="mq_tests" />
    <permission type="deleteNonDurableQueue" roles="mq_tests" />
    <permission type="createDurableQueue" roles="mq_tests" />
    <permission type="deleteDurableQueue" roles="mq_tests" />
    <permission type="createAddress" roles="mq_tests" />
    <permission type="deleteAddress" roles="mq_tests" />
    <permission type="consume" roles="mq_tests" />
    <permission type="browse" roles="mq_tests" />
    <permission type="send" roles="mq_tests" />
    <permission type="manage" roles="mq_tests" />
</security-setting>

<address-setting match="FOOBAR">
    <dead-letter-address>FOOBAR._DLQ_</dead-letter-address>
    <expiry-address>FOOBAR._EXPQ_</expiry-address>
    <redelivery-delay>0</redelivery-delay>
    <max-delivery-attempts>3</max-delivery-attempts>
    <max-size-bytes>-1</max-size-bytes>
    <message-counter-history-day-limit>10</message-counter-history-day-limit>
    <address-full-policy>PAGE</address-full-policy>
    <auto-create-queues>false</auto-create-queues>
    <auto-create-addresses>false</auto-create-addresses>
    <auto-delete-queues>false</auto-delete-queues>
    <auto-delete-addresses>false</auto-delete-addresses>
</address-setting>

<address name="FOOBAR">
    <anycast>
        <queue name="FOOBAR" />
    </anycast>
</address>
<address name="FOOBAR._DLQ_">
    <anycast>
        <queue name="FOOBAR._DLQ_" />
    </anycast>
</address>
<address name="FOOBAR._EXPQ_">
    <anycast>
        <queue name="FOOBAR._EXPQ_" />
    </anycast>
</address>


When trying to create a temporary queue, I get the following error message:
User: mq_test does not have permission='CREATE_NON_DURABLE_QUEUE' for queue
382aa141-d0b7-4e59-82d4-c9f9f21326ae on address
382aa141-d0b7-4e59-82d4-c9f9f21326ae


javax.jms.JMSSecurityException: AMQ119213: User: mq_test does not have
permission='CREATE_NON_DURABLE_QUEUE' for queue
382aa141-d0b7-4e59-82d4-c9f9f21326ae on address
382aa141-d0b7-4e59-82d4-c9f9f21326ae
    at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:409)
    at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:319)
    at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQSessionContext.createQueue(ActiveMQSessionContext.java:624)
    at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.internalCreateQueue(ClientSessionImpl.java:1841)
    at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.createTemporaryQueue(ClientSessionImpl.java:429)
    at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.createTemporaryQueue(ClientSessionImpl.java:416)
    at org.apache.activemq.artemis.jms.client.ActiveMQSession.createTemporaryQueue(ActiveMQSession.java:877)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.jms.connection.CachingConnectionFactory$CachedSessionInvocationHandler.invoke(CachingConnectionFactory.java:389)
    at com.sun.proxy.$Proxy18.createTemporaryQueue(Unknown Source)
    at de.finkonsens.geco.mila.nadien.client.test.RequestReplyExample.lambda$send$0(RequestReplyExample.java:65)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION
message=AMQ119213: User: mq_test does not have
permission='CREATE_NON_DURABLE_QUEUE' for queue
382aa141-d0b7-4e59-82d4-c9f9f21326ae on address
382aa141-d0b7-4e59-82d4-c9f9f21326ae]
    ... 17 more



The example works only after I modify the security settings configuration
like this:

<security-setting match="#">
    <permission type="createNonDurableQueue" roles="mq_tests" />
    <permission type="deleteNonDurableQueue" roles="mq_tests" />
    <permission type="createDurableQueue" roles="mq_tests" />
    <permission type="deleteDurableQueue" roles="mq_tests" />
    <permission type="createAddress" roles="mq_tests" />
    <permission type="deleteAddress" roles="mq_tests" />
    <permission type="consume" roles="mq_tests" />
    <permission type="browse" roles="mq_tests" />
    <permission type="send" roles="mq_tests" />
    <permission type="manage" roles="mq_tests" />
</security-setting>





On Mon, Mar 26, 2018 at 8:51 PM, Justin Bertram <jb...@apache.org> wrote:


Re: [artemis] Naming-Pattern for temporary "reply"-queues and exclusive permissions

Posted by Justin Bertram <jb...@apache.org>.
What protocol or API are you using for your request-reply work?  Off the
top of my head I wouldn't expect the auto-create attributes would need to
be true in order to create temporary queues.


Justin
