You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@activemq.apache.org by "Jean-Baptiste Onofré (Jira)" <ji...@apache.org> on 2023/02/18 06:42:00 UTC
[jira] [Resolved] (AMQ-9190) Write permissions are required for poison ack with RedeliveryPlugin
[ https://issues.apache.org/jira/browse/AMQ-9190?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jean-Baptiste Onofré resolved AMQ-9190.
---------------------------------------
Resolution: Not A Problem
> Write permissions are required for poison ack with RedeliveryPlugin
> -------------------------------------------------------------------
>
> Key: AMQ-9190
> URL: https://issues.apache.org/jira/browse/AMQ-9190
> Project: ActiveMQ
> Issue Type: Bug
> Components: Broker
> Affects Versions: 5.16.5
> Reporter: Bastien Bouclet
> Priority: Major
>
> While investigating a JMS consumer that would not dequeue messages from a queue, we noticed the following exception in the broker logs:
>
> {noformat}
> java.lang.RuntimeException: Failed to schedule redelivery for: ID:pcyfynjk-9001-1671943406093-1:1:507:1:173
> ActiveMQ Transport: ssl:///xxx.xxx.xxx.xxx:20773
> java.lang.SecurityException: User consumer-user is not authorized to write to: queue://test-queue
> at org.apache.activemq.security.AuthorizationBroker.send(AuthorizationBroker.java:221)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.broker.BrokerFilter.send(BrokerFilter.java:154)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.broker.util.RedeliveryPlugin.scheduleRedelivery(RedeliveryPlugin.java:198)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.broker.util.RedeliveryPlugin.sendToDeadLetterQueue(RedeliveryPlugin.java:150)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.broker.BrokerFilter.sendToDeadLetterQueue(BrokerFilter.java:320)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.broker.util.LoggingBrokerPlugin.sendToDeadLetterQueue(LoggingBrokerPlugin.java:507)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.broker.BrokerFilter.sendToDeadLetterQueue(BrokerFilter.java:320)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.broker.BrokerFilter.sendToDeadLetterQueue(BrokerFilter.java:320)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.broker.BrokerFilter.sendToDeadLetterQueue(BrokerFilter.java:320)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.broker.region.PrefetchSubscription.sendToDLQ(PrefetchSubscription.java:483)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.broker.region.PrefetchSubscription.acknowledge(PrefetchSubscription.java:362)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.broker.region.AbstractRegion.acknowledge(AbstractRegion.java:534)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.broker.region.RegionBroker.acknowledge(RegionBroker.java:493)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.broker.BrokerFilter.acknowledge(BrokerFilter.java:89)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.broker.BrokerFilter.acknowledge(BrokerFilter.java:89)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.broker.BrokerFilter.acknowledge(BrokerFilter.java:89)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.broker.TransactionBroker.acknowledge(TransactionBroker.java:278)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.broker.BrokerFilter.acknowledge(BrokerFilter.java:89)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.broker.BrokerFilter.acknowledge(BrokerFilter.java:89)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.broker.util.LoggingBrokerPlugin.acknowledge(LoggingBrokerPlugin.java:163)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.broker.BrokerFilter.acknowledge(BrokerFilter.java:89)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.broker.BrokerFilter.acknowledge(BrokerFilter.java:89)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.broker.BrokerFilter.acknowledge(BrokerFilter.java:89)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.broker.TransportConnection.processMessageAck(TransportConnection.java:589)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.command.MessageAck.visit(MessageAck.java:245)[activemq-client-5.16.5.jar:5.16.5]
> at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:335)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:200)[activemq-broker-5.16.5.jar:5.16.5]
> at org.apache.activemq.transport.MutexTransport.onCommand(MutexTransport.java:50)[activemq-client-5.16.5.jar:5.16.5]
> at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:125)[activemq-client-5.16.5.jar:5.16.5]
> at org.apache.activemq.transport.AbstractInactivityMonitor.onCommand(AbstractInactivityMonitor.java:301)[activemq-client-5.16.5.jar:5.16.5]
> at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)[activemq-client-5.16.5.jar:5.16.5]
> at org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:172)[activemq-client-5.16.5.jar:5.16.5]
> at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)[activemq-client-5.16.5.jar:5.16.5]
> at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)[activemq-client-5.16.5.jar:5.16.5]
> at java.base/java.lang.Thread.run(Thread.java:834)[:]{noformat}
>
> This seems to happen when:
>
> * The consumer client user has read permissions only for the queue being consumed
> * Broker redelivery using RedeliveryPlugin is enabled
> * The consumer sends an acknowledge with type POISON_ACK_TYPE
> The broker then errors out with the exception:
> {{java.lang.SecurityException: User consumer-user is not authorized to write to: queue://test-queue}}
> The problem can be worked around by granting write permissions to the user. However it seems this behavior is not intended and should be fixed in ActiveMQ.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)