Posted to users@activemq.apache.org by Vilius Šumskas <vi...@rivile.lt> on 2022/04/01 10:31:45 UTC

Is Artemis manage role global?

Hi,

I’m trying to understand how exactly Artemis roles work and I have a simple question: is the “manage” role global? For example, if I use addSecuritySettings(), match the address to “somequeue.input.#” and add the role of the user to the manageRoles attribute, will the user then be able to send management messages to the “activemq.management” queue too?

If yes, what other roles need to be not set if I want to confine the user only to his own address space?

--
    Vilius


Re: Is Artemis manage role global?

Posted by Justin Bertram <jb...@apache.org>.
No.


Justin

On Mon, Apr 4, 2022 at 1:47 PM Vilius Šumskas <vi...@rivile.lt>
wrote:

> OK, so does the user have permissions to manage the management address if this
> role is set on "anyotherqueue.#" but not on "activemq.management"?
>
> --
>     Vilius
>
> -----Original Message-----
> From: Justin Bertram <jb...@apache.org>
> Sent: Monday, April 4, 2022 7:11 PM
> To: users@activemq.apache.org
> Subject: Re: Is Artemis manage role global?
>
> Technically speaking you can grant the "manage" role on any address, but
> it is really only applicable for the management address. A user with the
> "manage" role on the management address can send any management message it
> wants (e.g. stop an acceptor, delete messages from a queue, create an
> address, etc.).
>
> Hope that helps!
>
>
> Justin
>
> On Fri, Apr 1, 2022 at 5:32 AM Vilius Šumskas <vi...@rivile.lt>
> wrote:
>
> > Hi,
> >
> > I’m trying to understand how exactly Artemis roles work and I have a
> > simple question: is “manage” role global? For example, if I use
> > addSecuritySettings(), match the address to “somequeue.input.#” and
> > add the role of the user to manageRoles attribute will the user then
> > be able to send management messages to “activemq.management” queue too?
> >
> > If yes, what other roles need to be not set if I want to confine the
> > user only in his own address space?
> >
> > --
> >     Vilius
> >
> >
>

RE: Is Artemis manage role global?

Posted by Vilius Šumskas <vi...@rivile.lt>.
OK, so does the user have permissions to manage the management address if this role is set on "anyotherqueue.#" but not on "activemq.management"?

-- 
    Vilius

-----Original Message-----
From: Justin Bertram <jb...@apache.org> 
Sent: Monday, April 4, 2022 7:11 PM
To: users@activemq.apache.org
Subject: Re: Is Artemis manage role global?

Technically speaking you can grant the "manage" role on any address, but it is really only applicable for the management address. A user with the "manage" role on the management address can send any management message it wants (e.g. stop an acceptor, delete messages from a queue, create an address, etc.).

Hope that helps!


Justin

On Fri, Apr 1, 2022 at 5:32 AM Vilius Šumskas <vi...@rivile.lt>
wrote:

> Hi,
>
> I’m trying to understand how exactly Artemis roles work and I have a
> simple question: is “manage” role global? For example, if I use 
> addSecuritySettings(), match the address to “somequeue.input.#” and 
> add the role of the user to manageRoles attribute will the user then 
> be able to send management messages to “activemq.management” queue too?
>
> If yes, what other roles need to be not set if I want to confine the 
> user only in his own address space?
>
> --
>     Vilius
>
>

Re: Is Artemis manage role global?

Posted by Justin Bertram <jb...@apache.org>.
Technically speaking you can grant the "manage" role on any address, but it
is really only applicable for the management address. A user with the
"manage" role on the management address can send any management message it
wants (e.g. stop an acceptor, delete messages from a queue, create an
address, etc.).

Hope that helps!


Justin

On Fri, Apr 1, 2022 at 5:32 AM Vilius Šumskas <vi...@rivile.lt>
wrote:

> Hi,
>
> I’m trying to understand how exactly Artemis roles work and I have a
> simple question: is “manage” role global? For example, if I use
> addSecuritySettings(), match the address to “somequeue.input.#” and add the
> role of the user to manageRoles attribute will the user then be able to
> send management messages to “activemq.management” queue too?
>
> If yes, what other roles need to be not set if I want to confine the user
> only in his own address space?
>
> --
>     Vilius
>
>
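
The scoping discussed in this thread, written out as a broker.xml fragment. This is an added example, not part of the original posts and not the project's own configuration; the role names "tenant-a" and "ops-admin" are hypothetical, and the address matches are the ones quoted in the thread.

```xml
<!-- Added illustration for broker.xml (inside <core>). The role names
     "tenant-a" and "ops-admin" are hypothetical. -->
<security-settings>

   <!-- Tenant address space: messaging permissions only. Adding
        type="manage" here would not let tenant-a use
        activemq.management, so it is left out rather than granted
        to no effect. -->
   <security-setting match="somequeue.input.#">
      <permission type="createDurableQueue" roles="tenant-a"/>
      <permission type="createNonDurableQueue" roles="tenant-a"/>
      <permission type="send" roles="tenant-a"/>
      <permission type="consume" roles="tenant-a"/>
      <permission type="browse" roles="tenant-a"/>
   </security-setting>

   <!-- Management address: the one place where "manage" takes effect.
        A role listed here can send any management message (stop an
        acceptor, delete messages from a queue, create an address),
        so keep it to operators. -->
   <security-setting match="activemq.management">
      <permission type="manage" roles="ops-admin"/>
   </security-setting>

   <!-- Catch-all: "#" applies to every address without a more
        specific setting. With the explicit block above, the
        management address no longer falls through to this one.
        Without that block, any role given "manage" here would hold
        it on activemq.management as well, so keep tenant roles out
        of "manage" in this block too. -->
   <security-setting match="#">
      <permission type="send" roles="ops-admin"/>
      <permission type="consume" roles="ops-admin"/>
      <permission type="manage" roles="ops-admin"/>
   </security-setting>

</security-settings>
```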