Posted to users@activemq.apache.org by Benny K <Be...@gmx.net> on 2021/06/14 08:58:41 UTC

Artemis: Struggling with setting up a read-only-user for web-console

Hi people, hope you're doing fine!
I am pretty new to Active MQ.. Never worked with "classic" or artemis before.

I run a simple artemis-2.17.0-Instance and I am really struggling setting up a "read-only-user" for the web-console:

What I did so far:

- As Admin-User I successfully ran an "artemis producer" via CLI to create some messages to the TEST-Queue
- If I log in to the web-console as Admin I can see all queues and I can browse the queues successfully

For setting up the read-only-user I made the following steps and modifications:

- I added a user "view" with the role "view" via artemis-cli

- artemis.profile changed to:
HAWTIO_ROLE='amq,view'


- management.xml:
[...]
<role-access>
         <match domain="org.apache.activemq.artemis">
            <access method="list*" roles="amq,view"/>
            <access method="get*" roles="amq,view"/>
            <access method="is*" roles="amq"/>
            <access method="set*" roles="amq"/>
            <access method="*" roles="amq"/>
         </match>
         <match domain="org.apache.activemq.artemis" key="subcomponent=queues">
            <access method="list*" roles="view,update,amq"/>
            <access method="get*" roles="view,update,amq"/>
            <access method="is*" roles="view,update,amq"/>
            <access method="set*" roles="update,amq"/>
            <access method="*" roles="amq"/>
         </match>



I can log in as user "view" and I can see an overview/list of all queues, but I can't browse the queues.
If I change the line in <match domain="org.apache.activemq.artemis" key="subcomponent=queues">
From
<access method="*" roles="amq"/>
to
<access method="*" roles="amq,view"/>
then I can browse the queues, but I am also able to delete messages.

As far as I understand the method "*" is a catch-all for methods other than "list*", "get*", etc.
But I don't know what other methods there are, I can't find any information in artemis-documentation and google really doesn't help...

Help me Obi-Wan Kenobi, you're my only hope!

Thanks and Best Regards
Benjamin




Re: Artemis: Struggling with setting up a read-only-user for web-console

Posted by Domenico Francesco Bruscino <br...@gmail.com>.
Hi Benjamin,

I see your point, the documentation doesn't include any help to create a
read-only role for management API. Feel free to send a PR[1] to improve the
documentation[2] if you like or to raise a JIRA[3].

[1] https://github.com/apache/activemq-artemis/blob/main/docs/hacking-guide/en/code.md#typical-development-cycle
[2] https://github.com/apache/activemq-artemis/blob/main/docs/user-manual/en/management.md#role-based-authorisation-for-jmx
[3] https://issues.apache.org/jira/projects/ARTEMIS/issues

Thanks,
Domenico

On Mon, 14 Jun 2021 at 12:52, Benny K <Be...@gmx.net> wrote:

>
> Hi again,
>
> I think I found the solution on my own - for whom it may interest, please
> see my results and my comment:
> I am really not experienced in development, etc. I am just a little admin :-)
>
> - I just cloned the artemis-repo from github and did some greps, looking
> for something like "list*", etc...
> - there was a lucky punch looking finally for "access method="list*""
>
> there is a file called
> artemis_github\activemq-artemis\artemis-cli\src\main\resources\org\apache\activemq\artemis\cli\commands\etc\management.xml
>
>
> and within this file there is a little hint:
>
> <!-- Note count and browse are need to access the browse tab in the
> console-->
>             <access method="browse*" roles="${role}"/>
>             <access method="count*" roles="${role}"/>
>
>
> I just updated my own management.xml like:
>
> <match domain="org.apache.activemq.artemis" key="subcomponent=queues">
>    <access method="list*" roles="view,update,amq"/>
>    <access method="get*" roles="view,update,amq"/>
>    <access method="is*" roles="view,update,amq"/>
>    <access method="set*" roles="view,update,amq"/>
>    <access method="browse*" roles="view,amq"/>
>    <access method="count*" roles="view,amq"/>
>    <access method="*" roles="amq"/>
> </match>
>
>
> Now my user "view" is able to browse queues without being able to delete
> messages.
>
> Now I would like to ask, why this is not documented in any way? I mean,
> not every active-mq-operator is experienced in figuring out this stuff..
> for me it was just luck this time...
> I think implementing "read-only-users" for the web-ui is a common
> approach/feature in so many different software.
>
> I would like to ask the project's maintainer to update the documentation. I
> mean you are teasing a "view"-role in default-configuration after fresh
> installs but it is not working without further configuration. How should a
> simple user like me know about other methods like browse* and count* if
> it is not written in the main-documentation?
>
> If I can help in some way please let me know :-) I would like to give
> something back to the community.
>
> Wish you a nice week, stay healthy and best regards
> Benjamin

Re: Artemis: Struggling with setting up a read-only-user for web-console

Posted by Benny K <Be...@gmx.net>.
Hi again,
 
I think I found the solution on my own - for whom it may interest, please see my results and my comment:
I am really not experienced in development, etc. I am just a little admin :-)
 
- I just cloned the artemis-repo from github and did some greps, looking for something like "list*", etc...
- there was a lucky punch looking finally for "access method="list*""
 
there is a file called artemis_github\activemq-artemis\artemis-cli\src\main\resources\org\apache\activemq\artemis\cli\commands\etc\management.xml 

and within this file there is a little hint: 

<!-- Note count and browse are need to access the browse tab in the console-->
            <access method="browse*" roles="${role}"/>
            <access method="count*" roles="${role}"/>


I just updated my own management.xml like: 

<match domain="org.apache.activemq.artemis" key="subcomponent=queues">
   <access method="list*" roles="view,update,amq"/>
   <access method="get*" roles="view,update,amq"/>
   <access method="is*" roles="view,update,amq"/>
   <access method="set*" roles="view,update,amq"/>
   <access method="browse*" roles="view,amq"/>
   <access method="count*" roles="view,amq"/>
   <access method="*" roles="amq"/>
</match>


Now my user "view" is able to browse queues without being able to delete messages.

Now I would like to ask, why this is not documented in any way? I mean, not every active-mq-operator is experienced in figuring out this stuff.. for me it was just luck this time... 
I think implementing "read-only-users" for the web-ui is a common approach/feature in so many different software. 

I would like to ask the project's maintainer to update the documentation. I mean you are teasing a "view"-role in default-configuration after fresh installs but it is not working without further configuration. How should a simple user like me know about other methods like browse* and count* if it is not written in the main-documentation?

If I can help in some way please let me know :-) I would like to give something back to the community.

Wish you a nice week, stay healthy and best regards
Benjamin 
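
Added example (not part of the original posts and not Artemis code): a small Python audit of the queues <match> block posted above, listing what the "view" role can reach; on the posted block it reports that "view" is also listed on set*. The resolution order (exact name, then longest matching prefix, then "*"), the READ_ONLY set and the sample operation names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# The queues <match> block from the post, wrapped in <role-access> so it parses.
POSTED = """
<role-access>
  <match domain="org.apache.activemq.artemis" key="subcomponent=queues">
    <access method="list*" roles="view,update,amq"/>
    <access method="get*" roles="view,update,amq"/>
    <access method="is*" roles="view,update,amq"/>
    <access method="set*" roles="view,update,amq"/>
    <access method="browse*" roles="view,amq"/>
    <access method="count*" roles="view,amq"/>
    <access method="*" roles="amq"/>
  </match>
</role-access>
"""

# Patterns this example treats as read-only (an assumption, not Artemis policy).
READ_ONLY = {"list*", "get*", "is*", "browse*", "count*"}


def load_rules(xml_text, key):
    """Return {method pattern: set of roles} for the <match> with this key."""
    rules = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # ignore an XML namespace if present
        if tag == "match" and el.get("key", "") == key:
            for a in el:
                roles = a.get("roles", "").split(",")
                rules[a.get("method")] = {r.strip() for r in roles if r.strip()}
    return rules


def roles_for(rules, method):
    """Assumed resolution: exact name, else longest prefix pattern, else '*'."""
    if method in rules:
        return rules[method]
    hits = [p for p in rules if p != "*" and p.endswith("*") and method.startswith(p[:-1])]
    return rules[max(hits, key=len)] if hits else rules.get("*", set())


def non_read_patterns(rules, role):
    """Patterns granted to `role` that fall outside the READ_ONLY set."""
    return sorted(p for p, roles in rules.items() if role in roles and p not in READ_ONLY)


if __name__ == "__main__":
    rules = load_rules(POSTED, "subcomponent=queues")
    for op in ("browse", "countMessages", "removeMessages"):  # sample operation names
        print(op, "view" in roles_for(rules, op))
    print("non-read patterns for view:", non_read_patterns(rules, "view"))
```

Running it against a copy of your own management.xml with a different key or role only needs the arguments to load_rules and non_read_patterns changed.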


 
 
 
