Posted to users@activemq.apache.org by hobojoe <go...@leidos.com> on 2019/07/02 19:56:58 UTC

Minimum security settings to consume

I recently tried to set up security following the Artemis security example. I
would like to have a read-only Topic like,

<addresses>
       <address name="some.topic.name">
               <multicast/>
       </address>
</addresses>

With consume only permissions like,

<security-settings>
       <security-setting match="some.topic.name">
               <permission roles="user" type="consume"/>
       </security-setting>
</security-settings>

When I try to connect to the broker I get the error:
Setup of JMS message listener invoker failed for destination
'some.topic.name' - trying to recover. Cause: AMQ119213: User: someUser does
not have permission='CREATE_NON_DURABLE_QUEUE' for queue.

If I change security to,
<security-settings>
       <security-setting match="some.topic.name">
               <permission roles="user" type="consume"/>
               <permission roles="user" type="createNonDurableQueue"/> <!-- added -->
       </security-setting>
</security-settings>

It works? Does this indicate that I set up the Topic incorrectly? Why would I
need to have createNonDurableQueue permissions just to consume?

Any help is appreciated.




Re: Minimum security settings to consume

Posted by Justin Bertram <jb...@apache.org>.
> It works?

Yes, it should work.

> Does this indicate that I setup the Topic incorrectly?

No.

> Why would I need to have createNonDurableQueue permissions just to consume?

JMS ideas are mapped onto concrete implementations in the broker. In your
case, a JMS "topic" is mapped onto the core implementation of an address
which supports multicast routing. When your JMS client wants to consume
from a topic it creates a "subscription" and then receives messages from
that subscription. This JMS "subscription" is mapped onto the core
implementation of a queue on the aforementioned multicast address. In the
case of a non-durable JMS subscriber the client creates a non-durable core
queue and therefore requires the "createNonDurableQueue" permission.

This is discussed in the documentation [1].


Justin

[1]
http://activemq.apache.org/components/artemis/documentation/latest/jms-core-mapping.html

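Added example, not part of either message or of the Artemis project: a small Python check that reads a broker.xml-style fragment and reports, for each role allowed to consume from a multicast address, which kinds of subscription that role can actually create. The function names, the `<core>` wrapper and the sample input are assumptions made for illustration; the durable case (`createDurableQueue`) goes beyond the non-durable case discussed in the thread, and only exact `match` names are checked.

```python
import xml.etree.ElementTree as ET

# Extra permission a subscriber needs besides "consume", per subscription kind.
SUBSCRIPTION_PERMS = {"non-durable": "createNonDurableQueue",
                      "durable": "createDurableQueue"}

def _named(root, name):
    """All descendants with this local tag name (namespace prefix ignored)."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit_consumers(broker_xml):
    """Return (address, role, kinds) per role that may consume from a multicast
    address; empty kinds means subscribing fails as in the thread (AMQ119213)."""
    root = ET.fromstring(broker_xml)
    multicast = {a.get("name") for a in _named(root, "address")
                 if _named(a, "multicast")}
    findings = []
    for setting in _named(root, "security-setting"):
        address = setting.get("match")
        if address not in multicast:  # exact names only, wildcards not resolved
            continue
        granted = {}  # permission type -> roles holding it
        for perm in _named(setting, "permission"):
            roles = {r.strip() for r in perm.get("roles", "").split(",")}
            granted.setdefault(perm.get("type"), set()).update(roles - {""})
        for role in sorted(granted.get("consume", ())):
            kinds = [kind for kind, needed in SUBSCRIPTION_PERMS.items()
                     if role in granted.get(needed, ())]
            findings.append((address, role, kinds))
    return findings

# Constructed sample input modelled on the fragments in the thread.
TEMPLATE = """<core>
  <addresses>
    <address name="some.topic.name"><multicast/></address>
  </addresses>
  <security-settings>
    <security-setting match="some.topic.name">
      <permission roles="user" type="consume"/>{extra}
    </security-setting>
  </security-settings>
</core>"""
CONSUME_ONLY = TEMPLATE.format(extra="")
WITH_QUEUE_PERM = TEMPLATE.format(
    extra='<permission roles="user" type="createNonDurableQueue"/>')

if __name__ == "__main__":
    for label, xml in (("consume only", CONSUME_ONLY), ("fixed", WITH_QUEUE_PERM)):
        print(label, audit_consumers(xml))
```

A role reported with an empty list can read from a pre-existing queue but cannot open a topic subscription; a role reported with `["non-durable"]` holds exactly the two permissions the thread ends with.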