Posted to issues@activemq.apache.org by "Justin Bertram (Jira)" <ji...@apache.org> on 2022/09/08 18:38:00 UTC

[jira] [Commented] (ARTEMIS-3974) Enforce security on temporary queues

    [ https://issues.apache.org/jira/browse/ARTEMIS-3974?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17601956#comment-17601956 ] 

Justin Bertram commented on ARTEMIS-3974:
-----------------------------------------

bq. There is no way to limit clients for creating\reading tmp queues.

There _is_ a way to limit clients for creating/reading temporary queues. However, it requires using the {{#}} match in your {{security-setting}} so its usefulness is limited. For example, you could use this {{security-setting}} to allow only users in the {{myRole}} role to create & delete temporary queues and consume from them:
{code:xml}
         <security-setting match="#">
            <permission roles="myRole" type="createNonDurableQueue"/>
            <permission roles="myRole" type="deleteNonDurableQueue"/>
            <permission roles="myRole" type="consume"/>
         </security-setting>{code}

bq. On one hand server has no ability to set limitation per user basis...

Security is enforced based on a user's *role*. You can read more about role-based access control in [the documentation|https://activemq.apache.org/components/artemis/documentation/latest/security.html#role-based-security-for-addresses].

bq. I wonder will it be OK to add configurable tmp queue prefix for the JMS Client?

This would be an adequate solution for the core JMS client. However, the broker supports lots of different protocols and this solution wouldn't apply to those. This problem needs to be addressed in a comprehensive way on the broker, which is why ARTEMIS-3692 was opened.

I'm closing this issue as a duplicate of ARTEMIS-3692.

> Enforce security on temporary queues
> ------------------------------------
>
>                 Key: ARTEMIS-3974
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3974
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>            Reporter: Vadzim
>            Assignee: Justin Bertram
>            Priority: Major
>
> Hi, looks like there is serious issue with administrating temporary queues.
> There is no way to limit clients for creating\reading tmp queues.
> On one hand server has no ability to set limitation per user basis,
> On other hand Artemis JMS client create UUID named generic queue.
> I wonder will it be OK to add configurable tmp queue prefix for the JMS Client?
> Will it work on server side?
> Will you accept a code for  Artemis JMS Client that handles  tmp queue prefix?
> The code to see:
> {code:java}
> org.apache.activemq.artemis.jms.client.ActiveMQSession#createTemporaryQueue()
> org.apache.activemq.artemis.jms.client.ActiveMQDestination#createTemporaryQueue(org.apache.activemq.artemis.jms.client.ActiveMQSession){code}
> {code:java}
> public static ActiveMQTemporaryQueue createTemporaryQueue(final ActiveMQSession session) {
>    String address = UUID.randomUUID().toString();
>    // configurable prefix + address here
>    return createTemporaryQueue(address, session);
> }{code}
> Thanks for the great product.
>  



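The comment above says temporary queues can only be restricted through the {{#}} match, and the issue description notes that the JMS client names them with a bare UUID. The following added example (not code from the post or from Artemis) is a simplified model of the broker's wildcard syntax that shows which {{security-setting}} matches apply to such an address. The match list and the {{temp.}} prefix are constructed for illustration.

```python
import uuid

DELIM = "."  # default word delimiter in the Artemis wildcard syntax


def matches(pattern: str, address: str) -> bool:
    """Simplified model of address matching.

    '#' stands for any sequence of words (including none),
    '*' stands for exactly one word. Not the broker's own implementation.
    """
    p, a = pattern.split(DELIM), address.split(DELIM)

    def walk(i: int, j: int) -> bool:
        if i == len(p):
            return j == len(a)
        if p[i] == "#":
            # '#' may absorb zero or more of the remaining words
            return any(walk(i + 1, k) for k in range(j, len(a) + 1))
        if j == len(a):
            return False
        return p[i] in ("*", a[j]) and walk(i + 1, j + 1)

    return walk(0, 0)


def applicable(settings, address):
    """Return the configured matches that cover the given address."""
    return [m for m in settings if matches(m, address)]


def temp_address(prefix: str = "") -> str:
    """Model of the client naming a temporary queue: optional prefix + UUID."""
    return prefix + str(uuid.uuid4())


# Constructed set of security-setting match values (assumption, not from the issue).
SETTINGS = ["#", "orders.#", "temp.#"]

if __name__ == "__main__":
    # A bare UUID shares no prefix with any address pattern, so only "#" covers it.
    print(applicable(SETTINGS, temp_address()))         # ['#']
    # With the hypothetical prefix from the issue, a narrower match becomes usable.
    print(applicable(SETTINGS, temp_address("temp.")))  # ['#', 'temp.#']
    # "#" also covers ordinary addresses, which is why it is a blunt tool.
    print(applicable(SETTINGS, "orders.eu.new"))        # ['#', 'orders.#']
```
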