Artemis 2.0 Security settings

abhijith
Hi,

With 1.x we had configured security settings and topic like below

<jms xmlns="urn:activemq:jms">
    <queue name="DLQ"/>
    <queue name="ExpiryQueue"/>
    <queue name="divertQueue1"/>
    <queue name="divertQueue2"/>

    <topic name="exampleTopic"/>
    <topic name="divertTopic"/>
</jms>

<security-settings>
    <security-setting match="jms.queue.#">
        <permission type="createDurableQueue" roles="admin"/>
        <permission type="deleteDurableQueue" roles="admin"/>
        <permission type="createNonDurableQueue" roles="admin"/>
        <permission type="deleteNonDurableQueue" roles="admin"/>
        <permission type="consume" roles="admin"/>
        <permission type="send" roles="admin"/>
    </security-setting>
    <security-setting match="jms.topic.#">
        <permission type="createDurableQueue" roles="admin"/>
        <permission type="deleteDurableQueue" roles="admin"/>
        <permission type="createNonDurableQueue" roles="admin"/>
        <permission type="deleteNonDurableQueue" roles="admin"/>
        <permission type="consume" roles="admin"/>
        <permission type="send" roles="admin"/>
    </security-setting>
</security-settings>

With the move to 2.x, I ran the migrate1x command. That changed my JMS declaration as below:

<addresses>
    <address name="ExpiryQueue">
        <anycast>
            <queue name="ExpiryQueue"/>
        </anycast>
    </address>
    <address name="exampleTopic">
        <multicast/>
    </address>
    <address name="DLQ">
        <anycast>
            <queue name="DLQ"/>
        </anycast>
    </address>
    <address name="divertQueue2">
        <anycast>
            <queue name="divertQueue2"/>
        </anycast>
    </address>
    <address name="divertTopic">
        <multicast/>
    </address>
    <address name="divertQueue1">
        <anycast>
            <queue name="divertQueue1"/>
        </anycast>
    </address>
</addresses>

I see two issues with it. The first is that the security settings did not change. If the previous convention was to add 'jms.queue' and 'jms.topic', then I think the migrate command can take care of it.
To fix this I updated the acceptor to add the prefix:

<acceptor name="netty-acceptor">tcp://localhost:61616?anycastPrefix=jms.queue.;multicastPrefix=jms.topic.</acceptor>

But it still fails with the error message below. Notice that it does not give the right address name:

Caused by: javax.jms.JMSSecurityException: AMQ119032: User: admin does not have permission='CREATE_DURABLE_QUEUE' on address ykkUjHVg
        at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:412)
        at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:322)
        at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQSessionContext.createQueue(ActiveMQSessionContext.java:635)
        at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.internalCreateQueue(ClientSessionImpl.java:1836)
        at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.createQueue(ClientSessionImpl.java:389)
        at org.apache.activemq.artemis.jms.client.ActiveMQSession.createConsumer(ActiveMQSession.java:670)
        at org.apache.activemq.artemis.jms.client.ActiveMQSession.createConsumer(ActiveMQSession.java:359)
        at org.apache.activemq.artemis.jms.client.ActiveMQSession.createConsumer(ActiveMQSession.java:331)
        at org.apache.activemq.artemis.jms.client.ActiveMQJMSContext.createConsumer(ActiveMQJMSContext.java:371)
        ... 29 more
Caused by: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ119032: User: admin does not have permission='CREATE_DURABLE_QUEUE' on address ykkUjHVg]
        ... 38 more

Please let me know if I am doing anything wrong?  Do I need to change my address setting manually?  If I set it to generic '#' then it works fine.

Re: Artemis 2.0 Security settings

clebertsuconic
You could just remove the prefix from the security settings.


I would use Artemis 2.1 already. I'm about to send the release announcement.

On Mon, May 15, 2017 at 4:51 PM, abhijith <[hidden email]> wrote:




--
Clebert Suconic

Re: Artemis 2.0 Security settings

abhijith
This post was updated on .
Yes, removing prefix is one option.  My queries are

1.  Shouldn't migrate cover moving security setting and diverts?
2. Are anycastPrefix and multicastPrefix working correctly?  On another post Justin had confirmed that adding them should resolve other things.
3. Not sure why a random address is printed when permissions are not there?  This would complicate debugging.

I will switch to 2.1.  Will any of the above issues be fixed in 2.1?

Re: Artemis 2.0 Security settings

jbertram
I'm not sure what the problem is (if anything).

Can you provide a reproducible test-case (e.g. based on one of the examples shipped with Artemis)?


Justin

----- Original Message -----
From: "abhijith" <[hidden email]>
To: [hidden email]
Sent: Monday, May 15, 2017 8:11:18 PM
Subject: Re: Artemis 2.0 Security settings

Yes, removing prefix is one option.  My queries are

1.  Shouldn't migrate cover moving security setting and diverts?
2. Are anycastPrefix and multicastPrefix working correctly?  On another post
Justin had confirmed that adding them should resolve other things.
3. Why is a random address printed when permissions are not there?  This
would complicate debugging.

I will switch to 2.1.  Will any of the above issues be fixed in 2.1?





Re: Artemis 2.0 Security settings

jbertram
In reply to this post by abhijith
> First is security settings did not change.  If previous convention was to add 'jms.queue' and 'jms.topic' then I think migrate command can take care of it.

Agreed.

However, using anycastPrefix and multicastPrefix on your acceptor won't fix your security settings. Those should be updated so that they no longer use the prefix, since your addresses and queues no longer use the prefix. The prefixes are mainly for legacy clients that still use the old conventions.


Justin

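A static check for the mismatch discussed in this thread, added here as an example (it is not code from the thread or from the Artemis project): it parses a broker configuration, applies the default Artemis wildcard rules to each security-setting match, and reports addresses that no setting covers plus matches that cover nothing. The sample XML is constructed from the configuration quoted in the first post, the function names are hypothetical, and only statically configured addresses are seen, not ones created at runtime.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the migrated 2.x addresses from the thread next to the
# unchanged 1.x-style security settings (permissions abbreviated).
BROKER_XML = """
<core xmlns="urn:activemq:core">
  <security-settings>
    <security-setting match="jms.queue.#">
      <permission type="createDurableQueue" roles="admin"/>
    </security-setting>
    <security-setting match="jms.topic.#">
      <permission type="createDurableQueue" roles="admin"/>
    </security-setting>
  </security-settings>
  <addresses>
    <address name="DLQ"><anycast><queue name="DLQ"/></anycast></address>
    <address name="divertQueue1"><anycast><queue name="divertQueue1"/></anycast></address>
    <address name="exampleTopic"><multicast/></address>
  </addresses>
</core>
"""

def wildcard_match(pattern, address):
    """Default Artemis wildcard syntax: '.' separates words, '*' matches
    exactly one word, '#' matches any sequence of zero or more words."""
    def walk(p, a):
        if not p:
            return not a
        if p[0] == "#":
            return any(walk(p[1:], a[i:]) for i in range(len(a) + 1))
        return bool(a) and p[0] in ("*", a[0]) and walk(p[1:], a[1:])
    return walk(pattern.split("."), address.split("."))

def audit(xml_text):
    """Return (addresses no security-setting covers, matches covering no address)."""
    root = ET.fromstring(xml_text)
    def attrs(tag, attr):  # namespace-agnostic lookup by local tag name
        return [e.get(attr) for e in root.iter()
                if e.tag.rsplit("}", 1)[-1] == tag and e.get(attr)]
    matches = attrs("security-setting", "match")
    names = attrs("address", "name")
    uncovered = [n for n in names if not any(wildcard_match(m, n) for m in matches)]
    stale = [m for m in matches if not any(wildcard_match(m, n) for n in names)]
    return uncovered, stale

if __name__ == "__main__":
    print("uncovered addresses, stale matches:", audit(BROKER_XML))
```

On the sample, every migrated address is uncovered and both `jms.*` matches are stale, which is the state the original poster was in after running the migration.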