Disable access to Dead Letter Queue


cnadukula
Hi,

As part of a security concern that we have, I was wondering if there is any
way that we can disable access to Apache Artemis's Dead Letter queue
altogether, like people cannot retrieve the message either from hawt or using
curl command either. Please let me know.

Thanks,
Chandra



--
Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html

Re: Disable access to Dead Letter Queue

jbertram
> like people cannot retrieve the message either from hawt or using curl command either.

If you need to secure a particular management operation you can use the
security functionality added in Artemis 2.4.0 via ARTEMIS-1463 [1].
Documentation is available here [2].


Justin

[1] https://issues.apache.org/jira/browse/ARTEMIS-1463
[2] https://activemq.apache.org/artemis/docs/latest/management.html (see
the "Role Based Authentication with JMX" section)

On Tue, Jan 2, 2018 at 1:20 PM, cnadukula <[hidden email]> wrote:

> Hi,
>
> As part of a security concern that we have, I was wondering if there is any
> way that we can disable access to Apache Artemis's Dead Letter queue
> altogether, like people cannot retrieve the message either from hawt or using
> curl command either. Please let me know.
>
> Thanks,
> Chandra

Re: Disable access to Dead Letter Queue

cnadukula
Thanks Justin for the response. But please correct me if I am wrong, I added
the following to the management.xml file:

<match domain="org.apache.activemq.apache" key="queue=DLQ">
            <access method="*" roles=""/>
</match>

I put in the queue as DLQ and access method as anything and assigned no
roles to it. Is this the right way to do it?

If not, could you please guide me the right way?

Also, I noticed roles such as "view, update, amq". What is amq in this
context?

Thanks,
Chandra




Re: Disable access to Dead Letter Queue

cnadukula
Hi guys,

Any update for me on this?

Thanks,
Chandra




Re: Disable access to Dead Letter Queue

cnadukula
Hi Justin,

Just wanted an insight on what I was doing.

We are trying to disable curl/hawtio access to one of our production Artemis
instances and only to dead letter queue. I tried one of the suggestions that
you had put in
http://activemq.2283324.n4.nabble.com/Disable-access-to-Dead-Letter-Queue-td4734679.html#a4734878
but that did not work as expected. So this is what I had done: in the
management.xml file, I added the below entry, under the <role-access> element.


<match domain="org.apache.activemq.apache" key="queue=DLQ">
     <access method="*" roles=""/>
</match>

But every once in a while (rarely), I see what I was looking for, which is,
when I access DLQ it says "No operations found for this.......", but after I
push some messages to DLQ and check back again, I am able to see the
messages on the queue via both the hawtio browse operation and also via curl.

Am I missing anything here or is this a bug? Please advise.

Thanks,
Chandra.




Re: Disable access to Dead Letter Queue

cnadukula
Any update for me on this, guys?




Re: Disable access to Dead Letter Queue

jbertram
Based on my current understanding of the management functionality I would
expect your configuration to reliably secure the DLQ so I would consider
any failure to do so a bug.  Please open a JIRA and include a test-case to
reproduce the issue.


Justin

On Wed, Mar 21, 2018 at 1:29 PM, cnadukula <[hidden email]> wrote:

> Any update for me on this, guys?
>
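
A check worth running before filing the test-case requested above: confirm that each <match> in <role-access> lines up with the ObjectName the broker actually registers for the queue. The script below is an added example, not code from the thread or from the Artemis project; its matching rule is a simplified model (equal domain, one equal key property), and the sample ObjectName is constructed on the assumption of Artemis's default JMX domain and 2.x queue naming.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <match> entry quoted in the thread, inside a bare <role-access>.
THREAD_CONFIG = """<role-access>
  <match domain="org.apache.activemq.apache" key="queue=DLQ">
    <access method="*" roles=""/>
  </match>
</role-access>"""

# Constructed ObjectName (assumption: default Artemis 2.x naming for an anycast queue
# called DLQ). Replace it with names copied from your own broker's JMX tree.
DLQ_MBEAN = ('org.apache.activemq.artemis:broker="0.0.0.0",component=addresses,'
             'address="DLQ",subcomponent=queues,routing-type="anycast",queue="DLQ"')

def local(tag):  # drop an XML namespace prefix such as '{uri}match'
    return tag.rsplit("}", 1)[-1]

def parse_object_name(name):
    """Split 'domain:k=v,k=v' into (domain, props); values with commas are not handled."""
    domain, _, props = name.partition(":")
    pairs = (p.split("=", 1) for p in props.split(","))
    return domain, {k.strip(): v.strip().strip('"') for k, v in pairs}

def load_rules(xml_text):
    """Collect every <match> with its domain, optional key and <access> children."""
    rules = []
    for el in (e for e in ET.fromstring(xml_text).iter() if local(e.tag) == "match"):
        access = [(a.get("method"), [r.strip() for r in a.get("roles", "").split(",") if r.strip()])
                  for a in el if local(a.tag) == "access"]
        rules.append({"domain": el.get("domain"), "key": el.get("key"), "access": access})
    return rules

def applies(rule, object_name):
    """Simplified model: domains must be equal; a key 'k=v' must equal one name property."""
    domain, props = parse_object_name(object_name)
    if rule["domain"] != domain or not rule["key"]:
        return rule["domain"] == domain
    k, _, v = rule["key"].partition("=")
    return props.get(k.strip()) == v.strip().strip('"')

def audit(xml_text, object_names):
    """Return (rules covering each MBean, rules that cover no MBean at all)."""
    rules = load_rules(xml_text)
    covered = {n: [r for r in rules if applies(r, n)] for n in object_names}
    dead = [r for r in rules if not any(applies(r, n) for n in object_names)]
    return covered, dead

if __name__ == "__main__":
    print(audit(THREAD_CONFIG, [DLQ_MBEAN]))
```

A rule that shows up in the second list covers none of the supplied MBeans, so access to them falls through to whatever default or broader match the file defines.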