[
https://issues.apache.org/jira/browse/ARTEMIS-2861?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17170382#comment-17170382
]
Justin Bertram commented on ARTEMIS-2861:
-----------------------------------------
bq. Which check type is "creating consumers"?
{{org.apache.activemq.artemis.core.security.CheckType#CONSUME}}
You wouldn't see this when the queue was created. You would only see this when
the consumer was created on the queue. Also, in order to see the queue name as
part of {{address}} the initial authorization check on just the address name
(i.e. without the queue name concatenated to it) must fail.
The use-case for ARTEMIS-592 involved statically created durable subscription
queues so there was no explicit check for {{CREATE_DURABLE_QUEUE}} from a
client. Since your use-case is different it may be necessary to enhance the
broker to concatenate the queue name for {{CREATE_DURABLE_QUEUE}} checks as
well.
> Add queue name as a parameter to ActiveMQSecurityManager
> ---------------------------------------------------------
>
> Key: ARTEMIS-2861
> URL: https://issues.apache.org/jira/browse/ARTEMIS-2861
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Affects Versions: 2.14.0
> Reporter: Luís Alves
> Priority: Major
>
> Currently I was trying to integrate Artemis with OpenId Connect (Oauth2.0)
> and User Managed Access 2.0 (UMA 2.0) using Keycloak implementation. I want
> to have fine grained access control over operations over addresses and queues
> (subscriptions) like described on
> https://issues.apache.org/jira/browse/ARTEMIS-592. I've investigated as
> proposed in
> https://medium.com/@joelicious/extending-artemis-security-with-oauth2-7fd9b3dffe3
> and it solves the authN part. For the authZ part I've already had some
> feedback here
> https://stackoverflow.com/questions/63191001/activemq-artemis-activemqsecuritymanager4-verify-clientid-subscription,
> but I think org.apache.activemq.artemis.core.server.SecuritySettingPlugin
> will not give the needed control. So I'm proposing that
> ActiveMQSecurityManager latest implementation adds the queue name as the
> calling method:
> {code:java}
> @Override
> public void check(final SimpleString address,
> final SimpleString queue,
> final CheckType checkType,
> final SecurityAuth session) throws Exception {
> {code}
> already has this information.
> Using UMA 2.0 each address can be a resource and we can have:
> SEND,CONSUME,CREATE_ADDRESS,DELETE_ADDRESS,CREATE_DURABLE_QUEUE,DELETE_DURABLE_QUEUE,CREATE_NON_DURABLE_QUEUE,DELETE_NON_DURABLE_QUEUE,MANAGE,BROWSE
> as scopes, which I think are quite fine grained. Depending on the use case a
> subscription also can be a resource.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
