Ivan created ARTEMIS-3339:
-----------------------------

             Summary: Role Based Authorisation for JMX not working as expected
                 Key: ARTEMIS-3339
                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3339
             Project: ActiveMQ Artemis
          Issue Type: Bug
          Components: Configuration, JMX, Web Console
    Affects Versions: 2.17.0
            Reporter: Ivan
         Attachments: address-settings.xml, addresses.xml, 
artemis-roles.properties, artemis-users.properties, artemis.profile.cmd, 
broker.xml, image-2021-06-09-23-22-51-886.png, 
image-2021-06-09-23-29-49-670.png, management.xml, security-settings.xml

Hello,

I tried to specify role based authorisation in management.xml for different 
addresses/queues (as instructed 
[here|https://activemq.apache.org/components/artemis/documentation/latest/management.html]):

!image-2021-06-09-23-22-51-886.png!

In the Artemis profile config I gave the hawtio role to the corresponding users:

_-Dhawtio.role=amq,auser,buser,cuser,duser_

The problem is that the authorisation is not working as expected, and only the 
FIRST "match domain" configuration is working fine.

In my case, I tested with 4 sections as those in the screenshot above:

 _<match domain="org.apache.activemq.artemis" key="address=a*">..._

 _<match domain="org.apache.activemq.artemis" key="address=b*">..._

 _<match domain="org.apache.activemq.artemis" key="address=c*">..._

 _<match domain="org.apache.activemq.artemis" key="address=d*">..._

When I log in using "*auser*" in the web console, I can invoke operations on 
addresses/queues starting with "a*", and not on the others, as I'd expect.

But when I log in using some of the other users, for example, *buser*, I can 
still invoke operations on queues starting with "a", but not on the queues 
starting with "b*", as I'd expect (all operations are disabled, as in the 
screenshot below):

!image-2021-06-09-23-29-49-670.png!

It is interesting that, if I change the order of the sections in 
management.xml, for example as follows (so address "d*" is first):

 _<match domain="org.apache.activemq.artemis" key="address=d*">..._

 _<match domain="org.apache.activemq.artemis" key="address=a*">..._

 _<match domain="org.apache.activemq.artemis" key="address=b*">..._

 _<match domain="org.apache.activemq.artemis" key="address=c*">..._

Then for "duser" that is authorized to work with "d*" queues it works as 
expected, but when I log in with auser, buser or cuser instead, again the same 
problem happens that all those users can invoke operations on "d*" queues, and 
not on the queues that they are expected to be authorized for.

I attach all relevant configuration files for reference.

Regards,

Ivan
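
Added example, not part of the original report or of the Artemis code base: a small Python model of the access the reporter expects from the four `match` sections, producing an address-to-role matrix that can be compared with what the web console actually allows, and showing that section order should not change it. The `<access>` rules, the address names, the operation name, and the matching semantics (glob match on the `key` value, union over matching sections) are assumptions, since the real sections are only visible in the attached screenshot.

```python
import fnmatch
import xml.etree.ElementTree as ET

NS = {"m": "http://activemq.apache.org/schema"}
DOMAIN = "org.apache.activemq.artemis"

# Constructed sample: one section per address prefix, as in the report.
# The <access> rule inside each section is an assumption.
SECTIONS = "".join(
    f'<match domain="{DOMAIN}" key="address={c}*">'
    f'<access method="*" roles="{c}user"/></match>' for c in "abcd")
MANAGEMENT_XML = (f'<management-context xmlns="{NS["m"]}"><authorisation>'
                  f'<role-access>{SECTIONS}</role-access>'
                  '</authorisation></management-context>')

def load_matches(xml_text):
    """Parse role-access into [(domain, key_name, key_glob, rules)] in file order."""
    out = []
    for m in ET.fromstring(xml_text).findall(".//m:role-access/m:match", NS):
        name, _, glob = m.get("key", "").partition("=")
        rules = [(a.get("method"), {r.strip() for r in a.get("roles", "").split(",")})
                 for a in m.findall("m:access", NS)]
        out.append((m.get("domain"), name, glob, rules))
    return out

def expected_roles(matches, domain, props, method):
    """Roles expected to be allowed to invoke `method` on an MBean whose
    ObjectName key properties are `props` (assumed semantics, see lead-in)."""
    roles = set()
    for m_domain, name, glob, rules in matches:
        if m_domain != domain:
            continue
        if name and not fnmatch.fnmatchcase(props.get(name, ""), glob):
            continue  # this section does not cover the MBean
        for method_glob, allowed in rules:
            if fnmatch.fnmatchcase(method, method_glob):
                roles |= allowed
    return roles

def access_matrix(matches, addresses, method):
    """Map each address to the sorted roles expected to be able to call `method`."""
    return {a: sorted(expected_roles(matches, DOMAIN, {"address": a}, method))
            for a in addresses}

if __name__ == "__main__":
    addrs = ["a.orders", "b.orders", "c.orders", "d.orders"]  # constructed names
    for addr, roles in access_matrix(load_matches(MANAGEMENT_XML), addrs,
                                     "removeAllMessages").items():
        print(f"{addr}: {roles}")
```

Any cell where the console's behaviour differs from this matrix, or changes when the sections are reordered, is a mismatch of the kind described in the report.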

 

 

 


