[jira] [Resolved] (ARTEMIS-4137) MQTT subscription queue clean-up can fail due to security

Thu, 26 Jan 2023 11:39:07 -0800 


     [ 
https://issues.apache.org/jira/browse/ARTEMIS-4137?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Justin Bertram resolved ARTEMIS-4137.
-------------------------------------
    Fix Version/s: 2.28.0
       Resolution: Fixed

> MQTT subscription queue clean-up can fail due to security
> ---------------------------------------------------------
>
>                 Key: ARTEMIS-4137
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-4137
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>            Reporter: Justin Bertram
>            Assignee: Justin Bertram
>            Priority: Major
>             Fix For: 2.28.0
>
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> When an MQTT subscriber disconnects the automated queue clean-up can fail if 
> the subscriber didn't have authorization to delete the queue, e.g.:
> {noformat}
> ERROR [org.apache.activemq.artemis.core.protocol.mqtt] AMQ834000: Error 
> removing subscription.
> org.apache.activemq.artemis.api.core.ActiveMQSecurityException: AMQ229213: 
> User: noDelete does not have permission='DELETE_DURABLE_QUEUE' for queue foo 
> on address foo
>       at 
> org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:307)
>  ~[classes/:?]
>       at 
> org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.destroyQueue(ActiveMQServerImpl.java:2448)
>  ~[classes/:?]
>       at 
> org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.destroyQueue(ActiveMQServerImpl.java:2421)
>  ~[classes/:?]
>       at 
> org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.deleteQueue(ServerSessionImpl.java:1186)
>  ~[classes/:?]
>       at 
> org.apache.activemq.artemis.core.protocol.mqtt.MQTTSubscriptionManager.removeSubscription(MQTTSubscriptionManager.java:297)
>  ~[classes/:?]
>       at 
> org.apache.activemq.artemis.core.protocol.mqtt.MQTTSubscriptionManager.clean(MQTTSubscriptionManager.java:376)
>  ~[classes/:?]
>       at 
> org.apache.activemq.artemis.core.protocol.mqtt.MQTTSession.clean(MQTTSession.java:226)
>  ~[classes/:?]
>       at 
> org.apache.activemq.artemis.core.protocol.mqtt.MQTTSession.stop(MQTTSession.java:135)
>  ~[classes/:?]
>       at 
> org.apache.activemq.artemis.core.protocol.mqtt.MQTTConnectionManager.disconnect(MQTTConnectionManager.java:185)
>  ~[classes/:?]
>       at 
> org.apache.activemq.artemis.core.protocol.mqtt.MQTTProtocolHandler.disconnect(MQTTProtocolHandler.java:278)
>  ~[classes/:?]
>       at 
> org.apache.activemq.artemis.core.protocol.mqtt.MQTTProtocolHandler.act(MQTTProtocolHandler.java:182)
>  ~[classes/:?]
>       at org.apache.activemq.artemis.utils.actors.Actor.doTask(Actor.java:32) 
> ~[classes/:?]
>       at 
> org.apache.activemq.artemis.utils.actors.ProcessorBase.executePendingTasks(ProcessorBase.java:68)
>  ~[classes/:?]
>       at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>  ~[?:?]
>       at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>  ~[?:?]
>       at 
> org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
>  ~[classes/:?]{noformat}
> This can lead to unwanted message accumulation and impact broker performance. 
> The broker should delete the queue without regard to security authorization 
> in this case.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to