[ https://issues.apache.org/jira/browse/AMQ-9472?focusedWorklogId=913536&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-913536 ]

ASF GitHub Bot logged work on AMQ-9472:
---------------------------------------

                Author: ASF GitHub Bot
            Created on: 08/Apr/24 23:09
            Start Date: 08/Apr/24 23:09
    Worklog Time Spent: 10m 
      Work Description: cshannon commented on PR #1198:
URL: https://github.com/apache/activemq/pull/1198#issuecomment-2043790765

   In terms of working around this, the options are pretty much:

   1. If you are going to create topics then you need to make sure you have proper ACLs set up for those topics (including matching subscriptions on wildcards) that consumers might subscribe to. In this case you could add read ACLs for A.> for the users group.
   2. You could always customize the authorization logic by implementing your own plugin or overriding/extending the `AuthorizationBroker` and `AuthorizationDestinationInterceptor`.

Issue Time Tracking
-------------------

    Worklog Id:     (was: 913536)
    Time Spent: 40m  (was: 0.5h)

> Wildcard publisher auto-creates wildcard topic and breaks authorization
> -----------------------------------------------------------------------
>
>                 Key: AMQ-9472
>                 URL: https://issues.apache.org/jira/browse/AMQ-9472
>             Project: ActiveMQ Classic
>          Issue Type: Bug
>          Components: Broker
>            Reporter: Albertas Vyšniauskas
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> Hi,
> after publishing a message to a wildcard topic, a wildcard topic is 
> auto-created and interacts poorly with authorization rules.
> Suppose that the authorization map contains the following entries:
> <authorizationEntry read="admin" write="admin" admin="admin" topic=">" />
> <authorizationEntry read="user" topic="A.B" />
> Admin creates "A.B" topic and publishes a message to "A.>" causing 
> auto-creation of "A.>" topic.
> User attempts to consume "A.B" topic, but receives "User user is not 
> authorized to read from: topic://A.>" error.
> I asked on the user mailing list if wildcard publishing is supposed to work at 
> all, as I could not find any documentation about that. Unfortunately I did 
> not receive any response, so I have to assume that it does.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
