[ 
https://issues.apache.org/jira/browse/AMQ-9472?focusedWorklogId=913539&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-913539
 ]

ASF GitHub Bot logged work on AMQ-9472:
---------------------------------------

                Author: ASF GitHub Bot
            Created on: 08/Apr/24 23:37
            Start Date: 08/Apr/24 23:37
    Worklog Time Spent: 10m 
      Work Description: cshannon commented on PR #1198:
URL: https://github.com/apache/activemq/pull/1198#issuecomment-2043856614

   The only other thing I can think of is we could technically change the 
behavior of the authorization broker plugin because you could make an argument 
that any matching wildcard should implicitly be authorized if it matches a 
topic. In this case by publishing to a wildcard the intent is anything that 
matches gets it so should be authorized.
   
   However, the problem with changing that would be a change in the current 
authorization behavior which is not good for existing users not expecting it. 
So I think that we'd need to have a config option or an extension to prevent 
unintended consequences since it's been like this for a long time.
   
   So I would view any changes here more as an enhancement or improvement. If 
we made it configurable I think it would need to be something where the config 
would be described as "implicitly grant matching wildcard destinations" or 
something like that and probably a new feature and not a bug fix release. 
Subscribing to a wildcard destination would also need to be explored as well.




Issue Time Tracking
-------------------

    Worklog Id:     (was: 913539)
    Time Spent: 50m  (was: 40m)

> Wildcard publisher auto-creates wildcard topic and breaks authorization
> -----------------------------------------------------------------------
>
>                 Key: AMQ-9472
>                 URL: https://issues.apache.org/jira/browse/AMQ-9472
>             Project: ActiveMQ Classic
>          Issue Type: Bug
>          Components: Broker
>            Reporter: Albertas Vyšniauskas
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> Hi,
> after publishing a message to a wildcard topic, a wildcard topic is 
> auto-created and interacts poorly with authorization rules.
> Suppose that the authorization map contains the following entries:
> <authorizationEntry read="admin" write="admin" admin="admin" topic=">" />
> <authorizationEntry read="user" topic="A.B" />
> Admin creates "A.B" topic and publishes a message to "A.>" causing 
> auto-creation of "A.>" topic.
> User attempts to consume "A.B" topic, but receives "User user is not 
> authorized to read from: topic://A.>" error.
> I asked on the user mailing list if wildcard publishing is supposed to work at 
> all, as I could not find any documentation about that. Unfortunately I did 
> not receive any response, so I have to assume that it does.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
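
Added example, not part of the Jira message and not ActiveMQ code: a simplified Python model of the reported scenario, built from the two authorization entries in the issue. The matching and per-topic check logic are assumptions chosen to reproduce the reported error, and `implicit_wildcard_grant` is a hypothetical name for the option floated in the comment.

```python
# Simplified model (assumption); not taken from the ActiveMQ source.

def covers(pattern, name):
    """True if `pattern` ('*' = one path element, '>' = the rest) covers `name`."""
    p, n = pattern.split("."), name.split(".")
    for i, tok in enumerate(p):
        if tok == ">":
            return True
        if i >= len(n) or (tok != "*" and tok != n[i]):
            return False
    return len(p) == len(n)

# The two entries from the issue: topic pattern -> roles per operation.
ENTRIES = [
    (">",   {"read": {"admin"}, "write": {"admin"}, "admin": {"admin"}}),
    ("A.B", {"read": {"user"}}),
]

def read_roles(topic):
    """Union of read roles from every entry whose pattern covers `topic`."""
    roles = set()
    for pattern, acl in ENTRIES:
        if covers(pattern, topic):
            roles |= acl.get("read", set())
    return roles

def is_wildcard(topic):
    return any(tok in ("*", ">") for tok in topic.split("."))

def denied_topics(role, topic, existing_topics, implicit_wildcard_grant=False):
    """Existing broker topics on which `role` fails the read check when consuming `topic`."""
    denied = []
    for t in existing_topics:
        if not covers(t, topic):
            continue  # existing topic is unrelated to this subscription
        if role in read_roles(t):
            continue  # an entry covering t grants read
        if implicit_wildcard_grant and is_wildcard(t) and role in read_roles(topic):
            continue  # hypothetical option: the grant on `topic` extends to matching wildcard t
        denied.append(t)
    return denied

if __name__ == "__main__":
    print(denied_topics("user", "A.B", ["A.B"]))                 # before "A.>" exists
    print(denied_topics("user", "A.B", ["A.B", "A.>"]))          # after the wildcard publish
    print(denied_topics("user", "A.B", ["A.B", "A.>"], True))    # with the hypothetical option
```

In this model the option only relaxes the check for a role that already holds read on the concrete topic; a role without that grant is still denied on the wildcard topic.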
