Hi Justin, thank you for your reply.
I am testing with a minimally modified version of the RequestReply example from the Artemis Repository. Minimally modified means that I test against a standalone, pre-configured Artemis instance (2.5.0). In the code the "request" message is sent to the *FOOBAR* queue with the user *mq_test* (role: *mq_tests*).

Here are my settings:

    <security-setting match="FOOBAR.#">
      <permission type="createNonDurableQueue" roles="mq_tests" />
      <permission type="deleteNonDurableQueue" roles="mq_tests" />
      <permission type="createDurableQueue" roles="mq_tests" />
      <permission type="deleteDurableQueue" roles="mq_tests" />
      <permission type="createAddress" roles="mq_tests" />
      <permission type="deleteAddress" roles="mq_tests" />
      <permission type="consume" roles="mq_tests" />
      <permission type="browse" roles="mq_tests" />
      <permission type="send" roles="mq_tests" />
      <permission type="manage" roles="mq_tests" />
    </security-setting>

    <address-setting match="FOOBAR">
      <dead-letter-address>FOOBAR._DLQ_</dead-letter-address>
      <expiry-address>FOOBAR._EXPQ_</expiry-address>
      <redelivery-delay>0</redelivery-delay>
      <max-delivery-attempts>3</max-delivery-attempts>
      <max-size-bytes>-1</max-size-bytes>
      <message-counter-history-day-limit>10</message-counter-history-day-limit>
      <address-full-policy>PAGE</address-full-policy>
      <auto-create-queues>false</auto-create-queues>
      <auto-create-addresses>false</auto-create-addresses>
      <auto-delete-queues>false</auto-delete-queues>
      <auto-delete-addresses>false</auto-delete-addresses>
    </address-setting>

    <address name="FOOBAR">
      <anycast>
        <queue name="FOOBAR" />
      </anycast>
    </address>
    <address name="FOOBAR._DLQ_">
      <anycast>
        <queue name="FOOBAR._DLQ_" />
      </anycast>
    </address>
    <address name="FOOBAR._EXPQ_">
      <anycast>
        <queue name="FOOBAR._EXPQ_" />
      </anycast>
    </address>

When trying to create a temporary queue, I get the following error message:

    User: mq_test does not have permission='CREATE_NON_DURABLE_QUEUE' for queue 382aa141-d0b7-4e59-82d4-c9f9f21326ae on address 382aa141-d0b7-4e59-82d4-c9f9f21326ae
    javax.jms.JMSSecurityException: AMQ119213: User: mq_test does not have permission='CREATE_NON_DURABLE_QUEUE' for queue 382aa141-d0b7-4e59-82d4-c9f9f21326ae on address 382aa141-d0b7-4e59-82d4-c9f9f21326ae
        at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:409)
        at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:319)
        at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQSessionContext.createQueue(ActiveMQSessionContext.java:624)
        at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.internalCreateQueue(ClientSessionImpl.java:1841)
        at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.createTemporaryQueue(ClientSessionImpl.java:429)
        at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.createTemporaryQueue(ClientSessionImpl.java:416)
        at org.apache.activemq.artemis.jms.client.ActiveMQSession.createTemporaryQueue(ActiveMQSession.java:877)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.springframework.jms.connection.CachingConnectionFactory$CachedSessionInvocationHandler.invoke(CachingConnectionFactory.java:389)
        at com.sun.proxy.$Proxy18.createTemporaryQueue(Unknown Source)
        at de.finkonsens.geco.mila.nadien.client.test.RequestReplyExample.lambda$send$0(RequestReplyExample.java:65)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
    Caused by: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ119213: User: mq_test does not have permission='CREATE_NON_DURABLE_QUEUE' for queue 382aa141-d0b7-4e59-82d4-c9f9f21326ae on address 382aa141-d0b7-4e59-82d4-c9f9f21326ae]
        ... 17 more

The example works only after I modify the security settings configuration like this:

    <security-setting match="#">
      <permission type="createNonDurableQueue" roles="mq_tests" />
      <permission type="deleteNonDurableQueue" roles="mq_tests" />
      <permission type="createDurableQueue" roles="mq_tests" />
      <permission type="deleteDurableQueue" roles="mq_tests" />
      <permission type="createAddress" roles="mq_tests" />
      <permission type="deleteAddress" roles="mq_tests" />
      <permission type="consume" roles="mq_tests" />
      <permission type="browse" roles="mq_tests" />
      <permission type="send" roles="mq_tests" />
      <permission type="manage" roles="mq_tests" />
    </security-setting>

On Mon, Mar 26, 2018 at 8:51 PM, Justin Bertram <jbert...@apache.org> wrote:

> What protocol or API are you using for your request-reply work? Off the
> top of my head I wouldn't expect the auto-create attributes would need to
> be true in order to create temporary queues.
>
>
> Justin
>
> On Thu, Mar 22, 2018 at 11:29 AM, Big Puritz <bigpur...@gmail.com> wrote:
>
> > Hello,
> >
> > as far as I can see, while using the "request-reply" pattern the broker
> > creates a temporary "reply"-queue with the name according to the UUID
> > naming pattern, e.g. ca8f4510-5e58-48e7-a4f0-55abf8a43d8e.
> >
> > To be able to create these queues the user is required to have an
> > appropriate CREATE_NON_DURABLE_QUEUE permission.
> >
> > That can be achieved with the following configuration (please correct me
> > if I'm wrong):
> >
> > <address-setting match="#">
> >   ...
> >   <auto-create-queues>true</auto-create-queues>
> >   <auto-create-addresses>true</auto-create-addresses>
> >   ...
> > </address-setting>
> >
> > <security-setting match="#">
> >   ...
> >   <permission type="createNonDurableQueue" roles="..."/>
> >   <permission type="deleteNonDurableQueue" roles="..."/>
> >   ...
> > </security-setting>
> >
> >
> > However this configuration makes creation of every non durable queue
> > possible, not only the temporary one.
> >
> > How can I limit the permissions to create temporary queues only? Is there
> > any possibility to specify the naming-pattern for the temporary queues?
> > E.g. "temp.<uuid>" or something like this.
> >
> > Thanks in advance.
> >
>
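
The wildcard behaviour behind the error above, as an added example that is not part of the original thread: a simplified model of Artemis' documented address wildcard syntax (`.` separates words, `#` matches zero or more words, `*` matches exactly one word), applied to the two `security-setting` matches from the message. `OTHER.queue` is a constructed address and the function names are hypothetical.

```python
# Simplified model of Artemis address wildcard matching (added example,
# not broker code): '.' separates words, '#' matches zero or more words,
# '*' matches exactly one word.

TEMP_QUEUE = "382aa141-d0b7-4e59-82d4-c9f9f21326ae"  # UUID name from the error message

# Addresses to audit. OTHER.queue is constructed; the rest are from the message.
ADDRESSES = ["FOOBAR", "FOOBAR._DLQ_", "FOOBAR._EXPQ_", TEMP_QUEUE, "OTHER.queue"]


def matches(pattern: str, address: str) -> bool:
    """Return True if a security-setting match pattern covers the address."""
    p, a = pattern.split("."), address.split(".")

    def rec(i: int, j: int) -> bool:
        if i == len(p):                      # pattern used up: address must be too
            return j == len(a)
        if p[i] == "#":                      # try consuming 0..n remaining words
            return any(rec(i + 1, k) for k in range(j, len(a) + 1))
        if j == len(a):                      # address used up, pattern is not
            return False
        if p[i] == "*" or p[i] == a[j]:      # one-word wildcard or literal word
            return rec(i + 1, j + 1)
        return False

    return rec(0, 0)


def covering(patterns, address):
    """List the configured match patterns that cover an address."""
    return [pat for pat in patterns if matches(pat, address)]


def audit(patterns):
    """Map every sample address to the patterns that cover it."""
    return {addr: covering(patterns, addr) for addr in ADDRESSES}


if __name__ == "__main__":
    for label, patterns in (("first config", ["FOOBAR.#"]), ("second config", ["#"])):
        print(label)
        for addr, hits in audit(patterns).items():
            print(f"  {addr:40} -> {hits or 'no match'}")
```

With `FOOBAR.#` the UUID-named temporary queue is covered by no configured match, which is consistent with the AMQ119213 error; with `#` the same ten permissions also cover `OTHER.queue` and every other address.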