Hi Dave, I'm not able to reproduce your issue executing the following steps:
1) create a new broker instance:
./bin/artemis create broker --user admin --password admin --require-login

2) add test user with monitor role
echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties

3) add rtest user with amqro role
echo -e "\nrtest = rtest" >> ./broker/etc/artemis-users.properties
echo -e "\namqro = rtest" >> ./broker/etc/artemis-roles.properties

4) add the monitor role to HAWTIO_ROLE in artemis.profile
sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,amqro,monitor'/" ./broker/etc/artemis.profile

5) add the access for the isActive method in management.xml
sed -i 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\ method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml

6) add the access for amqro in management.xml
sed -i 's/amq/amq,amqro/' ./broker/etc/management.xml

7) run the broker
./broker/bin/artemis run

8) read the Active attribute with test user (monitor role)
curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/Active

{"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}

9) read the AddressMemoryUsage attribute with test user (monitor role)
curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/AddressMemoryUsage

{"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"error_type":"java.lang.Exception","error":"java.lang.Exception : User not authorized to access attribute: AddressMemoryUsage","status":403}

10) read the AddressMemoryUsage attribute with rtest user (amqro role)
curl -H "Origin:http://localhost:8161" -u rtest:rtest http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/AddressMemoryUsage

{"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638481397,"status":200}

Could you add the steps to reproduce your issue?

Regards,
Domenico

On Thu, 2 Dec 2021 at 13:43, David Martin <dav...@qoritek.com> wrote:

> Hi Domenico,
>
> Following up on this I decided to try adding a readonly console user with
> the role "amqro" and that is when I discovered that the users in
> HAWTIO_ROLE have unencumbered access to both the console and the Jolokia
> REST API.
>
> 1/ Even the user with the monitor role can log in to the console and do
> things like delete queues and connections.
>
> 2/ User with monitor role able to invoke other methods than /Active e.g.
> /AddressMemoryUsage (verified username/password with base64 -d) -
>
> $ curl -H 'Origin: $(hostname -i)' -H 'Authorization: Basic xxxxx' '
> http://localhost:31161/console/jolokia/read/org.apache.activemq.artemis:broker=!%22artemis-0!%22/AddressMemoryUsage
> '
>
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"artemis-0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638448344,"status":200}
>
> 3/ management.xml -
>
> <management-context xmlns="http://activemq.org/schema">
>    <!--<connector connector-port="1099"/>-->
>    <authorisation>
>       <whitelist>
>          <entry domain="hawtio"/>
>       </whitelist>
>       <default-access>
>          <access method="list*" roles="amq,amqro"/>
>          <access method="get*" roles="amq,amqro"/>
>          <access method="is*" roles="amq,amqro"/>
>          <access method="set*" roles="amq"/>
>          <access method="*" roles="amq"/>
>       </default-access>
>       <role-access>
>          <match domain="org.apache.activemq.artemis">
>             <access method="isActive" roles="amq,amqro,monitor"/>
>             <access method="list*" roles="amq,amqro"/>
>             <access method="get*" roles="amq,amqro"/>
>             <access method="is*" roles="amq,amqro"/>
>             <access method="set*" roles="amq"/>
>             <access method="*" roles="amq"/>
>          </match>
>          <!--example of how to configure a specific object-->
>          <!--<match domain="org.apache.activemq.artemis" key="subcomponent=queues">
>             <access method="list*" roles="view,update,amq"/>
>             <access method="get*" roles="view,update,amq"/>
>             <access method="is*" roles="view,update,amq"/>
>             <access method="set*" roles="update,amq"/>
>             <access method="*" roles="amq"/>
>          </match>-->
>       </role-access>
>    </authorisation>
> </management-context>
>
> 4/ artemis-profile -
>
> # Hawtio Properties
> HAWTIO_ROLE='amq,amqro,monitor'
>
> # Java Opts
> if [ -z "$JAVA_ARGS" ]; then
>   JAVA_ARGS="$BROKER_CONFIGS
>   -javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml
>   -Dcom.sun.management.jmxremote=true
>   -Dcom.sun.management.jmxremote.port=1099
>   -Dcom.sun.management.jmxremote.rmi.port=1098
>   -Dcom.sun.management.jmxremote.ssl=false
>   -Dcom.sun.management.jmxremote.authenticate=false -Dipv4addr=$(hostname -f)
>   -Ddomain=artemis-headless.sis-247.svc.cluster.local
>   -Dcluster.password=2b186afe-4e99-4a33-a47f-042df1fadd1d
>   -Dcrmt.poll.cron=0_0/2_*_*_*_? -Dcrmt.jwt=mockDoesNotCheckIt
>   -Dpage.size=2097152 -Dpaging.threshold=10485760
>   -Dmin.large.message.size=204800 -Dsecurity.invalidation.interval=600000
>   -Dhawtio.authenticationEnabled=true -Djava.net.preferIPv4Addresses=true
>   -Djava.net.preferIPv4Stack=true -XX:+UnlockExperimentalVMOptions
>   -XX:+UseCGroupMemoryLimitForHeap -XX:MaxRAMFraction=2
>   -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+UseStringDeduplication
>   -Dhawtio.disableProxy=true -Dhawtio.realm=activemq -Dhawtio.offline=true
>   -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal
>   -Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml"
> fi
>
> Do you or anyone in this group have any suggestions on how the monitor (and
> amqro) roles can be actually restricted? I tried adding
> -Dhawtio.authenticationEnabled=true but that had no effect.
>
> Thanks for your help,
>
> Dave
>
> On Thu, 18 Nov 2021 at 21:34, Domenico Francesco Bruscino <bruscin...@gmail.com> wrote:
>
> > Hi Dave,
> >
> > you need to add the monitor role to HAWTIO_ROLE in artemis.profile and
> > the access for the isActive method in management.xml.
> >
> > Execute the following steps to get a working example:
> >
> > 1) create a new broker instance:
> > ./bin/artemis create broker --user admin --password admin --require-login
> >
> > 2) add test user with monitor role
> > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> > echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties
> >
> > 3) add the monitor role to HAWTIO_ROLE in artemis.profile
> > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,monitor'/" ./broker/etc/artemis.profile
> >
> > 4) add the access for the isActive method in management.xml
> > sed -i 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\ method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml
> >
> > 5) run the broker
> > ./broker/bin/artemis run
> >
> > 6) read the Active attribute
> > curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/Active
> >
> > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
> >
> > Regards,
> > Domenico
> >
> > On Thu, 18 Nov 2021 at 18:16, David Martin <dav...@qoritek.com> wrote:
> >
> > > Hi all,
> > >
> > > I'm trying to configure role access via the Jolokia REST API for the
> > > single attribute "Active" on the "org.apache.activemq.artemis" domain.
> > >
> > > I have a user with a role "monitor" and want them to be able to access
> > > nothing but the above attribute via e.g.
> > > /console/jolokia/read/org.apache.activemq.artemis:broker=*/Active. The
> > > manual regarding management.xml is clear about *method* access e.g.
> > > "get*" but has no examples for *attribute* access.
> > >
> > > Having spent about an hour on it I'm really stuck. Any help would be
> > > appreciated.
> > >
> > > Cheers,
> > >
> > > Dave
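The thread turns on how management.xml resolves a role for a Jolokia attribute read: Domenico's extra `isActive` entry lets `monitor` read `Active` while the `get*` entry keeps `monitor` off `AddressMemoryUsage`. The resolver below is an added example, not code from the thread or from Artemis; `MANAGEMENT_XML` is a constructed fragment trimmed from Dave's file, and `roles_for`/`can_read_attribute` assume the order exact method name, then longest prefix wildcard, then `*`, with an attribute read checked as its `is`/`get` accessor.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the management.xml posted in the thread.
MANAGEMENT_XML = """<management-context xmlns="http://activemq.org/schema">
  <authorisation>
    <default-access>
      <access method="get*" roles="amq,amqro"/>
      <access method="*" roles="amq"/>
    </default-access>
    <role-access>
      <match domain="org.apache.activemq.artemis">
        <access method="isActive" roles="amq,amqro,monitor"/>
        <access method="get*" roles="amq,amqro"/>
        <access method="is*" roles="amq,amqro"/>
        <access method="set*" roles="amq"/>
        <access method="*" roles="amq"/>
      </match>
    </role-access>
  </authorisation>
</management-context>"""

NS = {"a": "http://activemq.org/schema"}


def roles_for(xml_text, domain, method):
    """Roles allowed to invoke `method` on an MBean in `domain`.
    Assumed resolution: the domain's <match> block (else <default-access>),
    then exact method name, then the longest matching prefix wildcard
    such as get*/is*/set*, then the catch-all '*'."""
    root = ET.fromstring(xml_text)
    block = next((m for m in root.findall(".//a:role-access/a:match", NS)
                  if m.get("domain") == domain and m.get("key") is None),
                 root.find(".//a:default-access", NS))
    entries = [(e.get("method"), set(e.get("roles").split(",")))
               for e in block.findall("a:access", NS)]
    for pattern, roles in entries:            # 1. exact match wins
        if pattern == method:
            return roles
    prefixed = [(p, r) for p, r in entries    # 2. longest prefix wildcard
                if p != "*" and p.endswith("*") and method.startswith(p[:-1])]
    if prefixed:
        return max(prefixed, key=lambda pr: len(pr[0]))[1]
    return next((r for p, r in entries if p == "*"), set())  # 3. catch-all


def can_read_attribute(xml_text, domain, attribute, role, boolean=False):
    """A Jolokia 'read' of an attribute is authorised as its getter:
    is<Attr> for boolean attributes, get<Attr> otherwise (assumed)."""
    getter = ("is" if boolean else "get") + attribute
    return role in roles_for(xml_text, domain, getter)
```

Pointing it at a real management.xml shows which roles the catch-all `*` entry still grants on operations such as queue deletion, which is the check a read-only role needs before it is trusted.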