Hi All! Recently I've discovered a possible bug in Artemis 2.50.0 and later. When I configure management ACL for sending messages on a particular address, the permissions for sending messages are granted only for the queue on this address. I checked if the user has permissions on the objects in the Artemis JMX tree. When I tried to reproduce this issue in an isolated environment, it had a different effect: when I granted permissions on a particular address, the permissions were granted on this address and all other addresses and queues.
Steps to reproduce on a fresh instance:

- create a user "test" with role "test-role" and add test-role to hawtio roles;
- create address TEST.IN with TEST.IN queue;
- add an example management ACL to management.xml role-access section:

    <match domain="org.apache.activemq.artemis" key="address=TEST.IN">
       <access method="send*" roles="amq,test-role"/>
       <access method="*" roles="amq"/>
    </match>

Also I've mentioned that when I configure JMX exporter as javaagent (which requires java option -Dcom.sun.management.jmxremote=true), all ACLs on mbeans have no effect. Any operations for all users are available regardless of configured management ACLs. Anyway I plan to get rid of the JMX exporter.

Both problems are reproduced in versions 2.50.0 - 2.52.0 and not reproduced in previous versions. I'll later try to configure the same management ACLs using security-settings in broker.xml.

--
Regards,
Alexander
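As an added example (not part of the original post and not Artemis code), the following Python model computes which roles the `<match>` above would be expected to require for a given MBean and method, so the permissions seen in the JMX tree can be compared against it. It assumes a match applies when any ObjectName property equals the key, that an exact method name beats a prefix wildcard which beats `*`, and it uses constructed object names whose layout is an assumption.

```python
import xml.etree.ElementTree as ET

# The <match> element from the post, wrapped in <role-access> so it parses stand-alone.
ROLE_ACCESS = """<role-access>
  <match domain="org.apache.activemq.artemis" key="address=TEST.IN">
    <access method="send*" roles="amq,test-role"/>
    <access method="*" roles="amq"/>
  </match>
</role-access>"""

def parse_object_name(name):
    """Split 'domain:k1=v1,k2="v2"' into (domain, {k: v}); quotes are dropped."""
    domain, _, props = name.partition(":")
    pairs = (p.split("=", 1) for p in props.split(",") if p)
    return domain, {k: v.strip('"') for k, v in pairs}

def required_roles(role_access_xml, object_name, method):
    """Roles allowed to call method, or None if no <match> applies (default-access decides)."""
    domain, props = parse_object_name(object_name)
    for match in ET.fromstring(role_access_xml).iter("match"):
        if match.get("domain") != domain:
            continue
        k, _, v = (match.get("key") or "").partition("=")
        if k and props.get(k) != v:  # assumed: key must equal one ObjectName property
            continue
        exact, prefix, catch_all = None, (-1, None), None
        for acc in match.iter("access"):
            pattern, roles = acc.get("method"), set(acc.get("roles").split(","))
            if pattern == "*":
                catch_all = roles
            elif pattern.endswith("*"):
                if method.startswith(pattern[:-1]) and len(pattern) > prefix[0]:
                    prefix = (len(pattern), roles)  # longest matching prefix wins
            elif pattern == method:
                exact = roles
        return exact or prefix[1] or catch_all
    return None

# Constructed object names (assumed layout; read the real ones from your JMX tree).
BASE = 'org.apache.activemq.artemis:broker="0.0.0.0",component=addresses,'
ADDRESS = BASE + 'address="TEST.IN"'
QUEUE = ADDRESS + ',subcomponent=queues,routing-type="anycast",queue="TEST.IN"'
OTHER = BASE + 'address="OTHER.IN"'

def expected_matrix(role, method="sendMessage"):
    """Per sample MBean: True/False, or None when default-access decides."""
    samples = {"address": ADDRESS, "queue": QUEUE, "other": OTHER}
    found = {k: required_roles(ROLE_ACCESS, n, method) for k, n in samples.items()}
    return {k: None if r is None else role in r for k, r in found.items()}
```

Calling `expected_matrix("test-role")` gives the model's expectation for the three sample MBeans; any difference from what the console actually allows for that user is the deviation to report against the affected versions.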
