I'm about to release 2.53.0. Can you try in that version? On Fri, Mar 20, 2026 at 9:12 AM Vilius Šumskas via users <[email protected]> wrote: > > Hi, > > > > I‘m not sure if this is the same bug, but indeed something has changed in > recent Artemis versions in regards to management.xml ACLs. We encountered > this issue https://github.com/jolokia/jolokia-integration/issues/5 . It is > filled against Jolokia, but now I’m wondering if these changes are in Artemis > itself. > > > > -- > > Vilius > > > > From: Alexander Milovidov <[email protected]> > Sent: Friday, March 20, 2026 2:25 PM > To: [email protected] > Subject: Possible bug with management ACLs > > > > Hi All! > > > > Recently I've discovered a possible bug in Artemis 2.50.0 and later. When I > configure management ACL for sending messages on a particular address, the > permissions for sending messages are granted only for the queue on this > address. I checked if the user has permissions on the objects in the Artemis > JMX tree. > > When I tried to reproduce this issue in an isolated environment, it had a > different effect: when I granted permissions on a particular address, the > permissions were granted on this address and all other addresses and queues. > > > > Steps to reproduce on a fresh instance: > > - create a user "test" with role "test-role" and add test-role to hawtio > roles; > > - create address TEST.IN with TEST.IN queue.\ > > - add an example management ACL to management.xml role-access section: > > <match domain="org.apache.activemq.artemis" key="address=TEST.IN"> > > <access method="send*" roles="amq,test-role"/> > <access method="*" roles="amq"/> > > </match> > > > > Also I've mentioned that when I configure JMX exporter as javaagent (which > requires java option -Dcom.sun.management.jmxremote=true), all ACLs on mbeans > have no effect. Any operations for all users are available regardless of > configured management ACLs. Anyway I plan to get rid of the JMX exporter. > > > > Both problems are reproduced in versions 2.50.0 - 2.52.0 and not reproduced > in previous versions. > > I'll later try to configure the same management ACLs using security-settings > in broker.xml. > > > > -- > > Regards, > > Alexander
-- Clebert Suconic --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
