[jira] [Commented] (ARTEMIS-2861) Add queue name as a parameter to ActiveMQSecurityManager

Wed, 05 Aug 2020 00:51:38 -0700 


    [ 
https://issues.apache.org/jira/browse/ARTEMIS-2861?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17171318#comment-17171318
 ] 

Luís Alves commented on ARTEMIS-2861:
-------------------------------------

I would say that DELETE_DURABLE_QUEUE & DELETE_NON_DURABLE_QUEUE should also be 
included, so only the subscriber (owner) can cancel subscription. And they can 
for sure be deleted administratively (to old subscriptions without interaction 
or by the address owner that don't want the subscriber to receive updates 
anymore). 

Regarding :: seems a great idea :), as that way it's easy to know how to break 
and as you said aligns with the FQQN.

> Add queue name as a parameter to ActiveMQSecurityManager 
> ---------------------------------------------------------
>
>                 Key: ARTEMIS-2861
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-2861
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>    Affects Versions: 2.14.0
>            Reporter: Luís Alves
>            Priority: Major
>
> Currently I was trying to integrate Artemis with OpenId Connect (Oauth2.0) 
> and User Managed Access 2.0 (UMA 2.0) using Keycloak implementation. I want 
> to have fine grained access control over operations over addresses and queues 
> (subscriptions) like described on 
> https://issues.apache.org/jira/browse/ARTEMIS-592. I've investigated as 
> proposed in 
> https://medium.com/@joelicious/extending-artemis-security-with-oauth2-7fd9b3dffe3
>  and it solves the authN part. For the authZ part I've already had some 
> feedback here 
> https://stackoverflow.com/questions/63191001/activemq-artemis-activemqsecuritymanager4-verify-clientid-subscription,
>  but I think org.apache.activemq.artemis.core.server.SecuritySettingPlugin 
> will not give the needed control. So I'm proposing that 
> ActiveMQSecurityManager latest implementation adds the queue name as the 
> calling method:
> {code:java}
>  @Override
>    public void check(final SimpleString address,
>                      final SimpleString queue,
>                      final CheckType checkType,
>                      final SecurityAuth session) throws Exception {
> {code}
> already has this information. 
> Using UMA 2.0 each address can be a resource and we can have: 
> SEND,CONSUME,CREATE_ADDRESS,DELETE_ADDRESS,CREATE_DURABLE_QUEUE,DELETE_DURABLE_QUEUE,CREATE_NON_DURABLE_QUEUE,DELETE_NON_DURABLE_QUEUE,MANAGE,BROWSE
>  as scopes, which I think are quite fine grained. Depending on the use case a 
> subscription also can be a resource.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to