[ https://issues.apache.org/jira/browse/ARTEMIS-3339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Bertram resolved ARTEMIS-3339.
-------------------------------------
    Fix Version/s: 2.18.0
       Resolution: Fixed

> Role Based Authorisation for JMX not working as expected
> --------------------------------------------------------
>
>                 Key: ARTEMIS-3339
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3339
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: Configuration, JMX, Web Console
>    Affects Versions: 2.17.0
>            Reporter: Ivan
>            Assignee: Domenico Francesco Bruscino
>            Priority: Major
>              Labels: JMX, console, rbac, security
>             Fix For: 2.18.0
>
>         Attachments: address-settings.xml, addresses.xml, 
> artemis-roles.properties, artemis-users.properties, artemis.profile.cmd, 
> broker.xml, image-2021-06-09-23-22-51-886.png, 
> image-2021-06-09-23-29-49-670.png, management.xml, security-settings.xml
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Hello,
> I tried to specify role based authorisation in management.xml for different 
> addresses/queues (as instructed 
> [here|https://activemq.apache.org/components/artemis/documentation/latest/management.html]):
> !image-2021-06-09-23-22-51-886.png!
> In the Artemis profile config I gave the hawtio role to the corresponding users:
> _-Dhawtio.role=amq,auser,buser,cuser,duser_
> The problem is that the authorisation is not working as expected, and only 
> the FIRST "match domain" configuration is working fine.
> In my case, I tested with 4 sections as those in the screenshot above:
>  _<match domain="org.apache.activemq.artemis" key="address=*a**">..._
>  _<match domain="org.apache.activemq.artemis" key="address=*b**">..._
>  _<match domain="org.apache.activemq.artemis" key="address=*c**">..._
>  _<match domain="org.apache.activemq.artemis" key="address=*d**">..._
> When I log in using "*auser*" in the web console, I can invoke operations on 
> addresses/queues starting with "*a**", and not on the others, as I'd expect.
> But when I log in using some of the other users, for example, *buser*, I can 
> still invoke operations on queues starting with "*a*", but not on the queues 
> starting with "*b**", as I'd expect (all operations are disabled, as in the 
> screenshot below):
>  
> !image-2021-06-09-23-29-49-670.png!
>  
> It is interesting that, if I change the order of the sections in 
> management.xml, for example as follows (so address "d*" is first):
> _<match domain="org.apache.activemq.artemis" key="address=*d**">..._
>  _<match domain="org.apache.activemq.artemis" key="address=a*">..._
>  _<match domain="org.apache.activemq.artemis" key="address=b*">..._
>  _<match domain="org.apache.activemq.artemis" key="address=c*">..._
> Then for "duser" that is authorized to work with "d*" queues it works as 
> expected, but when I log in with auser, buser or cuser instead, again the same 
> problem happens that all those users can invoke operations on "d*" queues, 
> and not on the queues that they are expected to be authorized for.
> I attach all relevant configuration files for reference.
>  
> Regards,
> Ivan
>  
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
