Hi Domenico,

Following up on this, I decided to try adding a readonly console user with the role "amqro" and that is when I discovered that the users in HAWTIO_ROLE have unencumbered access to both the console and the Jolokia REST API.

1/ Even the user with the monitor role can log in to the console and do things like delete queues and connections.

2/ User with monitor role is able to invoke other methods than /Active e.g. /AddressMemoryUsage (verified username/password with base64 -d) -

$ curl -H 'Origin: $(hostname -i)' -H 'Authorization: Basic xxxxx' 'http://localhost:31161/console/jolokia/read/org.apache.activemq.artemis:broker=!%22artemis-0!%22/AddressMemoryUsage'
{"request":{"mbean":"org.apache.activemq.artemis:broker=\"artemis-0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638448344,"status":200}

3/ management.xml -

<management-context xmlns="http://activemq.org/schema">
  <!--<connector connector-port="1099"/>-->
  <authorisation>
    <whitelist>
      <entry domain="hawtio"/>
    </whitelist>
    <default-access>
      <access method="list*" roles="amq,amqro"/>
      <access method="get*" roles="amq,amqro"/>
      <access method="is*" roles="amq,amqro"/>
      <access method="set*" roles="amq"/>
      <access method="*" roles="amq"/>
    </default-access>
    <role-access>
      <match domain="org.apache.activemq.artemis">
        <access method="isActive" roles="amq,amqro,monitor"/>
        <access method="list*" roles="amq,amqro"/>
        <access method="get*" roles="amq,amqro"/>
        <access method="is*" roles="amq,amqro"/>
        <access method="set*" roles="amq"/>
        <access method="*" roles="amq"/>
      </match>
      <!--example of how to configure a specific object-->
      <!--<match domain="org.apache.activemq.artemis" key="subcomponent=queues">
        <access method="list*" roles="view,update,amq"/>
        <access method="get*" roles="view,update,amq"/>
        <access method="is*" roles="view,update,amq"/>
        <access method="set*" roles="update,amq"/>
        <access method="*" roles="amq"/>
      </match>-->
    </role-access>
  </authorisation>
</management-context>

4/ artemis.profile -

# Hawtio Properties
HAWTIO_ROLE='amq,amqro,monitor'

# Java Opts
if [ -z "$JAVA_ARGS" ]; then
  JAVA_ARGS="$BROKER_CONFIGS -javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.rmi.port=1098 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Dipv4addr=$(hostname -f) -Ddomain=artemis-headless.sis-247.svc.cluster.local -Dcluster.password=2b186afe-4e99-4a33-a47f-042df1fadd1d -Dcrmt.poll.cron=0_0/2_*_*_*_? -Dcrmt.jwt=mockDoesNotCheckIt -Dpage.size=2097152 -Dpaging.threshold=10485760 -Dmin.large.message.size=204800 -Dsecurity.invalidation.interval=600000 -Dhawtio.authenticationEnabled=true -Djava.net.preferIPv4Addresses=true -Djava.net.preferIPv4Stack=true -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -XX:MaxRAMFraction=2 -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+UseStringDeduplication -Dhawtio.disableProxy=true -Dhawtio.realm=activemq -Dhawtio.offline=true -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal -Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml"
fi

Do you or anyone in this group have any suggestions on how the monitor (and amqro) roles can actually be restricted? I tried adding -Dhawtio.authenticationEnabled=true but that had no effect.

Thanks for your help,
Dave

On Thu, 18 Nov 2021 at 21:34, Domenico Francesco Bruscino <bruscin...@gmail.com> wrote:

> Hi Dave,
>
> you need to add the monitor role to HAWTIO_ROLE in artemis.profile and the
> access for the isActive method in management.xml.
>
> Execute the following steps to get a working example:
>
> 1) create a new broker instance:
> ./bin/artemis create broker --user admin --password admin --require-login
>
> 2) add test user with monitor role
> echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties
>
> 3) add the monitor role to HAWTIO_ROLE in artemis.profile
> sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,monitor'/" ./broker/etc/artemis.profile
>
> 4) add the access for the isActive method in management.xml
> sed -i 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\ method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml
>
> 5) run the broker
> ./broker/bin/artemis run
>
> 6) read the Active attribute
> curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/Active
>
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
>
> Regards,
> Domenico
>
> On Thu, 18 Nov 2021 at 18:16, David Martin <dav...@qoritek.com> wrote:
>
> > Hi all,
> >
> > I'm trying to configure role access via the Jolokia REST API for the single
> > attribute "Active" on the "org.apache.activemq.artemis" domain.
> >
> > I have a user with a role "monitor" and want them to be able to access
> > nothing but the above attribute via e.g.
> > /console/jolokia/read/org.apache.activemq.artemis:broker=*/Active. The
> > manual regarding management.xml is clear about *method* access e.g. "get*"
> > but has no examples for *attribute* access.
> >
> > Having spent about an hour on it I'm really stuck. Any help would be
> > appreciated.
> >
> >
> > Cheers,
> >
> > Dave
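Since the thread turns on what the posted management.xml actually grants each role, here is a small evaluator, added as an example and not code from this thread or from the Artemis project, that loads Dave's <authorisation> block and answers "which roles may call method M on MBean X". It applies the precedence the broker's guard is assumed to use: an exact method name beats a prefix* entry, which beats *; a <match> whose domain and key fit the MBean beats <default-access>; a whitelisted domain is not checked at all; and a Jolokia attribute read is judged under its getter name (getX or isX), which is why a read of .../Active falls under the "isActive" entry. The MBean name org.apache.activemq.artemis:broker="artemis-0" is taken from Dave's curl output; destroyQueue is assumed to be the ActiveMQServerControl operation behind the console's queue delete. The script evaluates the file only and says nothing about whether the running broker installs the guard in front of its MBeanServer, which is what Dave's observations call into question.

```python
"""Who may call what under an ActiveMQ Artemis management.xml.

Added example, not code from this thread or from Artemis itself. It models,
simplified, how the broker's JMX guard reads <default-access>/<role-access>
(assumption: exact method name beats 'prefix*' beats '*'; a <match> whose
domain and key fit the MBean beats <default-access>; a whitelisted domain is
never checked). A Jolokia attribute read is judged under the getter name,
getX or isX, so a read of ".../Active" falls under "isActive". destroyQueue
below is assumed to be the server-control operation behind a queue delete.
"""
import xml.etree.ElementTree as ET

NS = "{http://activemq.org/schema}"

# The <authorisation> block as Dave posted it, embedded so this runs offline.
MANAGEMENT_XML = """<management-context xmlns="http://activemq.org/schema">
  <authorisation>
    <whitelist>
      <entry domain="hawtio"/>
    </whitelist>
    <default-access>
      <access method="list*" roles="amq,amqro"/>
      <access method="get*" roles="amq,amqro"/>
      <access method="is*" roles="amq,amqro"/>
      <access method="set*" roles="amq"/>
      <access method="*" roles="amq"/>
    </default-access>
    <role-access>
      <match domain="org.apache.activemq.artemis">
        <access method="isActive" roles="amq,amqro,monitor"/>
        <access method="list*" roles="amq,amqro"/>
        <access method="get*" roles="amq,amqro"/>
        <access method="is*" roles="amq,amqro"/>
        <access method="set*" roles="amq"/>
        <access method="*" roles="amq"/>
      </match>
    </role-access>
  </authorisation>
</management-context>"""


def parse_object_name(name):
    """'domain:k1=v1,k2="v2"' -> (domain, {k: unquoted v}); commas inside values are not handled."""
    domain, _, props = name.partition(":")
    pairs = (p.partition("=") for p in props.split(",") if p)
    return domain, {k: v.strip('"') for k, _, v in pairs}


def _accesses(parent):
    # [(method pattern, [roles])] for every <access> under `parent`
    return [(a.get("method"), [r for r in a.get("roles", "").replace(" ", "").split(",") if r])
            for a in parent.findall(NS + "access")]


def _match_method(acc, method):
    """Exact name first, then the longest matching 'prefix*', then '*'."""
    for pat, roles in acc:
        if pat == method:
            return roles
    prefixed = [(pat, roles) for pat, roles in acc
                if len(pat) > 1 and pat.endswith("*") and method.startswith(pat[:-1])]
    if prefixed:
        return max(prefixed, key=lambda pr: len(pr[0]))[1]
    return next((roles for pat, roles in acc if pat == "*"), None)


class Acl:
    def __init__(self, xml_text):
        auth = ET.fromstring(xml_text).find(NS + "authorisation")
        self.whitelist = {e.get("domain") for e in auth.findall(f"{NS}whitelist/{NS}entry")}
        self.default = _accesses(auth.find(NS + "default-access"))
        self.matches = [(m.get("domain"), m.get("key"), _accesses(m))
                        for m in auth.findall(f"{NS}role-access/{NS}match")]

    def roles_for(self, mbean, method):
        """Roles that may call `method` on `mbean`; None means not guarded at all."""
        domain, keys = parse_object_name(mbean)
        if domain in self.whitelist:
            return None
        best = None  # a keyed <match> beats a domain-only one beats <default-access>
        for dom, key, acc in self.matches:
            if dom != domain:
                continue
            k, _, v = (key or "").partition("=")
            if key is None and best is None:
                best = acc
            elif key is not None and keys.get(k) == v.strip('"'):
                best = acc
        roles = _match_method(best, method) if best else None
        return roles if roles is not None else (_match_method(self.default, method) or [])

    def allowed(self, role, mbean, method):
        roles = self.roles_for(mbean, method)
        return roles is None or role in roles


ACL = Acl(MANAGEMENT_XML)
BROKER = 'org.apache.activemq.artemis:broker="artemis-0"'  # from Dave's curl output

if __name__ == "__main__":  # isActive = read of .../Active; getAddressMemoryUsage = Dave's point 2
    for m in ("isActive", "getAddressMemoryUsage", "destroyQueue"):
        print(f"{m:22s} -> {ACL.roles_for(BROKER, m)}")
    print("hawtio:* guarded?      ->", ACL.roles_for("hawtio:type=Registry", "x") is not None)
```

Run as-is it reports that isActive resolves to amq, amqro and monitor, getAddressMemoryUsage (like every get*/list*/is* call) to amq and amqro, destroyQueue to amq alone, and anything under the whitelisted hawtio domain to no check at all. As written, then, the file does not grant monitor the AddressMemoryUsage read that returned 200 in point 2, nor amqro or monitor the operations behind a queue delete; the gap between that and the observed behaviour is what remains to be explained, and the evaluator also accepts a keyed <match> such as the commented-out subcomponent=queues example in the file, so the same check can be run once that is enabled.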