Hi Team,

As part of our project requirement we need to restrict non-amq users (LDAP 
users) from performing write & execute operations inside the Jolokia console 
(connection, session, consumer, producer), and we need to grant them only the 
send-message permission. We were able to achieve this in version 2.18 by 
removing the non-amq role (the LDAP users' role) from the <role-access> block in 
the management.xml below and by giving only the send permission in broker.xml, 
which works fine as expected. However, when we apply the same configuration in 
2.23.1 it does not work: it allows non-amq users to perform any write/execute 
operation, which we do not want. So I am looking for your suggestion on how we 
can achieve the same in Apache Artemis 2.23.1. Please let us know if you need 
more details. Thank you.

2.18 management.xml file –

<role-access>
   <match domain="org.apache.activemq.artemis">
      <access method="list*" roles="amq"/>
      <access method="get*" roles="amq"/>
      <access method="is*" roles="amq"/>
      <access method="set*" roles="amq"/>
      <access method="*" roles="amq"/>
   </match>
</role-access>


2.18.1 broker.xml file – In this file we give only the send permission to our 
LDAP users' role.

<security-settings>
   <security-setting match="#">
      <permission type="createNonDurableQueue" roles="amq"/>
      <permission type="deleteNonDurableQueue" roles="amq"/>
      <permission type="createDurableQueue" roles="amq"/>
      <permission type="deleteDurableQueue" roles="amq"/>
      <permission type="createAddress" roles="amq"/>
      <permission type="deleteAddress" roles="amq"/>
      <permission type="consume" roles="amq"/>
      <permission type="browse" roles="amq"/>
      <permission type="send" roles="amq,EAI_Administrator_G"/>
   </security-setting>
</security-settings>



With the above changes, when we log in to the 2.18 Jolokia console as a non-amq 
role user (LDAP user) and navigate to any tab such as connections, sessions, 
consumers or producers, we get the restriction message below, which is correct 
according to the above changes and is exactly our requirement. Please suggest 
how we can achieve the same in 2.23.1. Thank you.

The snapshot below is from 2.18.
[attached screenshot: image003.png]


We just need to grant the send-message permission to any non-amq role user, as below.

[attached screenshot: image002.png]


Thank you,
Nilesh
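
For reference, the following is the shape of a complete management.xml authorisation section that matches the policy described in the post above: the LDAP role is kept out of every management rule, so the broker's management RBAC grants that role no JMX/Jolokia access at all, and the only thing it can do is what broker.xml's send permission allows. This is an added illustration, not Nilesh's file and not code from the Artemis project; the element layout (<authorisation>, <whitelist>, <default-access>, <role-access>) follows the broker's stock management.xml as I understand it, and the role name EAI_Administrator_G is taken from the broker.xml snippet above. The practical point it adds is <default-access>: it governs any MBean that no <match> covers, so a role left in there still gets management access even after it has been removed from <role-access>. Whether this alone is sufficient on 2.23.1 is the open question of the thread; the fragment only shows the two places to check.

```xml
<?xml version="1.0"?>
<!-- Illustrative management.xml (not the poster's file). Assumes the stock
     Artemis layout: <authorisation> holding <whitelist>, <default-access>
     and <role-access>. Role names: amq (broker admins) and
     EAI_Administrator_G (the LDAP users' role from broker.xml). -->
<management-context xmlns="http://activemq.org/schema">
   <authorisation>
      <!-- MBean domains exempt from RBAC. The stock file whitelists only
           hawtio's own beans; nothing from the broker should be added here. -->
      <whitelist>
         <entry domain="hawtio"/>
      </whitelist>

      <!-- Applies to every MBean that no <match> below covers. The LDAP role
           must be absent here too, otherwise an unmatched MBean would still
           let EAI_Administrator_G read or execute through Jolokia. -->
      <default-access>
         <access method="list*" roles="amq"/>
         <access method="get*" roles="amq"/>
         <access method="is*" roles="amq"/>
         <access method="set*" roles="amq"/>
         <access method="*" roles="amq"/>
      </default-access>

      <!-- Broker MBeans: read (list*/get*/is*), write (set*) and every
           other operation (*) are all limited to amq. Because the LDAP role
           is not listed on any method pattern, the console's connection,
           session, consumer and producer views are denied for it. -->
      <role-access>
         <match domain="org.apache.activemq.artemis">
            <access method="list*" roles="amq"/>
            <access method="get*" roles="amq"/>
            <access method="is*" roles="amq"/>
            <access method="set*" roles="amq"/>
            <access method="*" roles="amq"/>
         </match>
      </role-access>
   </authorisation>
</management-context>
```

Two things worth verifying on the 2.23.1 broker: that this file is the one the running instance actually loads (the console enforces the rules read at startup, so a stale copy in another instance directory will not apply), and that the LDAP role does not reach the amq role through a role-mapping or group-nesting rule in the login.config / LDAP module, since in that case the role listed on every method pattern is effectively granted anyway.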

