Hello!
We are using ActiveMQ Artemis with versions 2.28.0 - 2.29.0 and we have a lot
of clients which can use some other versions and implementations.
Some clients use ActiveMQ classic client library.
When user tries to connect with OPENWIRE protocol and send a message to the
queue to which it has no permissions, it causes an exception on the server:
2023-08-01 11:01:24,469 WARN
[org.apache.activemq.artemis.core.protocol.openwire.OpenWireConnection] Errors
occurred during the buffering operation
org.apache.activemq.artemis.api.core.ActiveMQSecurityException: AMQ229032:
User: test does not have permission='CREATE_ADDRESS' on address TEST
at
org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:305)
~[artemis-server-2.30.0.jar:2.30.0]
at
org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:227)
~[artemis-server-2.30.0.jar:2.30.0]
at
org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.securityCheck(ServerSessionImpl.java:503)
~[artemis-server-2.30.0.jar:2.30.0]
at
org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.createAddress(ServerSessionImpl.java:972)
~[artemis-server-2.30.0.jar:2.30.0]
at
org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.createAddress(ServerSessionImpl.java:962)
~[artemis-server-2.30.0.jar:2.30.0]
at
org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.checkAutoCreate(ServerSessionImpl.java:1794)
~[artemis-server-2.30.0.jar:2.30.0]
at
org.apache.activemq.artemis.core.protocol.openwire.OpenWireConnection.addDestination(OpenWireConnection.java:902)
~[artemis-openwire-protocol-2.30.0.jar:2.30.0]
at
org.apache.activemq.artemis.core.protocol.openwire.OpenWireConnection$CommandProcessor.processAddProducer(OpenWireConnection.java:1237)
~[artemis-openwire-protocol-2.30.0.jar:2.30.0]
at
org.apache.activemq.command.ProducerInfo.visit(ProducerInfo.java:108)
~[activemq-client-5.17.2.jar:5.17.2]
at
org.apache.activemq.artemis.core.protocol.openwire.OpenWireConnection.act(OpenWireConnection.java:369)
~[artemis-openwire-protocol-2.30.0.jar:2.30.0]
at
org.apache.activemq.artemis.utils.actors.ThresholdActor.doTask(ThresholdActor.java:68)
~[artemis-commons-2.30.0.jar:?]
at
org.apache.activemq.artemis.utils.actors.ProcessorBase.executePendingTasks(ProcessorBase.java:68)
~[artemis-commons-2.30.0.jar:?]
at
org.apache.activemq.artemis.utils.actors.OrderedExecutor.doTask(OrderedExecutor.java:57)
~[artemis-commons-2.30.0.jar:?]
at
org.apache.activemq.artemis.utils.actors.OrderedExecutor.doTask(OrderedExecutor.java:32)
~[artemis-commons-2.30.0.jar:?]
at
org.apache.activemq.artemis.utils.actors.ProcessorBase.executePendingTasks(ProcessorBase.java:68)
~[artemis-commons-2.30.0.jar:?]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
[?:?]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
[?:?]
at
org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
[artemis-commons-2.30.0.jar:?]
Similar error happens when consuming from non-existing queue to which it has no
permissinos to create.
It is easy to reproduce in Artemis 2.28.0 - 2.30.0. I have created Artemis
instance with following settings:
artemis create --user admin --password admin --require-login
path/to/artemis-instance-2.30.0
Then I have created (by editing manually artemis-users.properties and
artemis-roles.properties, but you can use artemis user add command) user "test"
with password "test" and role "test".
I have used A utility (https://github.com/fmtn/a) to send a test message to
non-existing test queue (to which test user has no permissions):
a -b tcp://localhost:61616 -U test -P test -p "test" TEST
(it uses OPENWIRE protocol by default).
We have shared test instance of ActiveMQ Artemis 2.29.0 where lots of
misconfigured clients cause such exceptions at several times per second, and I
have found another exception which looks like previous (but caused by other
client error and has NullPointerException):
2023-08-01 09:45:00,432 WARN
[org.apache.activemq.artemis.core.protocol.openwire.OpenWireConnection] Errors
occurred during the buffering operation
java.lang.NullPointerException: null
2023-08-01 09:45:00,432 WARN
[org.apache.activemq.artemis.core.protocol.openwire.OpenWireConnection] Errors
occurred during the buffering operation
java.lang.NullPointerException: null
2023-08-01 09:45:00,432 WARN
[org.apache.activemq.artemis.core.protocol.openwire.OpenWireConnection] Errors
occurred during the buffering operation
javax.jms.IllegalStateException: Cannot add a consumer to a connection that had
not been registered: ID:srv-12345-1111111111111-11:1
at
org.apache.activemq.artemis.core.protocol.openwire.OpenWireConnection.addConsumer(OpenWireConnection.java:950)
~[artemis-openwire-protocol-2.29.0.jar:2.29.0]
at
org.apache.activemq.artemis.core.protocol.openwire.OpenWireConnection$CommandProcessor.processAddConsumer(OpenWireConnection.java:1253)
~[artemis-openwire-protocol-2.29.0.jar:2.29.0]
at
org.apache.activemq.command.ConsumerInfo.visit(ConsumerInfo.java:352)
~[activemq-client-5.17.2.jar:5.17.2]
at
org.apache.activemq.artemis.core.protocol.openwire.OpenWireConnection.act(OpenWireConnection.java:370)
[artemis-openwire-protocol-2.29.0.jar:2.29.0]
at
org.apache.activemq.artemis.core.protocol.openwire.OpenWireConnection.bufferReceived(OpenWireConnection.java:313)
[artemis-openwire-protocol-2.29.0.jar:2.29.0]
at
org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:698)
[artemis-server-2.29.0.jar:2.29.0]
at
org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73)
[artemis-core-client-2.29.0.jar:2.29.0]
at
io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
[netty-transport-4.1.93.Final.jar:4.1.93.Final]
at
io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
[netty-transport-4.1.93.Final.jar:4.1.93.Final]
at
io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
[netty-transport-4.1.93.Final.jar:4.1.93.Final]
at
io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:346)
[netty-codec-4.1.93.Final.jar:4.1.93.Final]
at
io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:318)
[netty-codec-4.1.93.Final.jar:4.1.93.Final]
at
io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
[netty-transport-4.1.93.Final.jar:4.1.93.Final]
at
io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
[netty-transport-4.1.93.Final.jar:4.1.93.Final]
at
io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
[netty-transport-4.1.93.Final.jar:4.1.93.Final]
at
io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
[netty-transport-4.1.93.Final.jar:4.1.93.Final]
at
io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
[netty-transport-4.1.93.Final.jar:4.1.93.Final]
at
io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
[netty-transport-4.1.93.Final.jar:4.1.93.Final]
at
io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
[netty-transport-4.1.93.Final.jar:4.1.93.Final]
at
io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:800)
[netty-transport-classes-epoll-4.1.93.Final.jar:4.1.93.Final]
at
io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:499)
[netty-transport-classes-epoll-4.1.93.Final.jar:4.1.93.Final]
at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:397)
[netty-transport-classes-epoll-4.1.93.Final.jar:4.1.93.Final]
at
io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
[netty-common-4.1.93.Final.jar:4.1.93.Final]
at
io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
[netty-common-4.1.93.Final.jar:4.1.93.Final]
at
org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
[artemis-commons-2.29.0.jar:?]
I did not try to reproduce this issue because it looks more complicated.
Is it fine that lack of authorization or some other client error causes an
exception? It happens only with OPENWIRE clients.
--
Best regards,
Aleksandr Milovidov
-----------------------------------
This message and any attachment are confidential and may be privileged or
otherwise protected from disclosure. If you are not the intended recipient any
use, distribution, copying or disclosure is strictly prohibited. If you have
received this message in error, please notify the sender immediately either by
telephone or by e-mail and delete this message and any attachment from your
system. Correspondence via e-mail is for information purposes only. AO
Raiffeisenbank neither makes nor accepts legally binding statements by e-mail
unless otherwise agreed.
-----------------------------------
