I've actually tried with regex before but could still call destroyQueue() on
those queues, hence my previous assumption that regexes don't work. I have
now tried with a simple purge() command and I can confirm that regexes in keys
work. It looks like destroyQueue (and destroyAddress) are not bound to the queue
and can only be called using the org.apache.activemq.artemis:broker="brokername"
MBean, so naturally the following match doesn't prevent destroyQueue usage:

    <match domain="org.apache.activemq.artemis">
        <access method="list*" roles="developer,amq"/>
        <access method="get*" roles="developer,amq"/>
        <access method="is*" roles="developer,amq"/>
        <access method="set*" roles="amq"/>
        <!-- Note: count and browse are needed to access the browse tab in the
             console -->
        <access method="browse*" roles="developer,amq"/>
        <access method="count*" roles="developer,amq"/>
        <access method="destroyQueue" roles="developer,amq"/>
        <access method="*" roles="amq"/>
    </match>
    <match domain="org.apache.activemq.artemis"
           key="queue=(DLQ|ExpireQueue)">
        <access method="list*" roles="developer,amq"/>
        <access method="get*" roles="developer,amq"/>
        <access method="is*" roles="developer,amq"/>
        <access method="browse*" roles="developer,amq"/>
        <access method="count*" roles="developer,amq"/>
        <access method="*" roles="amq"/>
    </match>

I have also tried with a negative regex and moving the destroyQueue method to
the key'ed match. It still doesn't work.
Are there any other methods to limit destroyQueue functionality to just a
particular set of queues?
--
Vilius
-----Original Message-----
From: Justin Bertram
Sent: Wednesday, April 23, 2025 10:25 PM
Subject: Re: regex key support in management.xml
The underlying code uses regular expressions so doing so in management.xml
should also work. That said, I'd recommend using this key instead of what you
originally proposed:
key="queue=(DLQ|ExpireQueue)"
Justin
On Tue, Apr 22, 2025 at 4:39 AM Vilius Šumskas wrote:
> Hello,
>
> as an additional measure to lock down our environments I want some
> roles to be able to create/delete queues and addresses, but limit what
> they can do with system addresses/queues, like DLQ, ExpireQueue,
> activemq.notifications, etc.
>
> Is there a way to define these objects in management.xml using regular
> expressions? I went through
> https://activemq.apache.org/components/artemis/documentation/latest/management.html#role-based-authorisation-for-jmx
> but I found only examples with basic wildcard support. Is it possible
> to have a match for <match domain="org.apache.activemq.artemis"
> key="queue=DLQ|queue=ExpireQueue"> ? Are there any other methods to
> apply the same management policy to all system queues?
>
> --
> Best Regards,
>
> Vilius Šumskas
> Rivile
> IT manager
>
>
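
The behaviour reported at the top of this thread can be reproduced with a small model of the ACL lookup. This is an example added here, not code from the thread or from Artemis; the precedence of keyed matches, the whole-value regex match and the queue ObjectName are assumptions of the model.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the two <match> blocks from the thread, trimmed.
ACL_XML = """<role-access>
  <match domain="org.apache.activemq.artemis">
    <access method="destroyQueue" roles="developer,amq"/>
    <access method="*" roles="amq"/>
  </match>
  <match domain="org.apache.activemq.artemis" key="queue=(DLQ|ExpireQueue)">
    <access method="list*" roles="developer,amq"/>
    <access method="*" roles="amq"/>
  </match>
</role-access>"""

# Constructed ObjectNames: the broker MBean named in the thread and a queue MBean.
BROKER = 'org.apache.activemq.artemis:broker="brokername"'
DLQ = BROKER + ',component=addresses,address="DLQ",subcomponent=queues,routing-type="anycast",queue="DLQ"'

def parse_object_name(name):
    """Split 'domain:k1=v1,k2="v2"' into (domain, {key: unquoted value})."""
    domain, _, props = name.partition(":")
    return domain, {k: v.strip('"') for k, v in (p.split("=", 1) for p in props.split(","))}

def roles_for(acl_xml, object_name, operation):
    """Roles the modelled ACL allows to invoke `operation` on `object_name`."""
    domain, props = parse_object_name(object_name)
    keyed, unkeyed = [], []
    for match in ET.fromstring(acl_xml).iter("match"):
        if match.get("domain") != domain:
            continue
        k, _, pattern = (match.get("key") or "").partition("=")
        if not k:
            unkeyed.append(match)
        # Assumption: the pattern must match the whole (unquoted) property value.
        elif k in props and re.fullmatch(pattern, props[k]):
            keyed.append(match)
    # Assumption: a keyed match that applies takes precedence over the domain-only one.
    for match in keyed or unkeyed:
        rules = {a.get("method"): set(a.get("roles").split(",")) for a in match.iter("access")}
        if operation in rules:  # exact method name first
            return rules[operation]
        for method in sorted(rules, key=len, reverse=True):  # then longest wildcard prefix
            if method.endswith("*") and operation.startswith(method[:-1]):
                return rules[method]
    return set()
```

In this model the keyed match decides purge on the DLQ queue MBean, while destroyQueue resolves against the broker MBean, whose ObjectName has no queue property, so only the domain-wide match is consulted.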