Hi,
I'm not sure if this is the same bug, but indeed something has changed in
recent Artemis versions in regards to management.xml ACLs. We encountered this
issue https://github.com/jolokia/jolokia-integration/issues/5 . It is filed
against Jolokia, but now I'm wondering if these changes are in Artemis itself.
--
Vilius
From: Alexander Milovidov <[email protected]>
Sent: Friday, March 20, 2026 2:25 PM
To: [email protected]
Subject: Possible bug with management ACLs
Hi All!
Recently I've discovered a possible bug in Artemis 2.50.0 and later. When I
configure management ACL for sending messages on a particular address, the
permissions for sending messages are granted only for the queue on this
address. I checked if the user has permissions on the objects in the Artemis
JMX tree.
When I tried to reproduce this issue in an isolated environment, it had a
different effect: when I granted permissions on a particular address, the
permissions were granted on this address and all other addresses and queues.
Steps to reproduce on a fresh instance:
- create a user "test" with role "test-role" and add test-role to hawtio roles;
- create address TEST.IN with TEST.IN queue;
- add an example management ACL to management.xml role-access section:
<match domain="org.apache.activemq.artemis"
       key="address=TEST.IN">
  <access method="send*" roles="amq,test-role"/>
  <access method="*" roles="amq"/>
</match>
Also I've mentioned that when I configure JMX exporter as javaagent (which
requires java option -Dcom.sun.management.jmxremote=true), all ACLs on mbeans
have no effect. Any operations for all users are available regardless of
configured management ACLs. Anyway I plan to get rid of the JMX exporter.
Both problems are reproduced in versions 2.50.0 - 2.52.0 and not reproduced in
previous versions.
I'll later try to configure the same management ACLs using security-settings in
broker.xml.
--
Regards,
Alexander
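
Added example, not part of the thread and not Artemis code: a small evaluator that computes which roles the role-access fragment from the report would be expected to grant for a given MBean and method, so the result can be compared with what the JMX tree actually allows on 2.50.0 - 2.52.0. The matching rules (domain plus key=value lookup, exact method before longest prefix before "*"), the ObjectName layout, the broker name and the sample method names are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed input: the <match> from the report inside a <role-access> root.
ROLE_ACCESS = """<role-access>
  <match domain="org.apache.activemq.artemis" key="address=TEST.IN">
    <access method="send*" roles="amq,test-role"/>
    <access method="*" roles="amq"/>
  </match>
</role-access>"""

# Constructed ObjectNames; the broker name "0.0.0.0" is an assumption.
BASE = 'org.apache.activemq.artemis:broker="0.0.0.0",component=addresses,'
ADDRESS = BASE + 'address="TEST.IN"'
QUEUE = ADDRESS + ',subcomponent=queues,routing-type="anycast",queue="TEST.IN"'
OTHER = BASE + 'address="OTHER"'

def parse_object_name(name):
    """Split 'domain:k=v,...' into (domain, props). Quotes are dropped;
    values that themselves contain commas are not handled."""
    domain, _, props = name.partition(":")
    pairs = (p.split("=", 1) for p in props.split(",") if "=" in p)
    return domain, {k.strip(): v.strip().strip('"') for k, v in pairs}

def expected_roles(xml_text, object_name, method):
    """Roles the ACL text grants for `method`, or None if no <match> applies.
    Assumed model: exact method name beats the longest 'prefix*', '*' is last."""
    domain, props = parse_object_name(object_name)
    for match in ET.fromstring(xml_text).iter("match"):
        key, _, value = (match.get("key") or "").partition("=")
        if match.get("domain") != domain or (key and props.get(key) != value):
            continue
        best_score, best_roles = -1, set()
        for access in match.iter("access"):
            pattern = access.get("method", "")
            if pattern == method:
                score = float("inf")
            elif pattern.endswith("*") and method.startswith(pattern[:-1]):
                score = len(pattern) - 1
            else:
                continue
            if score > best_score:
                roles = access.get("roles", "").split(",")
                best_score, best_roles = score, {r.strip() for r in roles if r.strip()}
        return best_roles
    return None

if __name__ == "__main__":
    for label, name in (("address", ADDRESS), ("queue", QUEUE), ("other", OTHER)):
        for method in ("sendMessage", "pause"):
            print(label, method, expected_roles(ROLE_ACCESS, name, method))
```

A result of None means no match element applies and the default-access section of management.xml decides; any operation that succeeds for a role outside the returned set is a discrepancy worth attaching to the bug report.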