Hi Alexander,

are you verifying those permissions through the console UI? If so,
you've likely hit ARTEMIS-5905[1], which is thankfully just a UI bug.
Your ACLs should still apply correctly whenever you actually execute a
management operation.

Regarding your JMX setup, you can go ahead and drop the
-Dcom.sun.management.jmxremote=true option. It isn't required when
configuring the JMX exporter as a javaagent. For a practical example,
check out the restricted mode in the ArkMQ Broker Operator source[2].

[1] https://issues.apache.org/jira/browse/ARTEMIS-5905
[2] https://github.com/arkmq-org/activemq-artemis-operator/blob/v2.1.4/controllers/activemqartemis_reconciler.go#L2340

Regards,
Domenico

On Fri, 20 Mar 2026 at 14:46, Vilius Šumskas via users
<[email protected]> wrote:
>
> Sure, as soon as tarball is available on the website.
>
> --
>     Vilius
>
> >-----Original Message-----
> >From: Clebert Suconic <[email protected]>
> >Sent: Friday, March 20, 2026 3:39 PM
> >To: [email protected]
> >Cc: Vilius Šumskas <[email protected]>
> >Subject: Re: Possible bug with management ACLs
> >
> >I'm about to release 2.53.0. Can you try in that version?
> >
> >On Fri, Mar 20, 2026 at 9:12 AM Vilius Šumskas via users
> ><[email protected]> wrote:
> >>
> >> Hi,
> >>
> >>
> >>
> >> I'm not sure if this is the same bug, but indeed something has changed in
> >> recent Artemis versions in regards to management.xml ACLs. We encountered
> >> this issue https://github.com/jolokia/jolokia-integration/issues/5. It is
> >> filed against Jolokia, but now I'm wondering if these changes are in
> >> Artemis itself.
> >>
> >>
> >>
> >> --
> >>
> >>     Vilius
> >>
> >>
> >>
> >> From: Alexander Milovidov <[email protected]>
> >> Sent: Friday, March 20, 2026 2:25 PM
> >> To: [email protected]
> >> Subject: Possible bug with management ACLs
> >>
> >>
> >>
> >> Hi All!
> >>
> >>
> >>
> >> Recently I've discovered a possible bug in Artemis 2.50.0 and later. When I
> >> configure management ACL for sending messages on a particular address, the
> >> permissions for sending messages are granted only for the queue on this
> >> address. I checked if the user has permissions on the objects in the
> >> Artemis JMX tree.
> >>
> >> When I tried to reproduce this issue in an isolated environment, it had a
> >> different effect: when I granted permissions on a particular address, the
> >> permissions were granted on this address and all other addresses and queues.
> >>
> >>
> >>
> >> Steps to reproduce on a fresh instance:
> >>
> >> - create a user "test" with role "test-role" and add test-role to
> >> hawtio roles;
> >>
> >> - create address TEST.IN with TEST.IN queue.
> >>
> >> - add an example management ACL to management.xml role-access section:
> >>
> >> <match domain="org.apache.activemq.artemis" key="address=TEST.IN">
> >>
> >>    <access method="send*" roles="amq,test-role"/>
> >>    <access method="*" roles="amq"/>
> >>
> >> </match>
> >>
> >>
> >>
> >> Also I've mentioned that when I configure JMX exporter as javaagent (which
> >> requires java option -Dcom.sun.management.jmxremote=true), all ACLs on
> >> mbeans have no effect. Any operations for all users are available
> >> regardless of configured management ACLs. Anyway I plan to get rid of the
> >> JMX exporter.
> >>
> >>
> >>
> >> Both problems are reproduced in versions 2.50.0 - 2.52.0 and not
> >> reproduced in previous versions.
> >>
> >> I'll later try to configure the same management ACLs using
> >> security-settings in broker.xml.
> >>
> >>
> >>
> >> --
> >>
> >> Regards,
> >>
> >> Alexander
> >
> >
> >
> >--
> >Clebert Suconic
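
To compare what the console shows with what the ACL in the original report should permit, here is an added example (not from the thread or the Artemis code base) that evaluates that role-access fragment against constructed MBean ObjectNames. It assumes a match applies when its key equals any key=value property of the ObjectName with quotes stripped, and that methods resolve by exact name, then longest `prefix*`, then `*`; all helper names are hypothetical.

```python
import xml.etree.ElementTree as ET

# role-access fragment from the report (constructed wrapper, no XML namespace)
ACL_XML = """<role-access>
  <match domain="org.apache.activemq.artemis" key="address=TEST.IN">
    <access method="send*" roles="amq,test-role"/>
    <access method="*" roles="amq"/>
  </match>
</role-access>"""

# Constructed ObjectNames for the address, its queue, and an unrelated address
ADDRESS = 'org.apache.activemq.artemis:broker="0.0.0.0",component=addresses,address="TEST.IN"'
QUEUE = ADDRESS + ',subcomponent=queues,routing-type="anycast",queue="TEST.IN"'
OTHER = 'org.apache.activemq.artemis:broker="0.0.0.0",component=addresses,address="OTHER"'

def parse_object_name(name):
    # 'domain:k=v,...' -> (domain, {'k=v', ...}); values with commas not handled
    domain, _, props = name.partition(":")
    return domain, {p.replace('"', "") for p in props.split(",")}

def roles_for(acl_xml, object_name, method):
    # Roles expected for `method`, or None when no <match> applies
    # (the broker's default-access rules are not modelled here).
    domain, props = parse_object_name(object_name)
    for match in ET.fromstring(acl_xml).iter("match"):
        key = match.get("key")
        if match.get("domain") != domain or (key and key not in props):
            continue
        rules = {a.get("method"): [r.strip() for r in a.get("roles").split(",")]
                 for a in match.iter("access")}
        if method in rules:                                # 1. exact name
            return rules[method]
        hits = [m for m in rules
                if m.endswith("*") and m != "*" and method.startswith(m[:-1])]
        if hits:                                           # 2. longest prefix*
            return rules[max(hits, key=len)]
        return rules.get("*")                              # 3. catch-all
    return None

def allowed(user_roles, object_name, method, acl_xml=ACL_XML):
    roles = roles_for(acl_xml, object_name, method)
    return None if roles is None else bool(set(user_roles) & set(roles))

if __name__ == "__main__":
    for name in (ADDRESS, QUEUE, OTHER):
        for method in ("sendMessage", "removeAllMessages"):
            print(name.rsplit(",", 1)[-1], method, allowed(["test-role"], name, method))
```

A `None` result means no match applied and the decision falls to the broker's defaults; the other results are what to compare against an actual management call made as that user.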
