ActiveMQ Artemis address security roles application order
I have some unclear moments with security for addresses. The application order of security roles is not clear to me.
Let's imagine we add security settings for test_user (via addSecuritySettings) {send, consume, browse, ...} to ADR.TEST.#. According to the wildcard docs, these settings will apply to ADR.TEST.IN. And it's true, if I check via Hawtio getRolesAsJson().
Then I give, with the same actions, the same security settings for another_user to ADR.TEST.IN. As a result I have 2 users (test_user, another_user) with the same permissions for ADR.TEST.IN.
If I then do the same step for a third user, last_user, on ADR.TEST.#, last_user would not have any permissions for ADR.TEST.IN, which matches ADR.TEST.#.
Is it a bug or a feature?
UPD: Code example:
```java
ActiveMQServerControl activeMQServerControl;
...
activeMQServerControl.addSecuritySettings("ADR.TEST.#", "test_user", "test_user", "test_user", "test_user", "test_user", "test_user", "test_user");
activeMQServerControl.addSecuritySettings("ADR.TEST.IN", "another_user,test_user", "another_user,test_user", "another_user,test_user", "another_user,test_user", "another_user,test_user", "another_user,test_user", "another_user,test_user");
activeMQServerControl.addSecuritySettings("ADR.TEST.#", "test_user,last_user", "test_user,last_user", "test_user,last_user", "test_user,last_user", "test_user,last_user", "test_user,last_user", "test_user,last_user");
```
This is the output of activeMQServerControl.getRolesAsJSON("ADR.TEST.IN") after the first assignment:
```json
[{"name":"test_user","send":true,"consume":true,"createDurableQueue":true,"deleteDurableQueue":true,"createNonDurableQueue":true,"deleteNonDurableQueue":true,"manage":true,"browse":false,"createAddress":false,"deleteAddress":false}]
```
After the second:
```json
[{"name":"test_user","send":true,"consume":true,"createDurableQueue":true,"deleteDurableQueue":true,"createNonDurableQueue":true,"deleteNonDurableQueue":true,"manage":true,"browse":false,"createAddress":false,"deleteAddress":false},{"name":"another_user","send":true,"consume":true,"createDurableQueue":true,"deleteDurableQueue":true,"createNonDurableQueue":true,"deleteNonDurableQueue":true,"manage":true,"browse":false,"createAddress":false,"deleteAddress":false}]
```
Same output after the third:
```json
[{"name":"test_user","send":true,"consume":true,"createDurableQueue":true,"deleteDurableQueue":true,"createNonDurableQueue":true,"deleteNonDurableQueue":true,"manage":true,"browse":false,"createAddress":false,"deleteAddress":false},{"name":"another_user","send":true,"consume":true,"createDurableQueue":true,"deleteDurableQueue":true,"createNonDurableQueue":true,"deleteNonDurableQueue":true,"manage":true,"browse":false,"createAddress":false,"deleteAddress":false}]
```
So my question is about the last operation. I gave permissions to last_user for ADR.TEST.#, but there are no permissions for ADR.TEST.IN.
Solution 1:[1]
ActiveMQ Artemis selects only the security settings with the most specific match to get the roles for an address.
In your case the security settings with the most specific match are:
```java
activeMQServerControl.addSecuritySettings("ADR.TEST.IN", "another_user,test_user", "another_user,test_user", "another_user,test_user", "another_user,test_user", "another_user,test_user", "another_user,test_user", "another_user,test_user");
```
To add the last_user role you should update the security settings with the match ADR.TEST.IN, i.e.:
```java
activeMQServerControl.addSecuritySettings("ADR.TEST.IN", "another_user,test_user,last_user", "another_user,test_user,last_user", "another_user,test_user,last_user", "another_user,test_user,last_user", "another_user,test_user,last_user", "another_user,test_user,last_user", "another_user,test_user,last_user");
```
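The behaviour described in the answer, as an added example that is not part of the original post and not Artemis code: a simplified Python model of "most specific match wins, roles are not merged", replaying the three calls from the question and listing grants that a more specific match shadows. The function names and the specificity ordering (more literal words first, then `*` before `#`) are assumptions of this sketch, and each setting is reduced to one role set because the question passes the same list for every permission.

```python
# Simplified model of most-specific-match role resolution (assumption, not Artemis source).

def matches(pattern, address):
    """Artemis wildcard syntax: '.' separates words, '*' = one word, '#' = zero or more words."""
    def rec(p, a):
        if not p:
            return not a
        if p[0] == "#":
            return any(rec(p[1:], a[i:]) for i in range(len(a) + 1))
        return bool(a) and p[0] in ("*", a[0]) and rec(p[1:], a[1:])
    return rec(pattern.split("."), address.split("."))

def specificity(pattern):
    # Assumed ordering: more literal words win, then fewer '#', then fewer '*'.
    words = pattern.split(".")
    literals = sum(w not in ("*", "#") for w in words)
    return (literals, -words.count("#"), -words.count("*"))

def effective_roles(settings, address):
    """Roles of the single most specific matching setting; nothing is inherited."""
    hits = [m for m in settings if matches(m, address)]
    return settings[max(hits, key=specificity)] if hits else set()

def shadowed_grants(settings, address):
    """Roles granted by a matching setting that the effective setting does not carry."""
    effective = effective_roles(settings, address)
    return {m: roles - effective for m, roles in settings.items()
            if matches(m, address) and roles - effective}

def replay():
    # Constructed from the three addSecuritySettings calls in the question.
    # Assumption: a later call for the same match replaces the earlier one.
    settings = {}
    settings["ADR.TEST.#"] = {"test_user"}
    settings["ADR.TEST.IN"] = {"another_user", "test_user"}
    settings["ADR.TEST.#"] = {"test_user", "last_user"}
    return settings

if __name__ == "__main__":
    s = replay()
    print(sorted(effective_roles(s, "ADR.TEST.IN")))   # exact match wins
    print(sorted(effective_roles(s, "ADR.TEST.OUT")))  # falls back to ADR.TEST.#
    print(shadowed_grants(s, "ADR.TEST.IN"))           # last_user is shadowed
```

The same shadowing works in the other direction: removing a role from the `ADR.TEST.#` setting does not remove it from `ADR.TEST.IN`, so a review of address permissions has to check every more specific match as well.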
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 |
