Specifying a <tempDestinationAuthorizationEntry> with a groupClass property in the broker's authorizationPlugin configuration does not work
Environment
- Red Hat JBoss A-MQ 6.0
- Red Hat JBoss A-MQ 6.1
Issue
- Running the ActiveMQ broker embedded inside Karaf (as with JBoss A-MQ), I want to set an access control list for temporary queues as well.
- Trying the following configuration:
  <authorizationPlugin>
    <map>
      <authorizationMap groupClass="org.apache.karaf.jaas.boot.principal.RolePrincipal">
        <authorizationEntries>
          <authorizationEntry queue=">" read="admin" write="client,admin" admin="client,admin" />
          <authorizationEntry topic=">" read="client,admin" write="admin" admin="admin"/>
          <authorizationEntry topic="ActiveMQ.Advisory.>" read="admin,client" write="admin,client" admin="admin"/>
        </authorizationEntries>
        <tempDestinationAuthorizationEntry>
          <tempDestinationAuthorizationEntry read="client,admin" write="client,admin"
              admin="admin" groupClass="org.apache.karaf.jaas.boot.principal.RolePrincipal"/>
        </tempDestinationAuthorizationEntry>
      </authorizationMap>
    </map>
  </authorizationPlugin>
- However, the configuration for temp destinations is not applied correctly. Any JMS client with the right 'admin' role fails to create a new temp destination.
- Can't create temporary queue. The Java code for retrieving the statistics is based on the example at http://activemq.apache.org/statisticsplugin.html. The code basically does a lookup of the ActiveMQ resource adapter, then opens a connection and a non-transacted/auto-ack session. Then it creates a temporary queue with a consumer, creates a statistics queue with a producer, and sends a message on the statistics queue with a replyto for the temporary queue. After that it waits for (max.) a second for a message to be returned on the temporary queue and closes the connection again.
- The application communicates with Fuse/ActiveMQ via JMS. The application itself runs within Weblogic and we use a resource adapter for communicating with Fuse/ActiveMQ. This mechanism works fine against Apache ActiveMQ 5.9.0 with an activemq.xml file configured for restricting temporary destinations to selected roles (like client or myrole Role). However, when using the same restrictions in the activemq.xml configuration on JBoss-AMQ, we get an error message that the user is not authorized to create a temp-queue. When the configuration for restricting the temporary queues is removed from the activemq.xml file, the creation of temporary queues works fine.
Resolution
Upgrade to JBoss Fuse 6.0 - Rollup 2 Patch 2 or later.
As a workaround, don't specify an ACL for temp destinations. This implies that every authenticated user can create and use temp destinations.
For JBoss Fuse/A-MQ 6.1, the fix for ENTMQ-749 is delivered by "JBoss Fuse/A-MQ 6.1 Rollup 2 Patch 2".
Root Cause
This behavior in JBoss A-MQ 6.0 and 6.1 is a bug.
These bug reports capture the issue: ENTMQ-749 and AMQ-5304.
As per the bug report, the groupClass property is not correctly applied to the tempDestinationAuthorizationEntry.
This bug does not affect the ACL configuration of ordinary queues and topics; it only applies to temporary destinations.
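An added example (not part of the original article, and not Red Hat or ActiveMQ code): a small Python check that classifies each authorizationMap by its temp-destination ACL, so that both the configuration shape named in ENTMQ-749 / AMQ-5304 and the workaround state (no temp ACL, so every authenticated user can create and use temp destinations) show up in a configuration review. The function names, state labels and both sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the temp-destination part of the configuration from the Issue section.
PAGE_CONFIG = """<authorizationPlugin><map>
<authorizationMap groupClass="org.apache.karaf.jaas.boot.principal.RolePrincipal">
  <authorizationEntries>
    <authorizationEntry queue=">" read="admin" write="client,admin" admin="client,admin"/>
  </authorizationEntries>
  <tempDestinationAuthorizationEntry>
    <tempDestinationAuthorizationEntry read="client,admin" write="client,admin"
      admin="admin" groupClass="org.apache.karaf.jaas.boot.principal.RolePrincipal"/>
  </tempDestinationAuthorizationEntry>
</authorizationMap></map></authorizationPlugin>"""

# Constructed sample: the same map with the workaround applied (temp ACL removed).
WORKAROUND_CONFIG = """<authorizationPlugin><map>
<authorizationMap groupClass="org.apache.karaf.jaas.boot.principal.RolePrincipal">
  <authorizationEntries>
    <authorizationEntry queue=">" read="admin" write="client,admin" admin="client,admin"/>
  </authorizationEntries>
</authorizationMap></map></authorizationPlugin>"""

ACL_ATTRS = ("read", "write", "admin")

def local(tag):
    """Drop the XML namespace so a namespaced activemq.xml matches too."""
    return tag.rsplit("}", 1)[-1]

def audit_temp_acl(xml_text):
    """Return one (state, roles) finding per temp-destination ACL or per map lacking one."""
    findings = []
    for amap in ET.fromstring(xml_text).iter():
        if local(amap.tag) != "authorizationMap":
            continue
        # Wrapper property and entry bean share a name; only the bean has ACL attributes.
        beans = [e for e in amap.iter()
                 if local(e.tag) == "tempDestinationAuthorizationEntry"
                 and any(a in e.attrib for a in ACL_ATTRS)]
        if not beans:
            # Workaround state: every authenticated user can create and use temp destinations.
            findings.append(("NO_TEMP_ACL", {}))
        for bean in beans:
            roles = {a: [r.strip() for r in bean.get(a, "").split(",") if r.strip()]
                     for a in ACL_ATTRS}
            # groupClass on the temp entry is the property the bug reports say is misapplied.
            state = "TEMP_ACL_WITH_GROUPCLASS" if bean.get("groupClass") else "TEMP_ACL"
            findings.append((state, roles))
    return findings

if __name__ == "__main__":
    for name, cfg in (("page config", PAGE_CONFIG), ("workaround", WORKAROUND_CONFIG)):
        print(name, audit_temp_acl(cfg))
```

A `NO_TEMP_ACL` finding on a broker that has since been patched is worth following up, since the temp-destination ACL can then be restored.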
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
