User: Bob does not have permission='CREATE_DURABLE_QUEUE' for queue bob.test/test/signal/abc on address test/signal/abc
Question
I have configured the ActiveMQ Artemis broker.xml file in a way so that one user (Alice) will create the address/queue in Artemis with the MQTT protocol. Alice's role is configured such that it can create addresses/queues/send/consume.
And the other user (Bob) will only consume/send messages in that queue. Bob's role is configured such that it can only send and consume from topics.
But I am getting the exceptions below when doing the following:
- Publishing to a topic using Alice
- Subscribing to the same topic using Bob
Also getting the same exception when doing the following:
- Subscribing to a topic using Alice
- Subscribing to the same topic using Bob
Error processing Control Packet, Disconnecting Client: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ229213: User: bob123 does not have permission='CREATE_DURABLE_QUEUE' for queue bob.test/test/signal/abc on address test/signal/abc]
broker.xml:
<security-settings>
  <security-setting match="test/signal/#">
    <permission roles="amq,alice-user" type="createDurableQueue"/>
    <permission roles="amq,alice-user" type="deleteDurableQueue"/>
    <permission roles="amq,alice-user" type="createAddress"/>
    <permission roles="amq,alice-user" type="deleteAddress"/>
    <permission roles="amq,alice-user,bob-user" type="send"/>
    <permission roles="amq,alice-user,bob-user" type="consume"/>
    <permission roles="amq,alice-user,bob-user" type="browse"/>
    <permission type="manage" roles="amq,alice-user,bob-user"/>
  </security-setting>
</security-settings>
<address-settings>
  <address-setting match="test/signal/#">
    <default-exclusive-queue>true</default-exclusive-queue>
    <max-size-bytes>-1</max-size-bytes>
    <page-size-bytes>10485760</page-size-bytes>
    <address-full-policy>BLOCK</address-full-policy>
    <slow-consumer-threshold>1</slow-consumer-threshold>
    <slow-consumer-policy>KILL</slow-consumer-policy>
    <slow-consumer-check-period>5</slow-consumer-check-period>
    <default-purge-on-no-consumers>true</default-purge-on-no-consumers>
    <default-max-consumers>1</default-max-consumers>
    <auto-create-addresses>true</auto-create-addresses>
    <auto-delete-addresses>true</auto-delete-addresses>
    <default-address-routing-type>ANYCAST</default-address-routing-type>
    <auto-create-queues>true</auto-create-queues>
    <auto-delete-queues>true</auto-delete-queues>
  </address-setting>
</address-settings>
Answer 1
Score: 2
In order to create a subscription on the destination the user must have permission to create a queue. The queue is the subscription on the broker. You haven't given bob123 this permission so the broker won't allow it.
Also, since you're using the MQTT syntax for destinations (which uses the / character) then you need to configure the broker to use this as the delimiter character so your matches will actually work for your security-setting and address-setting, e.g.:
<wildcard-addresses>
  <delimiter>/</delimiter>
</wildcard-addresses>
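Added example (not part of the original answer and not Artemis project code): a small Python audit that checks a broker.xml for the two conditions the answer names, a role that can consume but cannot create its subscription queue, and a match written with / while the wildcard delimiter is something else. The two XML samples are constructed from the question's settings, and `local` and `audit` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the question's settings, then with the answer's changes.
QUESTION_XML = """<core>
 <security-settings><security-setting match="test/signal/#">
  <permission roles="amq,alice-user" type="createDurableQueue"/>
  <permission roles="amq,alice-user,bob-user" type="consume"/>
 </security-setting></security-settings>
</core>"""
FIXED_XML = """<core>
 <wildcard-addresses><delimiter>/</delimiter></wildcard-addresses>
 <security-settings><security-setting match="test/signal/#">
  <permission roles="amq,alice-user,bob-user" type="createDurableQueue"/>
  <permission roles="amq,alice-user,bob-user" type="consume"/>
 </security-setting></security-settings>
</core>"""

def local(el):
    """Tag name without the XML namespace a full broker.xml carries."""
    return el.tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return (match, kind, detail) findings for a broker.xml document."""
    root = ET.fromstring(xml_text)
    delimiter = "."  # Artemis default when no <delimiter> is configured
    for el in root.iter():
        if local(el) == "wildcard-addresses":
            for child in el:
                if local(child) == "delimiter" and child.text:
                    delimiter = child.text.strip()
    findings = []
    for setting in root.iter():
        if local(setting) != "security-setting":
            continue
        match = setting.get("match", "")
        if "/" in match and delimiter != "/":
            findings.append((match, "delimiter", f"match uses '/' but delimiter is '{delimiter}'"))
        granted = {}  # permission type -> set of roles
        for perm in setting:
            if local(perm) == "permission":
                roles = {r.strip() for r in perm.get("roles", "").split(",")}
                granted.setdefault(perm.get("type"), set()).update(roles - {""})
        # A subscription is a queue: consume without createDurableQueue -> AMQ229213.
        blocked = granted.get("consume", set()) - granted.get("createDurableQueue", set())
        for role in sorted(blocked):
            findings.append((match, "permission", f"{role} can consume but lacks createDurableQueue"))
    return findings

print(audit(QUESTION_XML), audit(FIXED_XML), sep="\n")
```

Granting bob-user createDurableQueue on test/signal/# lets that role create any queue under the match, so keep the match as narrow as the deployment allows.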