User: Bob does not have permission='CREATE_DURABLE_QUEUE' for queue bob.test/test/signal/abc on address test/signal/abc

Question

I have configured the ActiveMQ Artemis broker.xml file so that one user (Alice) will create the address/queue in Artemis with the MQTT protocol. Alice's role is configured such that it can create addresses/queues/send/consume.

And the other user (Bob) will only consume/send messages in that queue. Bob's role is configured such that it can only send and consume from topics.

But I am getting the exception below while doing the following:

  1. Publishing to a topic using Alice
  2. Subscribing to the same topic using Bob

Also getting the same exception when doing the following:

  1. Subscribing to a topic using Alice
  2. Subscribing to the same topic using Bob

Error processing Control Packet, Disconnecting Client: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ229213: User: bob123 does not have permission='CREATE_DURABLE_QUEUE' for queue bob.test/test/signal/abc on address test/signal/abc]

broker.xml:

<security-settings>
   <security-setting match="test/signal/#">
      <permission roles="amq,alice-user" type="createDurableQueue"/>
      <permission roles="amq,alice-user" type="deleteDurableQueue"/>
      <permission roles="amq,alice-user" type="createAddress"/>
      <permission roles="amq,alice-user" type="deleteAddress"/>
      <permission roles="amq,alice-user,bob-user" type="send"/>
      <permission roles="amq,alice-user,bob-user" type="consume"/>
      <permission roles="amq,alice-user,bob-user" type="browse"/>
      <permission type="manage" roles="amq,alice-user,bob-user"/>
   </security-setting>
</security-settings>

<address-settings>
   <address-setting match="test/signal/#">
      <default-exclusive-queue>true</default-exclusive-queue>
      <max-size-bytes>-1</max-size-bytes>
      <page-size-bytes>10485760</page-size-bytes>
      <address-full-policy>BLOCK</address-full-policy>
      <slow-consumer-threshold>1</slow-consumer-threshold>
      <slow-consumer-policy>KILL</slow-consumer-policy>
      <slow-consumer-check-period>5</slow-consumer-check-period>
      <default-purge-on-no-consumers>true</default-purge-on-no-consumers>
      <default-max-consumers>1</default-max-consumers>
      <auto-create-addresses>true</auto-create-addresses>
      <auto-delete-addresses>true</auto-delete-addresses>
      <default-address-routing-type>ANYCAST</default-address-routing-type>
      <auto-create-queues>true</auto-create-queues>
      <auto-delete-queues>true</auto-delete-queues>
   </address-setting>
</address-settings>

Answer 1

Score: 2

In order to create a subscription on the destination the user must have permission to create a queue. The queue is the subscription on the broker. You haven't given bob123 this permission so the broker won't allow it.

Also, since you're using the MQTT syntax for destinations (which uses the / character) then you need to configure the broker to use this as the delimiter character so your matches will actually work for your security-setting and address-setting, e.g.:

<wildcard-addresses>
   <delimiter>/</delimiter>
</wildcard-addresses>
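
The answer's two changes applied to the question's broker.xml, as an added example that is not part of the original answer: bob-user is added to createDurableQueue, and the wildcard delimiter is set to /. Placement inside the <core> element is an assumption; every other line is carried over from the question.

```xml
<!-- Added example: fragments assumed to sit inside <core> of broker.xml -->

<!-- Make "/" the word delimiter so match="test/signal/#" is evaluated
     against MQTT-style names such as test/signal/abc -->
<wildcard-addresses>
   <delimiter>/</delimiter>
</wildcard-addresses>

<security-settings>
   <security-setting match="test/signal/#">
      <!-- Changed: bob-user added. Bob's subscription is a queue
           (bob.test/test/signal/abc in the error message), so subscribing
           is checked against createDurableQueue -->
      <permission roles="amq,alice-user,bob-user" type="createDurableQueue"/>

      <!-- Unchanged: only Alice's role may delete queues or
           create and delete addresses -->
      <permission roles="amq,alice-user" type="deleteDurableQueue"/>
      <permission roles="amq,alice-user" type="createAddress"/>
      <permission roles="amq,alice-user" type="deleteAddress"/>

      <!-- Unchanged from the question -->
      <permission roles="amq,alice-user,bob-user" type="send"/>
      <permission roles="amq,alice-user,bob-user" type="consume"/>
      <permission roles="amq,alice-user,bob-user" type="browse"/>
      <permission type="manage" roles="amq,alice-user,bob-user"/>
   </security-setting>
</security-settings>
```

Bob still lacks createAddress, so with this configuration his subscription is only accepted once Alice's publish or subscribe has created the address. The manage grant to bob-user is kept exactly as posted; if Bob only needs to send and consume, removing bob-user from that line narrows his role further.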

huangapple
  • Published on January 7, 2020, 01:43:27
  • When reposting, be sure to keep the link to this article: https://go.coder-hub.com/59616617.html