
List:       activemq-users
Subject:    Re: [artemis] Naming-Pattern for temporary "reply"-queues and exclusive permissions
From:       Justin Bertram <jbertram () apache ! org>
Date:       2018-03-27 16:02:14
Message-ID: CAF+kE=QBd=SO0xoS_qLiHHc5LHavzpFiZo+FFWQwLe2ipNfVHA () mail ! gmail ! com


I don't believe it would be possible to modify the name of a temporary
queue on the broker as the client is expecting the broker to use the name
it supplies. These names come from the various client implementations.  In
the case of the core JMS client the temporary queue name comes from
java.util.UUID#randomUUID.  In the case of the OpenWire JMS client the
temporary queue name comes from
org.apache.activemq.util.LongSequenceGenerator.  In the case of the Qpid
JMS client the temporary queue name comes from a combination of the
connection ID and a sequence number.  Each of these clients expects the
broker to create a queue according to the name it provides.  Modifying the
name on the broker side would break them (and any other client using
temporary queues from a different protocol).

For what it's worth, the temporary queue is the only kind of queue that a
JMS client can explicitly create on the broker physically.  The other
createQueue [1] and createTopic [2] methods simply create an object that
encapsulates the name of a queue. They do not create the physical queue on
the broker.  Therefore, if you turn off auto-creation and you're using JMS
clients then you shouldn't need to worry about clients creating
non-temporary non-durable queues.

Hope that helps.


Justin

[1]
https://docs.oracle.com/javaee/7/api/javax/jms/Session.html#createQueue-java.lang.String-
[2]
https://docs.oracle.com/javaee/7/api/javax/jms/Session.html#createTopic-java.lang.String-

On Tue, Mar 27, 2018 at 3:58 AM, Big Puritz <bigpuritz@gmail.com> wrote:

> Hi Justin,
>
> thank you for your reply.
>
> I am testing with a minimally modified version of the RequestReply example
> from the Artemis Repository. Minimally modified means that I test against a
> standalone, pre-configured Artemis instance (2.5.0).
>
> In the code the "request" message is sent to the *FOOBAR* queue with the
> user *mq_test* (role: *mq_tests*). Here are my settings:
>
> <security-setting match="FOOBAR.#">
>     <permission type="createNonDurableQueue" roles="mq_tests" />
>     <permission type="deleteNonDurableQueue" roles="mq_tests" />
>     <permission type="createDurableQueue" roles="mq_tests" />
>     <permission type="deleteDurableQueue" roles="mq_tests" />
>     <permission type="createAddress" roles="mq_tests" />
>     <permission type="deleteAddress" roles="mq_tests" />
>     <permission type="consume" roles="mq_tests" />
>     <permission type="browse" roles="mq_tests" />
>     <permission type="send" roles="mq_tests" />
>     <permission type="manage" roles="mq_tests" />
> </security-setting>
>
> <address-setting match="FOOBAR">
>     <dead-letter-address>FOOBAR._DLQ_</dead-letter-address>
>     <expiry-address>FOOBAR._EXPQ_</expiry-address>
>     <redelivery-delay>0</redelivery-delay>
>     <max-delivery-attempts>3</max-delivery-attempts>
>     <max-size-bytes>-1</max-size-bytes>
>     <message-counter-history-day-limit>10</message-counter-history-day-limit>
>     <address-full-policy>PAGE</address-full-policy>
>     <auto-create-queues>false</auto-create-queues>
>     <auto-create-addresses>false</auto-create-addresses>
>     <auto-delete-queues>false</auto-delete-queues>
>     <auto-delete-addresses>false</auto-delete-addresses>
> </address-setting>
>
> <address name="FOOBAR">
>     <anycast>
>         <queue name="FOOBAR" />
>     </anycast>
> </address>
> <address name="FOOBAR._DLQ_">
>     <anycast>
>         <queue name="FOOBAR._DLQ_" />
>     </anycast>
> </address>
> <address name="FOOBAR._EXPQ_">
>     <anycast>
>         <queue name="FOOBAR._EXPQ_" />
>     </anycast>
> </address>
>
>
> When trying to create a temporary queue, I get the following error message:
> User: mq_test does not have permission='CREATE_NON_DURABLE_QUEUE' for queue 382aa141-d0b7-4e59-82d4-c9f9f21326ae on address 382aa141-d0b7-4e59-82d4-c9f9f21326ae
>
>
> javax.jms.JMSSecurityException: AMQ119213: User: mq_test does not have permission='CREATE_NON_DURABLE_QUEUE' for queue 382aa141-d0b7-4e59-82d4-c9f9f21326ae on address 382aa141-d0b7-4e59-82d4-c9f9f21326ae
>     at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:409)
>     at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:319)
>     at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQSessionContext.createQueue(ActiveMQSessionContext.java:624)
>     at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.internalCreateQueue(ClientSessionImpl.java:1841)
>     at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.createTemporaryQueue(ClientSessionImpl.java:429)
>     at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.createTemporaryQueue(ClientSessionImpl.java:416)
>     at org.apache.activemq.artemis.jms.client.ActiveMQSession.createTemporaryQueue(ActiveMQSession.java:877)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.springframework.jms.connection.CachingConnectionFactory$CachedSessionInvocationHandler.invoke(CachingConnectionFactory.java:389)
>     at com.sun.proxy.$Proxy18.createTemporaryQueue(Unknown Source)
>     at de.finkonsens.geco.mila.nadien.client.test.RequestReplyExample.lambda$send$0(RequestReplyExample.java:65)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ119213: User: mq_test does not have permission='CREATE_NON_DURABLE_QUEUE' for queue 382aa141-d0b7-4e59-82d4-c9f9f21326ae on address 382aa141-d0b7-4e59-82d4-c9f9f21326ae]
>     ... 17 more
>
>
>
> The example works only after I modify the security settings configuration
> like this:
>
> <security-setting match="#">
>     <permission type="createNonDurableQueue" roles="mq_tests" />
>     <permission type="deleteNonDurableQueue" roles="mq_tests" />
>     <permission type="createDurableQueue" roles="mq_tests" />
>     <permission type="deleteDurableQueue" roles="mq_tests" />
>     <permission type="createAddress" roles="mq_tests" />
>     <permission type="deleteAddress" roles="mq_tests" />
>     <permission type="consume" roles="mq_tests" />
>     <permission type="browse" roles="mq_tests" />
>     <permission type="send" roles="mq_tests" />
>     <permission type="manage" roles="mq_tests" />
> </security-setting>
>
>
>
>
>
> On Mon, Mar 26, 2018 at 8:51 PM, Justin Bertram <jbertram@apache.org>
> wrote:
>
> > What protocol or API are you using for your request-reply work?  Off the
> > top of my head I wouldn't expect the auto-create attributes would need to
> > be true in order to create temporary queues.
> >
> >
> > Justin
> >
> > On Thu, Mar 22, 2018 at 11:29 AM, Big Puritz <bigpuritz@gmail.com> wrote:
> >
> > > Hello,
> > >
> > > as far as I can see, while using the "request-reply" pattern the broker
> > > creates a temporary "reply"-queue with the name according to the UUID
> > > naming pattern, e.g. ca8f4510-5e58-48e7-a4f0-55abf8a43d8e.
> > >
> > > To be able to create these queues the user is required to have an
> > > appropriate CREATE_NON_DURABLE_QUEUE permission.
> > >
> > > That can be achieved with the following configuration (please correct me if
> > > I'm wrong):
> > >
> > > <address-setting match="#">
> > >    ...
> > >    <auto-create-queues>true</auto-create-queues>
> > >    <auto-create-addresses>true</auto-create-addresses>
> > >    ...
> > > </address-setting>
> > >
> > > <security-setting match="#">
> > >    ...
> > >    <permission type="createNonDurableQueue" roles="..."/>
> > >    <permission type="deleteNonDurableQueue" roles="..."/>
> > >    ...
> > > </security-setting>
> > >
> > >
> > > However, this configuration makes creation of every non-durable queue
> > > possible, not only the temporary one.
> > >
> > > How can I limit the permissions to create temporary queues only? Is there
> > > any possibility to specify the naming-pattern for the temporary queues?
> > > E.g. "temp.<uuid>" or something like this.
> > >
> > > Thanks in advance.
> > >
> >
>
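
An added example (not part of the original messages and not Artemis project code): because temporary queue names are generated by the client and cannot carry a prefix, the permission to create them ends up on the catch-all `#` match, so this Python script audits a broker.xml for anything granted on `#` beyond that and for auto-creation left on there. The `ALLOWED` set, the exempt `admins` role and the sample XML are assumptions constructed for illustration; adjust them to your broker version and roles.

```python
import xml.etree.ElementTree as ET

# Assumption of this example: what a reply-queue user needs on the '#' match.
ALLOWED = {"createNonDurableQueue", "deleteNonDurableQueue", "consume", "send"}
AUTO_CREATE = {"auto-create-queues", "auto-create-addresses"}

# Constructed sample, modelled on the settings quoted in the thread.
SAMPLE = """<configuration xmlns="urn:activemq"><core xmlns="urn:activemq:core">
 <security-settings>
  <security-setting match="FOOBAR.#"><permission type="manage" roles="mq_tests"/></security-setting>
  <security-setting match="#">
   <permission type="createNonDurableQueue" roles="mq_tests"/>
   <permission type="createDurableQueue" roles="mq_tests, admins"/>
   <permission type="manage" roles="mq_tests"/>
  </security-setting>
 </security-settings>
 <address-settings>
  <address-setting match="#">
   <auto-create-queues>true</auto-create-queues>
   <auto-create-addresses>false</auto-create-addresses>
  </address-setting>
 </address-settings>
</core></configuration>"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on broker.xml tags."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text, exempt_roles=("admins",)):
    """Return findings for the catch-all ('#') security and address settings."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.get("match") != "#":
            continue  # specific matches such as FOOBAR.# are out of scope here
        if local(el.tag) == "security-setting":
            for perm in el:
                roles = {r.strip() for r in perm.get("roles", "").split(",")}
                roles -= set(exempt_roles) | {""}
                if roles and perm.get("type") not in ALLOWED:
                    findings.append(("excess-permission", perm.get("type"), sorted(roles)))
        elif local(el.tag) == "address-setting":
            for child in el:
                on = (child.text or "").strip().lower() == "true"
                if on and local(child.tag) in AUTO_CREATE:
                    findings.append(("auto-create-on", local(child.tag), []))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```
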

