[AMQ-5151] Incorrect authorization on virtual destination (wildcard) - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Not A Problem
Affects Version/s: 5.9.0, 5.9.1
Fix Version/s: None
Component/s: Broker
Labels:

Description

I'm trying to use authorizationPlugin with virtual destinations:

testTopic.group1
testTopic.group2

This is my authorizationEntries definition:

<authorizationEntry topic="testTopic.group1.>" write="admins" read="group1" admin="admins" />
<authorizationEntry topic="testTopic.group2.>" write="admins" read="group2" admin="admins" />
<authorizationEntry topic=">" write="admins" read="admins" admin="admins" />

When group1 tries to subscribe to testTopic.group2, I get an access denied: "User is not authorized to read from..."
Same when group2 access group1
However, if group1 subscribes to testTopic.> it will have access to everything

I tracked the issue down to DefaultAuthorizationMap, getReadACLs(ActiveMQDestination destination)

This method will combine the read ACL from the 2 sub-topic authorization entries and give access to destination "testTopic.>" to anyone in group1 or group2.

Am I doing something wrong?
Is this scenario supported by authorizationPlugin?

Thanks,
Alex

Attachments

Activity

People

Assignee:: Matt Pavlovich

Reporter:: Alexandre Pauzies

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 16/Apr/14 19:02

Updated:: 16/Feb/21 20:38

Resolved:: 16/Feb/21 20:38