ActiveMQ Artemis / ARTEMIS-3339

Role Based Authorisation for JMX not working as expected


Details

    Description

      Hello,

      I tried to specify role based authorisation in management.xml for different addresses/queues (as instructed here):

      In Artemis profile config I gave hawtio role to the corresponding users:

      -Dhawtio.role=amq,auser,buser,cuser,duser

      The problem is that the authorisation is not working as expected, and only the FIRST "match domain" configuration is working fine.

      In my case, I tested with 4 sections as those in the screenshot above:

       <match domain="org.apache.activemq.artemis" key="address=a*">...

       <match domain="org.apache.activemq.artemis" key="address=b*">...

       <match domain="org.apache.activemq.artemis" key="address=c*">...

       <match domain="org.apache.activemq.artemis" key="address=d*">...

      When I log in using "auser" in the web console, I can invoke operations on addresses/queues starting with "a*", and not on the others, as I'd expect.

      But when I log in using some of the other users, for example, buser, I can still invoke operations on queues starting with "a", but not on the queues starting with "b*", as I'd expect (all operations are disabled, as in the screenshot below):

       

       

      It is interesting that, if I change the order of the sections in management.xml, for example as follows (so address "d*" is first):

       <match domain="org.apache.activemq.artemis" key="address=d*">...

       <match domain="org.apache.activemq.artemis" key="address=a*">...

       <match domain="org.apache.activemq.artemis" key="address=b*">...

       <match domain="org.apache.activemq.artemis" key="address=c*">...

      Then for "duser" that is authorized to work with "d*" queues it works as expected, but when I log in with auser, buser or cuser instead, again the same problem happens that all those users can invoke operations on "d*" queues, and not on the queues that they are expected to be authorized for.

      I attach all relevant configuration files for a reference.

       

      Regards,

      Ivan

       

       

       

      Attachments

        1. image-2021-06-09-23-22-51-886.png
          38 kB
          Ivan Trpkov
        2. image-2021-06-09-23-29-49-670.png
          38 kB
          Ivan Trpkov
        3. security-settings.xml
          4 kB
          Ivan Trpkov
        4. artemis-roles.properties
          0.1 kB
          Ivan Trpkov
        5. artemis-users.properties
          1 kB
          Ivan Trpkov
        6. broker.xml
          7 kB
          Ivan Trpkov
        7. address-settings.xml
          2 kB
          Ivan Trpkov
        8. artemis.profile.cmd
          3 kB
          Ivan Trpkov
        9. addresses.xml
          2 kB
          Ivan Trpkov
        10. management.xml
          3 kB
          Ivan Trpkov

            People

              brusdev Domenico Francesco Bruscino
              ivantr5 Ivan Trpkov