  1. ActiveMQ Artemis
  2. ARTEMIS-990

AMQ119032: User: Customer does not have permission='CREATE_DURABLE_QUEUE' on address $sys.mqtt.queue.qos2


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.3
    • Fix Version/s: 1.5.5, 2.0.0
    • Component/s: MQTT
    • Labels:
      None
    • Environment:

      RHEL 7

      Description

      Hello Guys,

      We are experiencing this issue with MQTT,

      Our issue : AMQ119032: User: Customer does not have permission='CREATE_DURABLE_QUEUE' on address $sys.mqtt.queue.qos2.0a971d7ad7de58aea7c0

      MQTTBasicPubSubExample.java
      package com.mycompany.mqtt;
      
      import java.nio.charset.StandardCharsets;
      import java.security.SecureRandom;
      import java.security.cert.CertificateException;
      import java.security.cert.X509Certificate;
      import java.util.concurrent.TimeUnit;
      
      import javax.net.ssl.KeyManager;
      import javax.net.ssl.SSLContext;
      import javax.net.ssl.TrustManager;
      import javax.net.ssl.X509TrustManager;
      
      import org.fusesource.hawtbuf.UTF8Buffer;
      import org.fusesource.mqtt.client.BlockingConnection;
      import org.fusesource.mqtt.client.MQTT;
      import org.fusesource.mqtt.client.Message;
      import org.fusesource.mqtt.client.QoS;
      import org.fusesource.mqtt.client.Topic;
      
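      /**
       * A simple MQTT publish and subscribe example, posted as the reproducer for AMQ119032.
       *
       * <p>Connects to {@code ssl://localhost:1883} as user {@code Customer}, subscribes to
       * {@code digital/test/data}, publishes one message to that topic and prints the message it
       * receives back.
       *
       * <p>The user name and password are literals because this is a bug-report reproducer. They were
       * published together with the report, so treat them as disclosed; a real client should read its
       * credentials from configuration or a secret store instead of source code.
       */
      public class MQTTBasicPubSubExample {

         /** Topic used for both the subscription and the publish. */
         private static final String TOPIC = "digital/test/data";

         /** How long to wait for the published message to come back, in seconds. */
         private static final long RECEIVE_TIMEOUT_SECONDS = 5;

         /**
          * Runs the connect / subscribe / publish / receive sequence once.
          *
          * @param args unused
          * @throws Exception if connecting, subscribing, publishing or receiving fails
          */
         public static void main(final String[] args) throws Exception {
            // Create a new MQTT connection to the broker.  We are not setting the client ID.  The broker will pick one for us.
            System.out.println("Connecting to Artemis using MQTT");
            MQTT mqtt = new MQTT();
            mqtt.setConnectAttemptsMax(2);
            mqtt.setReconnectAttemptsMax(1);

            // Reproducer credentials only (see class comment).
            mqtt.setUserName("Customer");
            mqtt.setPassword("customerpwd");

            // The ssl:// scheme is used without any call to setSslContext, and the SSLContext /
            // X509TrustManager imports of this file are unused in this listing.
            // NOTE(review): the broker certificate should be trusted through the JVM trust store;
            // do not work around handshake failures with a TrustManager that accepts every certificate.
            mqtt.setHost("ssl://localhost:1883");
            BlockingConnection connection = mqtt.blockingConnection();
            connection.connect();
            System.out.println("Connected to Artemis");

            // From here on the connection is open: always disconnect, even when a step below throws.
            try {
               // Subscribe to topics
               Topic[] topics = {new Topic(TOPIC, QoS.AT_LEAST_ONCE)};
               System.out.println("start subscribe");
               connection.subscribe(topics);
               System.out.println("end subscribe");

               System.out.println("Subscribed to topics.");

               // Publish Messages
               String payload4 = "This is message 4";

               System.out.println("start publish");
               // Encode with an explicit charset so the bytes do not depend on the platform default.
               connection.publish(TOPIC, payload4.getBytes(StandardCharsets.UTF_8), QoS.AT_MOST_ONCE, false);
               System.out.println("end publish");
               System.out.println("Sent messages.");

               // receive(timeout) yields null when nothing arrives in time; the original code
               // dereferenced the result unconditionally and would fail with a NullPointerException.
               Message message4 = connection.receive(RECEIVE_TIMEOUT_SECONDS, TimeUnit.SECONDS);
               if (message4 == null) {
                  System.out.println("No message received within " + RECEIVE_TIMEOUT_SECONDS + " seconds.");
               } else {
                  System.out.println("Received messages.");
                  System.out.println(new String(message4.getPayload(), StandardCharsets.UTF_8));
                  message4.ack();
               }
            } finally {
               connection.disconnect();
            }
         }
      }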
      
      
      broker.xml
      <?xml version='1.0'?>
      <!--
      Licensed to the Apache Software Foundation (ASF) under one
      or more contributor license agreements.  See the NOTICE file
      distributed with this work for additional information
      regarding copyright ownership.  The ASF licenses this file
      to you under the Apache License, Version 2.0 (the
      "License"); you may not use this file except in compliance
      with the License.  You may obtain a copy of the License at
      
        http://www.apache.org/licenses/LICENSE-2.0
      
      Unless required by applicable law or agreed to in writing,
      software distributed under the License is distributed on an
      "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
      KIND, either express or implied.  See the License for the
      specific language governing permissions and limitations
      under the License.
      -->
      
      <configuration xmlns="urn:activemq"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     xsi:schemaLocation="urn:activemq /schema/artemis-configuration.xsd">
      
         <jms xmlns="urn:activemq:jms">
            <queue name="DLQ"/>
            <queue name="ExpiryQueue"/>
      
         </jms>
      
         <core xmlns="urn:activemq:core">
      
            <name>localhost</name>
      
            <persistence-enabled>true</persistence-enabled>
      
            <!-- this could be ASYNCIO or NIO
             -->
            <journal-type>ASYNCIO</journal-type>
      
            <paging-directory>/artemis/datas/paging</paging-directory>
      
            <bindings-directory>/artemis/datas/bindings</bindings-directory>
      
            <journal-directory>/artemis/datas/journal</journal-directory>
      
            <large-messages-directory>/artemis/datas/large-messages</large-messages-directory>
      
            <journal-datasync>true</journal-datasync>
      
            <journal-min-files>2</journal-min-files>
      
            <journal-pool-files>-1</journal-pool-files>
      
            <!--
              You can specify the NIC you want to use to verify if the network
               <network-check-NIC>theNickName</network-check-NIC>
              -->
      
            <!--
              Use this to use an HTTP server to validate the network
               <network-check-URL-list>http://www.apache.org</network-check-URL-list> -->
      
            <!-- <network-check-period>10000</network-check-period> -->
            <!-- <network-check-timeout>1000</network-check-timeout> -->
      
            <!-- this is a comma separated list, no spaces, just DNS or IPs
                 it should accept IPV6
      
                 Warning: Make sure you understand your network topology as this is meant to validate if your network is valid.
                          Using IPs that could eventually disappear or be partially visible may defeat the purpose.
                          You can use a list of multiple IPs, and if any successful ping will make the server OK to continue running -->
            <!-- <network-check-list>10.0.0.1</network-check-list> -->
      
            <!-- use this to customize the ping used for ipv4 addresses -->
            <!-- <network-check-ping-command>ping -c 1 -t %d %s</network-check-ping-command> -->
      
            <!-- use this to customize the ping used for ipv6 addresses -->
            <!-- <network-check-ping6-command>ping6 -c 1 %2$s</network-check-ping6-command> -->
            <!--
             This value was determined through a calculation.
             Your system could perform 1 writes per millisecond
             on the current journal configuration.
             That translates as a sync write every 1004000 nanoseconds
            -->
            <journal-buffer-timeout>1004000</journal-buffer-timeout>
      
          <connectors>
              <!-- Connector used to be announced through cluster connections and notifications -->
              <connector name="artemis">tcp://localhost:61616</connector>
          </connectors>
      
          <ha-policy>
            <shared-store>
              <master>
                 <failover-on-shutdown>true</failover-on-shutdown>
              </master>
            </shared-store>
          </ha-policy>
      
            <!-- how often we are looking for how many bytes are being used on the disk in ms -->
            <disk-scan-period>5000</disk-scan-period>
      
            <!-- once the disk hits this limit the system will block, or close the connection in certain protocols
                 that won't support flow control. -->
            <max-disk-usage>90</max-disk-usage>
      
            <!-- the system will enter into page mode once you hit this limit.
                 This is an estimate in bytes of how much the messages are using in memory -->
            <global-max-size>104857600</global-max-size>
      
            <!-- Network listeners. Every acceptor below binds to localhost. Only the mqtt acceptor sets
                 sslEnabled; the others carry no TLS options in their URLs. -->
            <acceptors>
               <!-- Acceptor for every supported protocol -->
               <!-- NOTE(review): this acceptor also lists MQTT and sets no sslEnabled, so an MQTT client that
                    reaches port 61616 connects without TLS even though the dedicated mqtt acceptor requires it.
                    Remove MQTT from this protocol list if MQTT traffic is meant to be TLS only. -->
               <acceptor name="artemis">tcp://localhost:61616?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE</acceptor>
      
               <!-- AMQP Acceptor.  Listens on default AMQP port for AMQP traffic.-->
               <acceptor name="amqp">tcp://localhost:5672?protocols=AMQP</acceptor>
      
               <!-- STOMP Acceptor. -->
               <acceptor name="stomp">tcp://localhost:61613?protocols=STOMP</acceptor>
      
               <!-- HornetQ Compatibility Acceptor.  Enables HornetQ Core and STOMP for legacy HornetQ clients. -->
               <acceptor name="hornetq">tcp://localhost:5445?protocols=HORNETQ,STOMP</acceptor>
      
               <!-- MQTT Acceptor -->
               <!-- TLS is enabled here on port 1883, which is conventionally the plaintext MQTT port (8883 is
                    the usual TLS port); the reproducer client connects with ssl://localhost:1883 to match.
                    keyStorePassword is written in clear text inside this URL and was published with the
                    report: treat it as disclosed, rotate it, and restrict read access to broker.xml.
                    NOTE(review): Artemis offers password masking for configuration values; check the
                    documentation of the deployed version for the supported form. -->
      		 <acceptor name="mqtt">tcp://localhost:1883?protocols=MQTT;sslEnabled=true;keyStorePath=/artemis/brokers/certificats/keystore.jks;keyStorePassword=artemispwd</acceptor>
            </acceptors>
      
            <!-- Credentials that cluster nodes present to each other. As posted, the password is identical to
                 the user name and is stored in clear text; it was also published with this report. Use a
                 strong, unique value and keep it out of shared configuration excerpts. -->
            <cluster-user>AdminCluster</cluster-user>
      
            <cluster-password>AdminCluster</cluster-password>
      
            <broadcast-groups>
               <broadcast-group name="bg-group1">
                  <group-address>231.7.7.7</group-address>
                  <group-port>9876</group-port>
                  <broadcast-period>5000</broadcast-period>
                  <connector-ref>artemis</connector-ref>
               </broadcast-group>
            </broadcast-groups>
      
            <discovery-groups>
               <discovery-group name="dg-group1">
                  <group-address>231.7.7.7</group-address>
                  <group-port>9876</group-port>
                  <refresh-timeout>10000</refresh-timeout>
               </discovery-group>
            </discovery-groups>
      
            <cluster-connections>
               <cluster-connection name="my-cluster">
                  <address>jms</address>
                  <connector-ref>artemis</connector-ref>
                  <message-load-balancing>ON_DEMAND</message-load-balancing>
                  <max-hops>0</max-hops>
                  <discovery-group-ref discovery-group-name="dg-group1"/>
               </cluster-connection>
            </cluster-connections>
      
            <security-enabled>true</security-enabled>
      
            <!-- Address permissions, as posted in the report.
                 NOTE(review): this section is not well-formed XML as shown. The "send" permission line and
                 the closing tag of the first security-setting both end with a comment terminator that has no
                 matching opener. Presumably the catch-all "#" block was meant to be commented out and the
                 markup was damaged when the report was rendered; confirm against the real file.
                 If the "#" block is inactive, the only effective rule is "digital.test.#", which grants
                 nothing but "send" to role Client. No rule then grants createDurableQueue on the address
                 $sys.mqtt.queue.qos2.(id) that the broker log shows being created on behalf of the connecting
                 user, which matches the AMQ119032 rejection for user Customer. The roles assigned to
                 Customer are not shown on this page.
                 On an affected version, prefer a narrowly scoped rule for the $sys.mqtt prefix over widening
                 "#"; the issue lists 1.5.5 and 2.0.0 as fix versions. -->
            <security-settings>
               <!-- Catch-all rule: every permission type for role Digital, including "manage". -->
               <security-setting match="#">
                  <permission type="createNonDurableQueue" roles="Digital"/>
                  <permission type="deleteNonDurableQueue" roles="Digital"/>
                  <permission type="createDurableQueue" roles="Digital"/>
                  <permission type="deleteDurableQueue" roles="Digital"/>
                  <permission type="consume" roles="Digital"/>
                  <permission type="browse" roles="Digital"/>
                  <permission type="send" roles="Digital"/-->
                  <!-- we need this otherwise ./artemis data imp wouldn't work -->
                  <permission type="manage" roles="Digital"/>
               </security-setting-->
               <!-- Rule for the application topic: only "send" is active, for role Client. The consume,
                    browse, queue-creation and manage entries are commented out, so a subscriber in this role
                    has no consume right on digital.test.# from this rule. -->
      	 <security-setting match="digital.test.#">
                  <!-- permission type="createNonDurableQueue" roles="Commerce"/-->
                  <!--permission type="deleteNonDurableQueue" roles="digital,Commerce"/-->
                  <!--permission type="createDurableQueue" roles="Commerce"/-->
                  <!--permission type="deleteDurableQueue" roles="digital,Commerce"/-->
      			<!-- permission type="consume" roles="Commerce"/-->
                  <!-- permission type="browse" roles="Commerce"/-->
                  <permission type="send" roles="Client"/>
                  <!-- permission type="manage" roles="Commerce" /-->
               </security-setting>
            </security-settings>
      
      
      <queues>
         <queue name="digital.test.data">
            <durable>true</durable>
          </queue>
      </queues>
      
      
            <address-settings>
               <!--default for catch all-->
               <address-setting match="#">
                  <dead-letter-address>jms.queue.DLQ</dead-letter-address>
                  <expiry-address>jms.queue.ExpiryQueue</expiry-address>
                  <redelivery-delay>0</redelivery-delay>
                  <!-- with -1 only the global-max-size is in use for limiting -->
                  <max-size-bytes>-1</max-size-bytes>
                  <message-counter-history-day-limit>1</message-counter-history-day-limit>
                  <address-full-policy>PAGE</address-full-policy>
                  <expiry-delay>10</expiry-delay>
               </address-setting>
            </address-settings>
         </core>
      </configuration>
      
      Issue on the client side
      Exception in thread "main" java.io.EOFException: Peer disconnected
      	at org.fusesource.hawtdispatch.transport.AbstractProtocolCodec.read(AbstractProtocolCodec.java:331)
      	at org.fusesource.hawtdispatch.transport.TcpTransport.drainInbound(TcpTransport.java:710)
      	at org.fusesource.hawtdispatch.transport.TcpTransport$6.run(TcpTransport.java:592)
      	at org.fusesource.hawtdispatch.internal.NioDispatchSource$3.run(NioDispatchSource.java:209)
      	at org.fusesource.hawtdispatch.internal.SerialDispatchQueue.run(SerialDispatchQueue.java:100)
      	at org.fusesource.hawtdispatch.internal.pool.SimpleThread.run(SimpleThread.java:77)
      
      artemis log file extract
      10:13:37,116 DEBUG [org.apache.activemq.artemis.core.postoffice.impl.PostOfficeImpl] Couldn't find any bindings for address=activemq.notifications on message=ServerMessage[messageID=234572,durable=true,userID=null,priority=0, bodySize=512, timestamp=0,expiration=Thu Feb 23 10:13:37 CET 2017, durable=true, address=activemq.notifications,properties=TypedProperties[_AMQ_User=Customer,_AMQ_Address=$sys.mqtt.queue.qos2.0a971d7ad7de58aea7c0,_AMQ_NotifType=SECURITY_PERMISSION_VIOLATION,_AMQ_NotifTimestamp=1487841217116,_AMQ_CheckType=CREATE_DURABLE_QUEUE]]@1241929264
      10:13:37,116 DEBUG [org.apache.activemq.artemis.core.postoffice.impl.PostOfficeImpl] Message ServerMessage[messageID=234572,durable=true,userID=null,priority=0, bodySize=512, timestamp=0,expiration=Thu Feb 23 10:13:37 CET 2017, durable=true, address=activemq.notifications,properties=TypedProperties[_AMQ_User=Customer,_AMQ_Address=$sys.mqtt.queue.qos2.0a971d7ad7de58aea7c0,_AMQ_NotifType=SECURITY_PERMISSION_VIOLATION,_AMQ_NotifTimestamp=1487841217116,_AMQ_CheckType=CREATE_DURABLE_QUEUE]]@1241929264 is not going anywhere as it didn't have a binding on address:activemq.notifications
      10:13:37,116 DEBUG [org.apache.activemq.artemis.core.protocol.mqtt] Error processing Control Packet, Disconnecting Client: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ119032: User: Customer does not have permission='CREATE_DURABLE_QUEUE' on address $sys.mqtt.queue.qos2.0a971d7ad7de58aea7c0]
              at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:201) [artemis-server-1.5.2.jar:1.5.2]
              at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.securityCheck(ServerSessionImpl.java:401) [artemis-server-1.5.2.jar:1.5.2]
              at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.createQueue(ServerSessionImpl.java:506) [artemis-server-1.5.2.jar:1.5.2]
              at org.apache.activemq.artemis.core.protocol.mqtt.MQTTPublishManager.createManagementQueue(MQTTPublishManager.java:92) [artemis-mqtt-protocol-1.5.2.jar:]
              at org.apache.activemq.artemis.core.protocol.mqtt.MQTTPublishManager.start(MQTTPublishManager.java:65) [artemis-mqtt-protocol-1.5.2.jar:]
              at org.apache.activemq.artemis.core.protocol.mqtt.MQTTSession.start(MQTTSession.java:71) [artemis-mqtt-protocol-1.5.2.jar:]
              at org.apache.activemq.artemis.core.protocol.mqtt.MQTTConnectionManager.connect(MQTTConnectionManager.java:83) [artemis-mqtt-protocol-1.5.2.jar:]
              at org.apache.activemq.artemis.core.protocol.mqtt.MQTTProtocolHandler.handleConnect(MQTTProtocolHandler.java:163) [artemis-mqtt-protocol-1.5.2.jar:]
              at org.apache.activemq.artemis.core.protocol.mqtt.MQTTProtocolHandler.channelRead(MQTTProtocolHandler.java:103) [artemis-mqtt-protocol-1.5.2.jar:]
              at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:372) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:358) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:350) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:293) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:267) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:372) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:358) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:350) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at io.netty.handler.codec.ByteToMessageDecoder.handlerRemoved(ByteToMessageDecoder.java:219) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at io.netty.channel.DefaultChannelPipeline.callHandlerRemoved0(DefaultChannelPipeline.java:631) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at io.netty.channel.DefaultChannelPipeline.remove(DefaultChannelPipeline.java:468) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at io.netty.channel.DefaultChannelPipeline.remove(DefaultChannelPipeline.java:428) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at org.apache.activemq.artemis.core.protocol.ProtocolHandler$ProtocolDecoder.decode(ProtocolHandler.java:186) [artemis-server-1.5.2.jar:1.5.2]
              at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at org.apache.activemq.artemis.core.protocol.ProtocolHandler$ProtocolDecoder.channelRead(ProtocolHandler.java:129) [artemis-server-1.5.2.jar:1.5.2]
              at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:372) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:358) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:350) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:372) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:358) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:129) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:610) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:551) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:465) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:437) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:873) [netty-all-4.1.5.Final.jar:4.1.5.Final]
              at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_91]
      


              People

              • Assignee:
                martyntaylor Martyn Taylor
                Reporter:
                Galactico Himer MARTINEZ