
Commit 0202f63

anmol-saxena-14jbertram
authored andcommitted
ARTEMIS-5949 Clarify manage permission in default broker.xml
1 parent f4695ef commit 0202f63

4 files changed

+67
-2
lines changed

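--- a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/broker.xml
+++ b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/broker.xml
@@ -117,8 +117,15 @@ ${cluster-security.settings}${cluster.settings}${replicated.settings}${shared-st
 <permission type="consume" roles="${role}"/>
 <permission type="browse" roles="${role}"/>
 <permission type="send" roles="${role}"/>
-<!-- we need this otherwise ./artemis data imp wouldn't work -->
+</security-setting>
+<security-setting match="activemq.management.#">
 <permission type="manage" roles="${role}"/>
+<permission type="createNonDurableQueue" roles="${role}"/>
+<permission type="deleteNonDurableQueue" roles="${role}"/>
+<permission type="createAddress" roles="${role}"/>
+<permission type="deleteAddress" roles="${role}"/>
+<permission type="consume" roles="${role}"/>
+<permission type="send" roles="${role}"/>
 </security-setting>
 </security-settings>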
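Review bot: The new `activemq.management.#` block carries no comment, and the only rationale the template had for `manage` (the `./artemis data imp` remark) is deleted with it, so a reader of the generated broker.xml cannot tell why six further permissions are granted on the management address or whether any can be dropped. I would add a comment above the new `<security-setting>` along the lines of `<!-- manage is granted only on the management address; the remaining permissions support management request/reply -->`, with the wording checked against what the data import and management clients actually need. The match string is also a literal, so if an operator sets a non-default `management-address` this block presumably stops applying and that address falls back to `#`, which no longer grants `manage`; that is worth one sentence in the same comment. The same applies to the identical blocks added in artemis-features/src/main/resources/artemis.xml and in the jmx-rbac-broker-security broker.xml.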

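--- a/artemis-cli/src/test/java/org/apache/activemq/cli/test/ArtemisTest.java
+++ b/artemis-cli/src/test/java/org/apache/activemq/cli/test/ArtemisTest.java
@@ -44,8 +44,11 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.regex.Pattern;
 
+import org.apache.activemq.artemis.core.security.Role;
+
 import org.apache.activemq.artemis.api.config.ActiveMQDefaultConfiguration;
 import org.apache.activemq.artemis.api.core.ActiveMQIllegalStateException;
 import org.apache.activemq.artemis.api.core.JsonUtil;
@@ -2380,6 +2383,46 @@ public String getPropertyTwo() {
 }
 }
 
+@Test
+@Timeout(60)
+public void testDefaultSecuritySettings() throws Exception {
+FileConfiguration configuration = createFileConfiguration(getTestMethodName(),
+"--silent", "--no-web", "--no-autotune");
+
+Map<String, Set<Role>> securityRoles = configuration.getSecurityRoles();
+
+// wildcard match should have all permissions except manage
+Set<Role> wildcardRoles = securityRoles.get("#");
+assertNotNull(wildcardRoles, "Expected security-setting for '#'");
+assertEquals(1, wildcardRoles.size());
+Role wildcardRole = wildcardRoles.iterator().next();
+assertEquals("amq", wildcardRole.getName());
+assertTrue(wildcardRole.isSend());
+assertTrue(wildcardRole.isConsume());
+assertTrue(wildcardRole.isBrowse());
+assertTrue(wildcardRole.isCreateDurableQueue());
+assertTrue(wildcardRole.isDeleteDurableQueue());
+assertTrue(wildcardRole.isCreateNonDurableQueue());
+assertTrue(wildcardRole.isDeleteNonDurableQueue());
+assertTrue(wildcardRole.isCreateAddress());
+assertTrue(wildcardRole.isDeleteAddress());
+assertFalse(wildcardRole.isManage(), "manage permission must not be on the wildcard '#' address");
+
+// management address match should have manage plus supporting permissions
+Set<Role> mgmtRoles = securityRoles.get("activemq.management.#");
+assertNotNull(mgmtRoles, "Expected security-setting for 'activemq.management.#'");
+assertEquals(1, mgmtRoles.size());
+Role mgmtRole = mgmtRoles.iterator().next();
+assertEquals("amq", mgmtRole.getName());
+assertTrue(mgmtRole.isManage());
+assertTrue(mgmtRole.isSend());
+assertTrue(mgmtRole.isConsume());
+assertTrue(mgmtRole.isCreateNonDurableQueue());
+assertTrue(mgmtRole.isDeleteNonDurableQueue());
+assertTrue(mgmtRole.isCreateAddress());
+assertTrue(mgmtRole.isDeleteAddress());
+}
+
 private static File newFolder(File root, String subFolder) throws IOException {
 File result = new File(root, subFolder);
 if (!result.mkdirs()) {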
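Review bot: The `activemq.management.#` half of `testDefaultSecuritySettings` asserts only the permissions that are granted, so a later template edit that widens that match would still pass. The wildcard half pins its boundary with `assertFalse(wildcardRole.isManage(), ...)`; the management half should do the same for the three permissions the template leaves out, after the last `assertTrue`: `assertFalse(mgmtRole.isBrowse());`, `assertFalse(mgmtRole.isCreateDurableQueue());` and `assertFalse(mgmtRole.isDeleteDurableQueue());`. This assumes `Role` reports each permission independently, which the separate getters suggest but the hunk does not show. The test also reads the raw match map only, so it does not show which roles the broker resolves for a concrete management address; a comment saying so would keep readers from over-trusting it.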

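--- a/artemis-features/src/main/resources/artemis.xml
+++ b/artemis-features/src/main/resources/artemis.xml
@@ -144,8 +144,15 @@ under the License.
 <permission type="consume" roles="manager"/>
 <permission type="browse" roles="manager"/>
 <permission type="send" roles="manager"/>
-<!-- we need this otherwise ./artemis data imp wouldn't work -->
+</security-setting>
+<security-setting match="activemq.management.#">
 <permission type="manage" roles="manager"/>
+<permission type="createNonDurableQueue" roles="manager"/>
+<permission type="deleteNonDurableQueue" roles="manager"/>
+<permission type="createAddress" roles="manager"/>
+<permission type="deleteAddress" roles="manager"/>
+<permission type="consume" roles="manager"/>
+<permission type="send" roles="manager"/>
 </security-setting>
 </security-settings>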

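--- a/tests/smoke-tests/src/main/resources/servers/jmx-rbac-broker-security/broker.xml
+++ b/tests/smoke-tests/src/main/resources/servers/jmx-rbac-broker-security/broker.xml
@@ -70,7 +70,15 @@ under the License.
 <permission type="consume" roles="amq"/>
 <permission type="browse" roles="amq"/>
 <permission type="send" roles="amq"/>
+</security-setting>
+<security-setting match="activemq.management.#">
 <permission type="manage" roles="amq"/>
+<permission type="createNonDurableQueue" roles="amq"/>
+<permission type="deleteNonDurableQueue" roles="amq"/>
+<permission type="createAddress" roles="amq"/>
+<permission type="deleteAddress" roles="amq"/>
+<permission type="consume" roles="amq"/>
+<permission type="send" roles="amq"/>
 </security-setting>
 
 <!-- settings for jmx MBean access to management operations -->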
