(artemis) branch main updated: ARTEMIS-5949 Clarify manage permission in default broker.xml

Tue, 14 Apr 2026 07:32:49 -0700 

This is an automated email from the ASF dual-hosted git repository.

jbertram pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/artemis.git


The following commit(s) were added to refs/heads/main by this push:
     new 0202f631c8 ARTEMIS-5949 Clarify manage permission in default broker.xml
0202f631c8 is described below

commit 0202f631c878e12b14d0c5a95b66a18933e1f4e4
Author: Anmol Saxena <[email protected]>
AuthorDate: Thu Apr 9 23:01:12 2026 +0530

    ARTEMIS-5949 Clarify manage permission in default broker.xml
---
 .../activemq/artemis/cli/commands/etc/broker.xml   |  9 ++++-
 .../org/apache/activemq/cli/test/ArtemisTest.java  | 43 ++++++++++++++++++++++
 artemis-features/src/main/resources/artemis.xml    |  9 ++++-
 .../servers/jmx-rbac-broker-security/broker.xml    |  8 ++++
 4 files changed, 67 insertions(+), 2 deletions(-)

diff --git 
a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/broker.xml
 
b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/broker.xml
index b0659a995e..d088693034 100644
--- 
a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/broker.xml
+++ 
b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/broker.xml
@@ -117,8 +117,15 @@ 
${cluster-security.settings}${cluster.settings}${replicated.settings}${shared-st
             <permission type="consume" roles="${role}"/>
             <permission type="browse" roles="${role}"/>
             <permission type="send" roles="${role}"/>
-            <!-- we need this otherwise ./artemis data imp wouldn't work -->
+         </security-setting>
+         <security-setting match="activemq.management.#">
             <permission type="manage" roles="${role}"/>
+            <permission type="createNonDurableQueue" roles="${role}"/>
+            <permission type="deleteNonDurableQueue" roles="${role}"/>
+            <permission type="createAddress" roles="${role}"/>
+            <permission type="deleteAddress" roles="${role}"/>
+            <permission type="consume" roles="${role}"/>
+            <permission type="send" roles="${role}"/>
          </security-setting>
       </security-settings>
 
diff --git 
a/artemis-cli/src/test/java/org/apache/activemq/cli/test/ArtemisTest.java 
b/artemis-cli/src/test/java/org/apache/activemq/cli/test/ArtemisTest.java
index b8c606979a..82ff7bd58d 100644
--- a/artemis-cli/src/test/java/org/apache/activemq/cli/test/ArtemisTest.java
+++ b/artemis-cli/src/test/java/org/apache/activemq/cli/test/ArtemisTest.java
@@ -44,8 +44,11 @@ import java.nio.file.Paths;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.regex.Pattern;
 
+import org.apache.activemq.artemis.core.security.Role;
+
 import org.apache.activemq.artemis.api.config.ActiveMQDefaultConfiguration;
 import org.apache.activemq.artemis.api.core.ActiveMQIllegalStateException;
 import org.apache.activemq.artemis.api.core.JsonUtil;
@@ -2380,6 +2383,46 @@ public class ArtemisTest extends CliTestBase {
       }
    }
 
+   @Test
+   @Timeout(60)
+   public void testDefaultSecuritySettings() throws Exception {
+      FileConfiguration configuration = 
createFileConfiguration(getTestMethodName(),
+                                                                "--silent", 
"--no-web", "--no-autotune");
+
+      Map<String, Set<Role>> securityRoles = configuration.getSecurityRoles();
+
+      // wildcard match should have all permissions except manage
+      Set<Role> wildcardRoles = securityRoles.get("#");
+      assertNotNull(wildcardRoles, "Expected security-setting for '#'");
+      assertEquals(1, wildcardRoles.size());
+      Role wildcardRole = wildcardRoles.iterator().next();
+      assertEquals("amq", wildcardRole.getName());
+      assertTrue(wildcardRole.isSend());
+      assertTrue(wildcardRole.isConsume());
+      assertTrue(wildcardRole.isBrowse());
+      assertTrue(wildcardRole.isCreateDurableQueue());
+      assertTrue(wildcardRole.isDeleteDurableQueue());
+      assertTrue(wildcardRole.isCreateNonDurableQueue());
+      assertTrue(wildcardRole.isDeleteNonDurableQueue());
+      assertTrue(wildcardRole.isCreateAddress());
+      assertTrue(wildcardRole.isDeleteAddress());
+      assertFalse(wildcardRole.isManage(), "manage permission must not be on 
the wildcard '#' address");
+
+      // management address match should have manage plus supporting 
permissions
+      Set<Role> mgmtRoles = securityRoles.get("activemq.management.#");
+      assertNotNull(mgmtRoles, "Expected security-setting for 
'activemq.management.#'");
+      assertEquals(1, mgmtRoles.size());
+      Role mgmtRole = mgmtRoles.iterator().next();
+      assertEquals("amq", mgmtRole.getName());
+      assertTrue(mgmtRole.isManage());
+      assertTrue(mgmtRole.isSend());
+      assertTrue(mgmtRole.isConsume());
+      assertTrue(mgmtRole.isCreateNonDurableQueue());
+      assertTrue(mgmtRole.isDeleteNonDurableQueue());
+      assertTrue(mgmtRole.isCreateAddress());
+      assertTrue(mgmtRole.isDeleteAddress());
+   }
+
    private static File newFolder(File root, String subFolder) throws 
IOException {
       File result = new File(root, subFolder);
       if (!result.mkdirs()) {
diff --git a/artemis-features/src/main/resources/artemis.xml 
b/artemis-features/src/main/resources/artemis.xml
index 4162707d7a..7bf3daebe6 100644
--- a/artemis-features/src/main/resources/artemis.xml
+++ b/artemis-features/src/main/resources/artemis.xml
@@ -144,8 +144,15 @@ under the License.
             <permission type="consume" roles="manager"/>
             <permission type="browse" roles="manager"/>
             <permission type="send" roles="manager"/>
-            <!-- we need this otherwise ./artemis data imp wouldn't work -->
+         </security-setting>
+         <security-setting match="activemq.management.#">
             <permission type="manage" roles="manager"/>
+            <permission type="createNonDurableQueue" roles="manager"/>
+            <permission type="deleteNonDurableQueue" roles="manager"/>
+            <permission type="createAddress" roles="manager"/>
+            <permission type="deleteAddress" roles="manager"/>
+            <permission type="consume" roles="manager"/>
+            <permission type="send" roles="manager"/>
          </security-setting>
       </security-settings>
 
diff --git 
a/tests/smoke-tests/src/main/resources/servers/jmx-rbac-broker-security/broker.xml
 
b/tests/smoke-tests/src/main/resources/servers/jmx-rbac-broker-security/broker.xml
index 3f9ee00a2c..d2b323d94f 100644
--- 
a/tests/smoke-tests/src/main/resources/servers/jmx-rbac-broker-security/broker.xml
+++ 
b/tests/smoke-tests/src/main/resources/servers/jmx-rbac-broker-security/broker.xml
@@ -70,7 +70,15 @@ under the License.
             <permission type="consume" roles="amq"/>
             <permission type="browse" roles="amq"/>
             <permission type="send" roles="amq"/>
+         </security-setting>
+         <security-setting match="activemq.management.#">
             <permission type="manage" roles="amq"/>
+            <permission type="createNonDurableQueue" roles="amq"/>
+            <permission type="deleteNonDurableQueue" roles="amq"/>
+            <permission type="createAddress" roles="amq"/>
+            <permission type="deleteAddress" roles="amq"/>
+            <permission type="consume" roles="amq"/>
+            <permission type="send" roles="amq"/>
          </security-setting>
 
          <!-- settings for jmx MBean access to management operations -->


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to