[
https://issues.apache.org/jira/browse/ARTEMIS-5949?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Justin Bertram updated ARTEMIS-5949:
------------------------------------
Description:
When the {{create}} command is used to create a broker instance the
{{broker.xml}} contains this:
{code:xml}
<security-settings>
<security-setting match="#">
<permission type="createNonDurableQueue" roles="amq"/>
<permission type="deleteNonDurableQueue" roles="amq"/>
<permission type="createDurableQueue" roles="amq"/>
<permission type="deleteDurableQueue" roles="amq"/>
<permission type="createAddress" roles="amq"/>
<permission type="deleteAddress" roles="amq"/>
<permission type="consume" roles="amq"/>
<permission type="browse" roles="amq"/>
<permission type="send" roles="amq"/>
<!-- we need this otherwise ./artemis data imp wouldn't work -->
<permission type="manage" roles="amq"/>
</security-setting>
</security-settings>{code}
Applying the {{manage}} role to {{#}} works, but it is imprecise and
potentially confusing. This permission should only be applied to the
*management address*. We can also remove the comment as I don't believe it's
necessary. Therefore, the default {{security-settings}} should look something
like this:
{code:xml}
<security-settings>
<security-setting match="#">
<permission type="createNonDurableQueue" roles="amq"/>
<permission type="deleteNonDurableQueue" roles="amq"/>
<permission type="createDurableQueue" roles="amq"/>
<permission type="deleteDurableQueue" roles="amq"/>
<permission type="createAddress" roles="amq"/>
<permission type="deleteAddress" roles="amq"/>
<permission type="consume" roles="amq"/>
<permission type="browse" roles="amq"/>
<permission type="send" roles="amq"/>
</security-setting>
<security-setting match="activemq.management.#">
<permission type="manage" roles="amq"/>
<permission type="createNonDurableQueue" roles="amq"/>
<permission type="deleteNonDurableQueue" roles="amq"/>
<permission type="createAddress" roles="amq"/>
<permission type="deleteAddress" roles="amq"/>
<permission type="consume" roles="amq"/>
<permission type="send" roles="amq"/>
</security-setting>
</security-settings>{code}
was:
When the {{create}} command is used to create a broker instance the
{{broker.xml}} contains this:
{code:xml}
<security-settings>
<security-setting match="#">
<permission type="createNonDurableQueue" roles="amq"/>
<permission type="deleteNonDurableQueue" roles="amq"/>
<permission type="createDurableQueue" roles="amq"/>
<permission type="deleteDurableQueue" roles="amq"/>
<permission type="createAddress" roles="amq"/>
<permission type="deleteAddress" roles="amq"/>
<permission type="consume" roles="amq"/>
<permission type="browse" roles="amq"/>
<permission type="send" roles="amq"/>
<!-- we need this otherwise ./artemis data imp wouldn't work -->
<permission type="manage" roles="amq"/>
</security-setting>
</security-settings>{code}
Applying the {{manage}} role to {{#}} works, but it is imprecise and
potentially confusing. This permission should only be applied to the
*management address*. The {{address-settings}} contains a block for the
management address so it makes sense for {{security-settings}} to contain one
as well. We can also remove the comment as I don't believe it's necessary.
Therefore, the default {{security-settings}} should look something like this:
{code:xml}
<security-settings>
<security-setting match="#">
<permission type="createNonDurableQueue" roles="amq"/>
<permission type="deleteNonDurableQueue" roles="amq"/>
<permission type="createDurableQueue" roles="amq"/>
<permission type="deleteDurableQueue" roles="amq"/>
<permission type="createAddress" roles="amq"/>
<permission type="deleteAddress" roles="amq"/>
<permission type="consume" roles="amq"/>
<permission type="browse" roles="amq"/>
<permission type="send" roles="amq"/>
</security-setting>
<security-setting match="activemq.management.#">
<permission type="manage" roles="amq"/>
</security-setting>
</security-settings>{code}
> Clarify manage permission in default broker.xml
> -----------------------------------------------
>
> Key: ARTEMIS-5949
> URL: https://issues.apache.org/jira/browse/ARTEMIS-5949
> Project: Artemis
> Issue Type: Task
> Reporter: Justin Bertram
> Assignee: Justin Bertram
> Priority: Major
>
> When the {{create}} command is used to create a broker instance the
> {{broker.xml}} contains this:
> {code:xml}
> <security-settings>
> <security-setting match="#">
> <permission type="createNonDurableQueue" roles="amq"/>
> <permission type="deleteNonDurableQueue" roles="amq"/>
> <permission type="createDurableQueue" roles="amq"/>
> <permission type="deleteDurableQueue" roles="amq"/>
> <permission type="createAddress" roles="amq"/>
> <permission type="deleteAddress" roles="amq"/>
> <permission type="consume" roles="amq"/>
> <permission type="browse" roles="amq"/>
> <permission type="send" roles="amq"/>
> <!-- we need this otherwise ./artemis data imp wouldn't work -->
> <permission type="manage" roles="amq"/>
> </security-setting>
> </security-settings>{code}
> Applying the {{manage}} role to {{#}} works, but it is imprecise and
> potentially confusing. This permission should only be applied to the
> *management address*. We can also remove the comment as I don't believe it's
> necessary. Therefore, the default {{security-settings}} should look something
> like this:
> {code:xml}
> <security-settings>
> <security-setting match="#">
> <permission type="createNonDurableQueue" roles="amq"/>
> <permission type="deleteNonDurableQueue" roles="amq"/>
> <permission type="createDurableQueue" roles="amq"/>
> <permission type="deleteDurableQueue" roles="amq"/>
> <permission type="createAddress" roles="amq"/>
> <permission type="deleteAddress" roles="amq"/>
> <permission type="consume" roles="amq"/>
> <permission type="browse" roles="amq"/>
> <permission type="send" roles="amq"/>
> </security-setting>
> <security-setting match="activemq.management.#">
> <permission type="manage" roles="amq"/>
> <permission type="createNonDurableQueue" roles="amq"/>
> <permission type="deleteNonDurableQueue" roles="amq"/>
> <permission type="createAddress" roles="amq"/>
> <permission type="deleteAddress" roles="amq"/>
> <permission type="consume" roles="amq"/>
> <permission type="send" roles="amq"/>
> </security-setting>
> </security-settings>{code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
