Artemis AMQ119213: User: '' does not have permission='CONSUME'

I need to create an user who is just used to create queues from CI/CD tool.

<permission type="createDurableQueue" roles="amq, opadmin"/>
        <permission type="deleteDurableQueue" roles="amq"/>
        <permission type="createAddress" roles="amq, opadmin"/>
        <permission type="deleteAddress" roles="amq, opadmin"/>
        <permission type="consume" roles="amq, developer"/>

i am getting below error

[amq-broker@x01sipscnaq1a bin]$ ./artemis queue create --auto-create-address --durable --user opadmin --password xxxxxxxx --anycast --preserve-on-no-consumers --url tcp://10.91.xxx.xxx:61716 Exception in thread "main" ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ119213: User: opadmin does not have permission='CONSUME' for queue activemq.management.383ccac9-0084-4c44-8f23-7f5c44f7b0dc on address activemq.management.383ccac9-0084-4c44-8f23-7f5c44f7b0dc.activemq.management.383ccac9-0084-4c44-8f23-7f5c44f7b0dc]

So changed to

<permission type="createDurableQueue" roles="amq, opadmin"/>
        <permission type="deleteDurableQueue" roles="amq"/>
        <permission type="createAddress" roles="amq, opadmin"/>
        <permission type="deleteAddress" roles="amq, opadmin"/>
        <permission type="consume" roles="amq, developer, opadmin"/>

It goes in with no error, but hangs (waited for more than 30 minutes)

[amq-broker@x01sipscnaq1a bin]$ ./artemis queue create --silent --auto-create-address --durable --user opadmin --password xxxxxx --anycast --name TestTorture --preserve-on-no-consumers --url tcp://10.91.xxx.xxx:61716 --verbose Executing org.apache.activemq.artemis.cli.commands.queue.CreateQueue queue create --silent --auto-create-address --durable --user opadmin --password xxxxxx --anycast --name TestTorture --preserve-on-no-consumers --url tcp://10.91.xxx.xxx:61716 --verbose Home::/opt/redhat/amq-broker-7.1.0-hf8, Instance::/opt/redhat/amq-config/cn_soi/broker2b ^C[amq-broker@x01sipscnaq1a bin]$

Solution

Any user performing remote management operations via core messages (e.g. the Artemis CLI) needs the following permissions on activemq.management.#:

createNonDurableQueue (to create a "subscription" queue on the management address in order to receive the management reply)
consume (to receive the management reply)
send (to send the management message)
manage (to perform a management operation)

You are missing the send and manage operations. While the client might not receive exceptions about this since it is sending non-durable messages (which are fire-and-forget) the log on the broker should contain the relevant errors.