activemq-classic, amazon-mq

AmazonMQ ActiveMQ issue with permissions too strict


I have a setup of AmazonMQ (ActiveMQ 5.17.1) with a user defined like this in my terraform:

user {
    username = "myUser"
    password = "somethingSecret"
    console_access = false
}

and the ActiveMQ configuration without any authorizationMap: my client is able to connect without issue.

Now I want to set up the authorizationMap for some other users and give the user myUser admin rights on all queues and topics.

Here is how my authorizationMap looks:

<authorizationPlugin>
    <map>
        <authorizationMap>
            <authorizationEntries>
                <authorizationEntry queue="SYS1.IN.>" read="system1"/>
                <!-- the ">" wildcard only matches as a whole path segment, so the separator dot is required -->
                <authorizationEntry queue="SYS2.IN.>" read="system2"/>
                <authorizationEntry queue="SYS2.OUT.>" write="system2"/>
                <!-- few other queues / permissions -->
                <!-- taken from https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/child-element-details.html#authorizationEntry -->
                <authorizationEntry admin="admins,activemq-webconsole" read="admins,users,activemq-webconsole" write="admins,activemq-webconsole" queue=">"/>
                <authorizationEntry admin="admins,activemq-webconsole" read="admins,users,activemq-webconsole" write="admins,activemq-webconsole" topic=">"/>
            </authorizationEntries>
        </authorizationMap>
    </map>
</authorizationPlugin>

and I also added myUser to the admins group in Terraform:

user {
    username = "myUser"
    password = "somethingSecret"
    groups = ["admins"]
}

But with this setup I see in the AWS logs (and on the client side as well) an error saying something like:

... User myUser doesn't have permission to write in topic `ActiveMQ.Advisory.Connection` ...

I tried to add the following entry in the authorizationMap (keeping the existing one above):

<authorizationEntry topic="ActiveMQ.Advisory.>" read="admins,activemq-webconsole" write="admins,activemq-webconsole" admin="admins,activemq-webconsole"/>

But the error is still the same.

Note that when I try to send a message to a queue from the console (with another user that has console_access = true), an error occurs, but I can create new queues.

Note that I force a reboot of the broker between each configuration change, but the above error remains.


Solution

  • I found two issues with my terraform file:

    First I had to add an authentication_strategy:

    authentication_strategy = "simple"
    

    but this alone was still not working.

    Then, from the Console, I saw that my broker was not referring to the latest configuration.

    Secondly, I had to explicitly add the revision line to my configuration, like this:

    configuration {
        id = aws_mq_configuration.conf-amq-area51-dev.id
        revision = aws_mq_configuration.conf-amq-area51-dev.latest_revision
    }
    

    to explicitly refer to the latest version, as I had made the (false) assumption that not specifying the revision would implicitly take the latest one.

    After these two changes I am able to use my user properly and the console admin is also working properly.

    Another important point which was also missing in my initial configuration: the group assigned to each user. If I want to assign authorizations like the ones in the question:

     <authorizationEntry queue="SYS1.IN.>" read="system1"/>
     <authorizationEntry queue="SYS2.IN.>" read="system2"/>
     <authorizationEntry queue="SYS2.OUT.>" write="system2"/>
    

    system1 and system2 represent groups and not users, because in ActiveMQ an authorizationEntry always refers to a group and not to an individual user. The workaround is to name (and assign) the group with the same name as the user (a bit like in Linux).

    In Terraform, you can declare them like this:

    user {
        username = "system1"
        password = "somethingSecretPa$$01"
        console_access = false
        groups = ["system1"]
    }
    
    user {
        username = "system2"
        password = "somethingSecretPa$$02"
        console_access = false
        groups = ["system2"]
    }
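The answer's three fixes (explicit authentication strategy, pinning the broker to the latest configuration revision, and giving every user a group that the authorizationMap can name) put together in one Terraform module, as an added example that is not part of the original question or answer. Resource names, variable names, the subnet and security group references, and the instance type are assumptions. Beyond what the answer shows, it also grants the `admin` permission on the system queues (without it a group cannot create a destination that does not exist yet) and grants every connecting group write access to `ActiveMQ.Advisory.>`, which is the permission the error message in the question was complaining about:

```hcl
# Added example: complete broker + configuration wiring (names are assumptions).
variable "mq_passwords" {
  type      = map(string) # keys: admin, system1, system2 (12+ chars each, no commas)
  sensitive = true
}
variable "mq_subnet_ids" { type = list(string) }
variable "mq_security_group_ids" { type = list(string) }

resource "aws_mq_configuration" "conf-amq-area51-dev" {
  name           = "conf-amq-area51-dev"
  engine_type    = "ActiveMQ"
  engine_version = "5.17.1"

  # authorizationEntry only knows groups, so every group named here must appear
  # in some user's "groups" list on the broker below.
  data = <<-EOT
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <broker xmlns="http://activemq.apache.org/schema/core">
      <plugins>
        <authorizationPlugin>
          <map>
            <authorizationMap>
              <authorizationEntries>
                <!-- admin lets the group create the destination if it does not exist yet -->
                <authorizationEntry queue="SYS1.IN.>"  read="system1"  admin="system1"/>
                <authorizationEntry queue="SYS2.IN.>"  read="system2"  admin="system2"/>
                <authorizationEntry queue="SYS2.OUT.>" write="system2" admin="system2"/>
                <!-- every group that opens a connection needs write on the advisory topics,
                     otherwise the broker rejects the connection with
                     "doesn't have permission to write in topic ActiveMQ.Advisory.Connection" -->
                <authorizationEntry topic="ActiveMQ.Advisory.>"
                    read="admins,system1,system2,activemq-webconsole"
                    write="admins,system1,system2,activemq-webconsole"
                    admin="admins,system1,system2,activemq-webconsole"/>
                <!-- admins (and the web console) get everything; system1/system2 get nothing more -->
                <authorizationEntry queue=">" read="admins,activemq-webconsole" write="admins,activemq-webconsole" admin="admins,activemq-webconsole"/>
                <authorizationEntry topic=">" read="admins,activemq-webconsole" write="admins,activemq-webconsole" admin="admins,activemq-webconsole"/>
              </authorizationEntries>
            </authorizationMap>
          </map>
        </authorizationPlugin>
      </plugins>
    </broker>
  EOT
}

resource "aws_mq_broker" "amq-area51-dev" {
  broker_name         = "amq-area51-dev"
  engine_type         = "ActiveMQ"
  engine_version      = "5.17.1"
  host_instance_type  = "mq.t3.micro" # assumption
  deployment_mode     = "SINGLE_INSTANCE"
  publicly_accessible = false
  subnet_ids          = var.mq_subnet_ids
  security_groups     = var.mq_security_group_ids

  # Users/groups come from this block, not from LDAP.
  authentication_strategy = "simple"

  # Pin the broker to the newest revision. Without "revision" the broker keeps
  # the revision it was created with and later authorizationMap edits never apply.
  configuration {
    id       = aws_mq_configuration.conf-amq-area51-dev.id
    revision = aws_mq_configuration.conf-amq-area51-dev.latest_revision
  }

  user {
    username       = "admin"
    password       = var.mq_passwords["admin"]
    console_access = true
    groups         = ["admins"]
  }

  # Group named after the user, since authorizationEntry cannot name a user.
  user {
    username       = "system1"
    password       = var.mq_passwords["system1"]
    console_access = false
    groups         = ["system1"]
  }

  user {
    username       = "system2"
    password       = var.mq_passwords["system2"]
    console_access = false
    groups         = ["system2"]
  }

  logs {
    general = true # the "doesn't have permission" errors show up in the general log
    audit   = true # management actions via JMX / web console
  }
}
```

After `terraform apply`, check in the Amazon MQ console that the broker's "Configuration revision" equals the configuration's latest revision before debugging permissions; a stale revision reproduces exactly the symptoms in the question, no matter what the authorizationMap says. Also keep the advisory-topic entry in sync whenever a new group is added, or that group's connections will fail the same way.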