Restrict access for some methods to special role in ActiveMQ Artemis web console
I have the situation that have user viewer that must have read-only access to ActiveMQ Artemis console.
- Create group
view - Created user
viewer - Added to artemis profail with console access
- Restricted operation with
management.xml viewercannot use update operations in Operations tab Works.
Issue:
If you open "Queues" table on the main tab then the user is able to open queue and delete messages by "Delete Messages" button.
Temporary solution:
Editing file jolokia-access.xml
<?xml version="1.0" encoding="utf-8"?>
<restrict>
<cors>
<allow-origin>*://*</allow-origin>
<strict-checking/>
</cors>
<deny>
<mbean>
<name>org.apache.activemq.artemis:broker="0.0.0.0",component=addresses,address="*",subcomponent=queues,routing-type="*",queue="*"</name>
<operation>*move*</operation>
</mbean>
</deny>
</restrict>
Now nobody can use any operation with move pattern.
How I can restrict the operations for viewer user only?
You should use management.xml if you want to customize management access for particular roles, e.g.:
<role-access>
<match domain="org.apache.activemq.artemis">
<access method="list*" roles="view,amq"/>
<access method="get*" roles="view,amq"/>
<access method="is*" roles="view,amq"/>
<access method="set*" roles="amq"/>
<!-- Note count and browse are need to access the browse tab in the console -->
<access method="browse*" roles="view,amq"/>
<access method="count*" roles="view,amq"/>
<access method="*" roles="amq"/>
</match>
</role-access>
Using this configuration anybody in the view role accessing any MBean in the org.apache.activemq.artemis domain can execute operations named with the following patterns:
list*get*is*browse*count*
Such users will not be able to execute any other operations.
Any user in the amq role will have full access to all operations.
- Restrict access for some methods to special role in ActiveMQ Artemis web console
- Timeouts with lots of MQTT connections to ActiveMQ Artemis
- ActiveMQ Artemis does not display console when runs in K8S
- ActiveMQ Artemis message is lost
- Setting up activemq-artemis-operator web console for external access
- Is it possible to create a Queue in Reactive Messaging AMQP Connector without a broker.xml file?
- Exposing webconsole when using Artemis operator with size > 1
- ActiveMQ Artemis WildFly version release notes
- Wildcard address with fully-qualified-queue-name
- Message are not distributed to virtual topic consumers
- Forward a message to an arbitrary list of addresses in ActiveMQ Artemis
- Paging state is not recovering until queue is empty in ActiveMQ Artemis
- Migrating scheduled messages from ActiveMQ Classic to Artemis
- How to disable ActiveMQ Artemis security for testing purposes?
- Forwarding messages from an ActiveMQ Classic broker to an ActiveMQ Artemis broker
- Consuming a large message from ActiveMQ Artemis via STOMP + Python
- ActiveMQ Artemis fails immediately after start in container
- Qpid Proton Python release(delivered=True) not triggering redelivery in ActiveMQ Artemis (2.40.0)
- How to properly signal message redelivery in ActiveMQ Artemis using Qpid Proton Python?
- ActiveMQ Artemis file lock loop in container
- ActiveMQ multicast topic does round-robin instead
- STOMP Connection Closes Due to Missing Heartbeats Despite Frontend Showing Ping-Pongs
- ActiveMQ Artemis embedded "queue does not exist"
- ActiveMQ Artemis missing MBeans
- ActiveMQ Artemis failure to create Netty connection
- ActiveMQ Artemis: Primary Pod Restart Loop with Shared Store HA
- ActiveMQ Artemis primary pod goes to restart loop after change to shared-store HA option
- ActiveMQ Artemis with STOMP: Same message from a queue is consumed by two consumers
- "Unable to announce backup" warning when an ActiveMQ Artemis master/slave pair is deployed in Openshift
- How can I use the ActiveMQ Artemis management API to apply changes to multiple brokers?