diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/security/Role.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/security/Role.java index a3b4c21b19..7757b3ba24 100644 --- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/security/Role.java +++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/security/Role.java @@ -79,6 +79,7 @@ public class Role implements Serializable { this(name, send, consume, createDurableQueue, deleteDurableQueue, createNonDurableQueue, deleteNonDurableQueue, manage, consume); } + @Deprecated public Role(final String name, final boolean send, final boolean consume, @@ -156,6 +157,14 @@ public class Role implements Serializable { return deleteNonDurableQueue; } + public boolean isManage() { + return manage; + } + + public boolean isBrowse() { + return browse; + } + @Override public String toString() { StringBuffer stringReturn = new StringBuffer("Role {name=" + name + "; allows=["); @@ -260,12 +269,4 @@ public class Role implements Serializable { result = 31 * result + (browse ? 1 : 0); return result; } - - public boolean isManage() { - return manage; - } - - public boolean isBrowse() { - return browse; - } } diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/deployers/impl/FileConfigurationParser.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/deployers/impl/FileConfigurationParser.java index 8500ecf1fb..633a7168c6 100644 --- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/deployers/impl/FileConfigurationParser.java +++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/deployers/impl/FileConfigurationParser.java @@ -871,7 +871,7 @@ public final class FileConfigurationParser extends XMLConfigurationUtil { } for (String role : allRoles) { - securityRoles.add(new Role(role, send.contains(role), consume.contains(role), createDurableQueue.contains(role), deleteDurableQueue.contains(role), createNonDurableQueue.contains(role), deleteNonDurableQueue.contains(role), manageRoles.contains(role), browseRoles.contains(role))); + securityRoles.add(new Role(role, send.contains(role), consume.contains(role), createDurableQueue.contains(role), deleteDurableQueue.contains(role), createNonDurableQueue.contains(role), deleteNonDurableQueue.contains(role), manageRoles.contains(role), browseRoles.contains(role), createAddressRoles.contains(role), deleteAddressRoles.contains(role))); } return securityMatch; diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/LegacyLDAPSecuritySettingPlugin.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/LegacyLDAPSecuritySettingPlugin.java index 6aa762ed31..e38c337e88 100644 --- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/LegacyLDAPSecuritySettingPlugin.java +++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/LegacyLDAPSecuritySettingPlugin.java @@ -366,8 +366,18 @@ public class LegacyLDAPSecuritySettingPlugin implements SecuritySettingPlugin { Rdn rdn = ldapname.getRdn(ldapname.size() - 1); String roleName = rdn.getValue().toString(); logger.debug("\tRole name: " + roleName); - Role role = new Role(roleName, permissionType.equalsIgnoreCase(writePermissionValue), permissionType.equalsIgnoreCase(readPermissionValue), permissionType.equalsIgnoreCase(adminPermissionValue), permissionType.equalsIgnoreCase(adminPermissionValue), permissionType.equalsIgnoreCase(adminPermissionValue), permissionType.equalsIgnoreCase(adminPermissionValue), false, // there is no permission from ActiveMQ 5.x that corresponds to the "manage" permission in ActiveMQ Artemis - permissionType.equalsIgnoreCase(readPermissionValue)); // the "browse" permission matches "read" from ActiveMQ 5.x + Role role = new Role(roleName, + permissionType.equalsIgnoreCase(writePermissionValue), // send + permissionType.equalsIgnoreCase(readPermissionValue), // consume + permissionType.equalsIgnoreCase(adminPermissionValue), // createDurableQueue + permissionType.equalsIgnoreCase(adminPermissionValue), // deleteDurableQueue + permissionType.equalsIgnoreCase(adminPermissionValue), // createNonDurableQueue + permissionType.equalsIgnoreCase(adminPermissionValue), // deleteNonDurableQueue + false, // manage - there is no permission from ActiveMQ 5.x that corresponds to this + permissionType.equalsIgnoreCase(readPermissionValue), // browse + permissionType.equalsIgnoreCase(adminPermissionValue), // createAddress + permissionType.equalsIgnoreCase(adminPermissionValue) // deleteAddress + ); roles.add(role); } diff --git a/artemis-server/src/test/java/org/apache/activemq/artemis/core/config/impl/FileConfigurationTest.java b/artemis-server/src/test/java/org/apache/activemq/artemis/core/config/impl/FileConfigurationTest.java index af48c62c97..4cdd11c477 100644 --- a/artemis-server/src/test/java/org/apache/activemq/artemis/core/config/impl/FileConfigurationTest.java +++ b/artemis-server/src/test/java/org/apache/activemq/artemis/core/config/impl/FileConfigurationTest.java @@ -508,63 +508,62 @@ public class FileConfigurationTest extends ConfigurationImplTest { Map> securityRoles = fc.getSecurityRoles(); Set roles = securityRoles.get("#"); - //N.B. - FileConfigurationParser uses the constructor without createAddress and deleteAddress //cn=mygroup,dc=local,dc=com = amq1 Role testRole1 = new Role("cn=mygroup,dc=local,dc=com",false, false, false, false, true, false, false, - false); + false, false, false); //myrole1 = amq1 + amq2 Role testRole2 = new Role("myrole1",false, false, false, false, true, true, false, - false); + false, false, false); //myrole3 = amq3 + amq4 Role testRole3 = new Role("myrole3",false, false, true, true, false, false, false, - false); + false, false, false); //myrole4 = amq5 + amq!@#$%^&*() + amq6 Role testRole4 = new Role("myrole4",true, true, false, false, false, false, false, - true); + true, true, true); //myrole5 = amq4 = amq3 + amq4 Role testRole5 = new Role("myrole5",false, false, true, true, false, false, false, - false); + false, false, false); Role testRole6 = new Role("amq1",false, false, false, false, true, false, false, - false); + false, false, false); Role testRole7 = new Role("amq2",false, false, false, false, false, true, false, - false); + false, false, false); Role testRole8 = new Role("amq3",false, false, true, false, false, false, false, - false); + false, false, false); Role testRole9 = new Role("amq4",false, false, true, true, false, false, false, - false); + false, false, false); Role testRole10 = new Role("amq5",false, false, false, false, false, false, false, - false); + false, true, true); Role testRole11 = new Role("amq6",false, true, false, false, false, false, false, - true); + true, false, false); Role testRole12 = new Role("amq7",false, false, false, false, false, false, true, - false); + false, false, false); Role testRole13 = new Role("amq!@#$%^&*()",true, false, false, false, false, false, false, - false); + false, false, false); assertEquals(13, roles.size()); assertTrue(roles.contains(testRole1)); diff --git a/docs/user-manual/en/security.md b/docs/user-manual/en/security.md index d1639608dc..82b062d834 100644 --- a/docs/user-manual/en/security.md +++ b/docs/user-manual/en/security.md @@ -35,6 +35,12 @@ wildcard match can be used using the wildcard characters '`#`' and Eight different permissions can be given to the set of queues which match the address. Those permissions are: +- `createAddress`. This permission allows the user to create an + address fitting the `match`. + +- `deleteAddress`. This permission allows the user to delete an + address fitting the `match`. + - `createDurableQueue`. This permission allows the user to create a durable queue under matching addresses. @@ -225,13 +231,14 @@ The name of the queue or topic defined in LDAP will serve as the "match" for the will be mapped from the ActiveMQ 5.x type to the Artemis type, and the role will be mapped as-is. ActiveMQ 5.x only has 3 permission types - `read`, `write`, and `admin`. These permission types are described on their -[website](http://activemq.apache.org/security.html). However, as described previously, ActiveMQ Artemis has 7 permission -types - `createDurableQueue`, `deleteDurableQueue`, `createNonDurableQueue`, `deleteNonDurableQueue`, `send`, `consume`, -`browse`, and `manage`. Here's how the old types are mapped to the new types: +[website](http://activemq.apache.org/security.html). However, as described previously, ActiveMQ Artemis has 9 permission +types - `createAddress`, `deleteAddress`, `createDurableQueue`, `deleteDurableQueue`, `createNonDurableQueue`, +`deleteNonDurableQueue`, `send`, `consume`, `browse`, and `manage`. Here's how the old types are mapped to the new types: - `read` - `consume`, `browse` - `write` - `send` -- `admin` - `createDurableQueue`, `deleteDurableQueue`, `createNonDurableQueue`, `deleteNonDurableQueue` +- `admin` - `createAddress`, `deleteAddress`, `createDurableQueue`, `deleteDurableQueue`, `createNonDurableQueue`, + `deleteNonDurableQueue` As mentioned, there are a few places where a translation was performed to achieve some equivalence.: diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/AmqpClientTestSupport.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/AmqpClientTestSupport.java index a01c975de8..991f467523 100644 --- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/AmqpClientTestSupport.java +++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/AmqpClientTestSupport.java @@ -256,10 +256,10 @@ public class AmqpClientTestSupport extends AmqpTestSupport { // Configure roles HierarchicalRepository> securityRepository = server.getSecurityRepository(); HashSet value = new HashSet<>(); - value.add(new Role("nothing", false, false, false, false, false, false, false, false)); - value.add(new Role("browser", false, false, false, false, false, false, false, true)); - value.add(new Role("guest", false, true, false, false, false, false, false, true)); - value.add(new Role("full", true, true, true, true, true, true, true, true)); + value.add(new Role("nothing", false, false, false, false, false, false, false, false, false, false)); + value.add(new Role("browser", false, false, false, false, false, false, false, true, false, false)); + value.add(new Role("guest", false, true, false, false, false, false, false, true, false, false)); + value.add(new Role("full", true, true, true, true, true, true, true, true, true, true)); securityRepository.addMatch(getQueueName(), value); server.getConfiguration().setSecurityEnabled(true); diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/jms/SimpleJNDIClientTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/jms/SimpleJNDIClientTest.java index d776961758..54109b1e9f 100644 --- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/jms/SimpleJNDIClientTest.java +++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/jms/SimpleJNDIClientTest.java @@ -486,7 +486,7 @@ public class SimpleJNDIClientTest extends ActiveMQTestBase { //setup user and role on broker ((ActiveMQJAASSecurityManager) liveService.getSecurityManager()).getConfiguration().addUser("myUser", "myPassword"); ((ActiveMQJAASSecurityManager) liveService.getSecurityManager()).getConfiguration().addRole("myUser", "consumeCreateRole"); - Role consumeCreateRole = new Role("consumeCreateRole", false, true, true, true, true, true, true, true); + Role consumeCreateRole = new Role("consumeCreateRole", false, true, true, true, true, true, true, true, true, true); Set consumerCreateRoles = new HashSet<>(); consumerCreateRoles.add(consumeCreateRole); liveService.getSecurityRepository().addMatch("test.queue", consumerCreateRoles); diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MQTTTestSupport.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MQTTTestSupport.java index 6ad13f1c14..e49ec92ed6 100644 --- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MQTTTestSupport.java +++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MQTTTestSupport.java @@ -181,10 +181,10 @@ public class MQTTTestSupport extends ActiveMQTestBase { // Configure roles HierarchicalRepository> securityRepository = server.getSecurityRepository(); HashSet value = new HashSet<>(); - value.add(new Role("nothing", false, false, false, false, false, false, false, false)); - value.add(new Role("browser", false, false, false, false, false, false, false, true)); - value.add(new Role("guest", false, true, false, false, false, false, false, true)); - value.add(new Role("full", true, true, true, true, true, true, true, true)); + value.add(new Role("nothing", false, false, false, false, false, false, false, false, false, false)); + value.add(new Role("browser", false, false, false, false, false, false, false, true, false, false)); + value.add(new Role("guest", false, true, false, false, false, false, false, true, false, false)); + value.add(new Role("full", true, true, true, true, true, true, true, true, true, true)); securityRepository.addMatch(getQueueName(), value); server.getConfiguration().setSecurityEnabled(true); diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ra/OutgoingConnectionNoJTATest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ra/OutgoingConnectionNoJTATest.java index 2cc129f1e1..430c0f3fda 100644 --- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ra/OutgoingConnectionNoJTATest.java +++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ra/OutgoingConnectionNoJTATest.java @@ -71,7 +71,7 @@ public class OutgoingConnectionNoJTATest extends ActiveMQRATestBase { ((ActiveMQJAASSecurityManager) server.getSecurityManager()).getConfiguration().setDefaultUser("guest"); ((ActiveMQJAASSecurityManager) server.getSecurityManager()).getConfiguration().addRole("testuser", "arole"); ((ActiveMQJAASSecurityManager) server.getSecurityManager()).getConfiguration().addRole("guest", "arole"); - Role role = new Role("arole", true, true, true, true, true, true, true, true); + Role role = new Role("arole", true, true, true, true, true, true, true, true, true, true); Set roles = new HashSet<>(); roles.add(role); server.getSecurityRepository().addMatch(MDBQUEUEPREFIXED, roles); diff --git a/tests/jms-tests/src/test/resources/broker.xml b/tests/jms-tests/src/test/resources/broker.xml index 28550ae647..733e8c37bc 100644 --- a/tests/jms-tests/src/test/resources/broker.xml +++ b/tests/jms-tests/src/test/resources/broker.xml @@ -44,6 +44,8 @@ + +