activemq-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ARTEMIS-592) Allow fine grain access control (durable subscriptions)
Date Thu, 04 Aug 2016 10:19:20 GMT

    [ https://issues.apache.org/jira/browse/ARTEMIS-592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15407527#comment-15407527 ]

ASF GitHub Bot commented on ARTEMIS-592:
----------------------------------------

Github user mtaylor commented on the issue:

    https://github.com/apache/activemq-artemis/pull/701
  
    @jbertram I'm not sure about using the queue name to control access.  It requires users
to understand how subscriptions work internally and how the queue name is constructed, which
might be different across protocols.
    
    Perhaps a neater approach could be to allow all users of a particular role to share subscriptions,
controlled by an address setting.  e.g.
    
    User defines a role "production", all users within this role are able to share subscriptions
between themselves.  Many roles could be created that are able to share subscriptions, "production",
"test", "application-x", only users within the role are able to share the subscription.
    
    Production Role: user1, user2
    Test Role: user3, user4
    
    user1 and user2 can share the subscription, user3 and user4 can also share a subscription,
user1 and user3 can not share a subscription.
    
    We could also create a new security-setting to limit which roles are able to share subscriptions
and for which addresses, something like "sharedSubscriptionGroup" (or better name), which
specifies which roles are allowed to share subscriptions.
    
    e.g. 
    
    ```xml
    <security-setting match="jms.topic.news.us.#">
       <permission type="createDurableQueue" roles="user"/>
       <permission type="send" roles="us-user"/>
       <permission type="shareSubscription" roles="production,test"/>
    </security-setting>
    ```
    
    We already store which user created the queue "the queue owner", we could use this information
to determine whether or not to allow another user to share this subscription.  You can get
the queue owner roles and the current user roles to make the comparison and do a check on
the security setting.
    
    Does this make sense?  Any thoughts?
      
     
    
    
    
    
    



> Allow fine grain access control (durable subscriptions)
> -------------------------------------------------------
>
>                 Key: ARTEMIS-592
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-592
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>            Reporter: Lionel Cons
>            Assignee: Justin Bertram
>
> According to the documentation:
> {quote}
> Apache ActiveMQ Artemis allows sets of permissions to be defined against the queues based on their address.
> {quote}
> Two different subscriptions on the same topic will have the same address (the topic), only their name will change. So it seems they will get the same permissions.
> Could you please allow fine grain access control to be able to set different permissions to different durable subscriptions of the same topic?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
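
The role comparison proposed in the comment above (queue owner roles against current user roles, checked against the security setting), as an added example that is not part of the original message and not Artemis code. The class, the method `canShare`, the users `user5` and `user6`, and the rule that an owner may always reattach are assumptions made for illustration; `shareSubscription` is the permission name suggested in the comment, not an existing Artemis permission.

```java
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Sketch of the proposed check. SharedSubscriptionCheck and canShare are
// hypothetical names; nothing here is Artemis API.
public class SharedSubscriptionCheck {

    // Roles from the proposed <permission type="shareSubscription" roles="..."/>
    // for the matching address (constructed sample, mirrors the XML in the comment).
    static final Set<String> SHARE_ROLES = Set.of("production", "test");

    // Constructed user-to-role mapping: user1..user4 follow the comment's example,
    // user5 holds only an unlisted role, user6 holds both listed roles.
    static final Map<String, Set<String>> USER_ROLES = Map.of(
        "user1", Set.of("production"),
        "user2", Set.of("production"),
        "user3", Set.of("test"),
        "user4", Set.of("test"),
        "user5", Set.of("us-user"),
        "user6", Set.of("production", "test"));

    // Allow sharing only if the queue owner and the current user have a role in
    // common AND that role is listed in the shareSubscription permission.
    static boolean canShare(String queueOwner, String currentUser) {
        if (queueOwner.equals(currentUser)) {
            return true; // assumption: the owner may always reattach to its own subscription
        }
        Set<String> common = new HashSet<>(USER_ROLES.getOrDefault(queueOwner, Set.of()));
        common.retainAll(USER_ROLES.getOrDefault(currentUser, Set.of()));
        common.retainAll(SHARE_ROLES);
        return !common.isEmpty(); // unknown users have no roles, so they are denied
    }

    public static void main(String[] args) {
        String[][] pairs = {
            {"user1", "user2"}, {"user3", "user4"}, {"user1", "user3"},
            {"user1", "user5"}, {"user6", "user3"}};
        for (String[] p : pairs) {
            System.out.println(p[0] + " owns, " + p[1] + " attaches: " + canShare(p[0], p[1]));
        }
    }
}
```

A user holding both listed roles (the constructed `user6`) can share with either group, so under this scheme role membership is the sharing boundary and has to be managed as such.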
