如何使用JMSToolBox以有限的权限连接ActiveMQ Artemis？

当我使用 JMSToolBox 连接到 ActiveMQ Artemis 2.x 代理时，它尝试使用非持久临时队列创建一个地址，该队列的名称是从 UUID 生成的。此代理实例上的安全设置不允许创建具有任意名称的地址和队列，并且客户端会出现安全异常。

为了使 JMSToolBox 与此服务器配合使用，我需要允许所有地址 (

match="#"

) 的权限：

createAddress

、

createNonDurableQueue

、

send

、

consume

。我也可以授予

manage

权限，不过好像没有用。这些权限太宽了，我不希望允许任何只需要列出队列并读取/写入特定队列的用户。

连接时出现错误：

org.apache.activemq.artemis.api.core.ActiveMQSecurityException: AMQ229213: User: amq_user does not have permission='CREATE_NON_DURABLE_QUEUE' for queue 2a092c7c-c335-4f16-867e-c0253d34a3e6 on address 2a092c7c-c335-4f16-867e-c0253d34a3e6

在客户端或服务器上是否有一些可能的解决方法？

例如，我可以为所有临时队列指定单独的安全设置吗？

temporary-queue-namespace

中有一个

broker.xml

设置，但似乎只适用于地址设置。

我为

match="activemq.management#"

指定的安全设置也没有任何效果。

我可以在应用程序端指定准确的临时队列名称或地址前缀吗？我可以更改应用程序中的某些内容以确保它使用具有预定义或前缀名称的某些地址吗？

JMSToolBox 帮助中有一个关于连接要求的信息，它看起来很奇怪，因为它使用带有

jms.queue

前缀的地址名称（它也不起作用）：

The following configuration is required in broker.xml for JMSToolBox :
 <security-setting match="jms.queue.activemq.management">
 <permission type="manage" roles="<admin role>" />
 </security-setting>

这里是一个代码块，它在 JMSToolBox 中创建管理会话：

Session sessionJMS = jmsConnection.createSession(false, Session.AUTO_ACKNOWLEDGE);
Queue managementQueue = ((ActiveMQSession) sessionJMS).createQueue("activemq.management");
QueueRequestor requestorJMS = new QueueRequestor((QueueSession) sessionJMS, managementQueue);

重现步骤：

• 使用管理员用户创建 ActiveMQ Artemis 实例：

  artemis.cmd create --user admin --password admin --require-login /path/to/instance

• 启动实例：

  artemis run

• 创建一个只读用户 - 例如“view”角色为“view”
• 为地址匹配添加安全设置

  activemq.management#

  角色“查看”
• 尝试使用用户 admin 从 JMSToolBox 连接（成功）
• 尝试使用用户视图从 JMSToolBox 进行连接（出现错误）

安全设置示例：

      <security-settings>
         <security-setting match="#">
            <permission type="createNonDurableQueue" roles="amq"/>
            <permission type="deleteNonDurableQueue" roles="amq"/>
            <permission type="createDurableQueue" roles="amq"/>
            <permission type="deleteDurableQueue" roles="amq"/>
            <permission type="createAddress" roles="amq"/>
            <permission type="deleteAddress" roles="amq"/>
            <permission type="consume" roles="amq"/>
            <permission type="browse" roles="amq"/>
            <permission type="send" roles="amq"/>
            <!-- we need this otherwise ./artemis data imp wouldn't work -->
            <permission type="manage" roles="amq"/>
         </security-setting>
         <security-setting match="activemq.management#">
             <permission type="createNonDurableQueue" roles="amq,view"/>
             <permission type="deleteNonDurableQueue" roles="amq,view"/>
             <permission type="createDurableQueue" roles="amq,view"/>
             <permission type="deleteDurableQueue" roles="amq,view"/>
             <permission type="createAddress" roles="amq,view"/>
             <permission type="deleteAddress" roles="amq,view"/>
             <permission type="consume" roles="amq,view"/>
             <permission type="browse" roles="amq,view"/>
             <permission type="send" roles="amq,view"/>
             <permission type="manage" roles="amq,view"/>
         </security-setting>
      </security-settings>

完整的堆栈跟踪：

org.apache.activemq.artemis.api.core.ActiveMQSecurityException: AMQ229213: User: amq_user does not have permission='CREATE_NON_DURABLE_QUEUE' for queue 2a092c7c-c335-4f16-867e-c0253d34a3e6 on address 2a092c7c-c335-4f16-867e-c0253d34a3e6
    at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:558)
    at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:450)
    at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQSessionContext.createQueue(ActiveMQSessionContext.java:829)
    at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.internalCreateQueue(ClientSessionImpl.java:2054)
    at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.createQueue(ClientSessionImpl.java:309)
    at org.apache.activemq.artemis.jms.client.ActiveMQSession.createTemporaryQueue(ActiveMQSession.java:1007)
    at javax.jms.QueueRequestor.<init>(QueueRequestor.java:93)
    at org.titou10.jtb.qm.artemis2.ActiveMQArtemis2QManager.connect(ActiveMQArtemis2QManager.java:221)
    at org.titou10.jtb.jms.model.JTBConnection.connect(JTBConnection.java:267)
    at org.titou10.jtb.handler.SessionConnectHandler$1.run(SessionConnectHandler.java:111)
    at org.eclipse.swt.custom.BusyIndicator.showWhile(BusyIndicator.java:74)
    at org.titou10.jtb.handler.SessionConnectHandler.execute(SessionConnectHandler.java:106)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.base/java.lang.reflect.Method.invoke(Unknown Source)
    at org.eclipse.e4.core.internal.di.MethodRequestor.execute(MethodRequestor.java:58)
    at org.eclipse.e4.core.internal.di.InjectorImpl.invokeUsingClass(InjectorImpl.java:317)
    at org.eclipse.e4.core.internal.di.InjectorImpl.invoke(InjectorImpl.java:251)
    at org.eclipse.e4.core.contexts.ContextInjectionFactory.invoke(ContextInjectionFactory.java:173)
    at org.eclipse.e4.core.commands.internal.HandlerServiceHandler.execute(HandlerServiceHandler.java:156)
    at org.eclipse.core.commands.Command.executeWithChecks(Command.java:488)
    at org.eclipse.core.commands.ParameterizedCommand.executeWithChecks(ParameterizedCommand.java:485)
    at org.eclipse.e4.core.commands.internal.HandlerServiceImpl.executeHandler(HandlerServiceImpl.java:213)
    at org.eclipse.e4.ui.workbench.renderers.swt.HandledContributionItem.executeItem(HandledContributionItem.java:438)
    at org.eclipse.e4.ui.workbench.renderers.swt.AbstractContributionItem.handleWidgetSelection(AbstractContributionItem.java:449)
    at org.eclipse.e4.ui.workbench.renderers.swt.AbstractContributionItem.lambda$2(AbstractContributionItem.java:475)
    at org.eclipse.swt.widgets.EventTable.sendEvent(EventTable.java:89)
    at org.eclipse.swt.widgets.Display.sendEvent(Display.java:4256)
    at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:1066)
    at org.eclipse.swt.widgets.Display.runDeferredEvents(Display.java:4054)
    at org.eclipse.swt.widgets.Display.readAndDispatch(Display.java:3642)
    at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine$5.run(PartRenderingEngine.java:1155)
    at org.eclipse.core.databinding.observable.Realm.runWithDefault(Realm.java:338)
    at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine.run(PartRenderingEngine.java:1046)
    at org.eclipse.e4.ui.internal.workbench.E4Workbench.createAndRunUI(E4Workbench.java:155)
    at org.eclipse.e4.ui.internal.workbench.swt.E4Application.start(E4Application.java:168)
    at org.eclipse.equinox.internal.app.EclipseAppHandle.run(EclipseAppHandle.java:203)
    at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.runApplication(EclipseAppLauncher.java:136)
    at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.start(EclipseAppLauncher.java:104)
    at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:402)
    at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:255)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.base/java.lang.reflect.Method.invoke(Unknown Source)
    at org.eclipse.equinox.launcher.Main.invokeFramework(Main.java:659)
    at org.eclipse.equinox.launcher.Main.basicRun(Main.java:596)
    at org.eclipse.equinox.launcher.Main.run(Main.java:1467)