I need to create a user who is used only to create queues from a CI/CD tool.

    <permission type="createDurableQueue" roles="amq, opadmin"/>
    <permission type="deleteDurableQueue" roles="amq"/>
    <permission type="createAddress" roles="amq, opadmin"/>
    <permission type="deleteAddress" roles="amq, opadmin"/>
    <permission type="consume" roles="amq, developer"/>

I am getting the error below:

    [amq-broker@x01sipscnaq1a bin]$ ./artemis queue create --auto-create-address --durable --user opadmin --password xxxxxxxx --anycast --preserve-on-no-consumers --url tcp://10.91.xxx.xxx:61716
    Exception in thread "main" ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ119213: User: opadmin does not have permission='CONSUME' for queue activemq.management.383ccac9-0084-4c44-8f23-7f5c44f7b0dc on address activemq.management.383ccac9-0084-4c44-8f23-7f5c44f7b0dc.activemq.management.383ccac9-0084-4c44-8f23-7f5c44f7b0dc]

So I changed it to:

    <permission type="createDurableQueue" roles="amq, opadmin"/>
    <permission type="deleteDurableQueue" roles="amq"/>
    <permission type="createAddress" roles="amq, opadmin"/>
    <permission type="deleteAddress" roles="amq, opadmin"/>
    <permission type="consume" roles="amq, developer, opadmin"/>

It goes in with no error, but hangs (I waited for more than 30 minutes):

    [amq-broker@x01sipscnaq1a bin]$ ./artemis queue create --silent --auto-create-address --durable --user opadmin --password xxxxxx --anycast --name TestTorture --preserve-on-no-consumers --url tcp://10.91.xxx.xxx:61716 --verbose
    Executing org.apache.activemq.artemis.cli.commands.queue.CreateQueue queue create --silent --auto-create-address --durable --user opadmin --password xxxxxx --anycast --name TestTorture --preserve-on-no-consumers --url tcp://10.91.xxx.xxx:61716 --verbose
    Home::/opt/redhat/amq-broker-7.1.0-hf8, Instance::/opt/redhat/amq-config/cn_soi/broker2b
    ^C[amq-broker@x01sipscnaq1a bin]$

SHR
Jagan Vittal

1 Answer

Any user performing remote management operations via core messages (e.g. the Artemis CLI) needs the following permissions on activemq.management.#:

  • createNonDurableQueue (to create a "subscription" queue on the management address in order to receive the management reply)
  • consume (to receive the management reply)
  • send (to send the management message)
  • manage (to perform a management operation)

You are missing the send and manage operations. While the client might not receive exceptions about this since it is sending non-durable messages (which are fire-and-forget), the log on the broker should contain the relevant errors.

Justin Bertram
  • Hi @Justin, thanks a lot. I gave all admin permissions to the new user and am able to create the address. I am using version 7.1. Can you help with the below? 1) Is it possible to create a read-only user for the management console? 2) A deleted address says "Address doesn't exist" but is visible in stat and console. – Jagan Vittal Jul 07 '18 at 07:15
  • I recommend you create new questions for additional issues. Comments aren't designed to be used for this purpose. – Justin Bertram Jul 08 '18 at 02:42
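
A check for the permissions listed in the answer above, as an added example (not code from the original posts or from the Artemis project): it parses the security-settings of a broker.xml and reports which of the four management permissions a role lacks. The two XML samples are constructed from the permission lines quoted in the question; their placement under match="#" and the function name are assumptions.

```python
import xml.etree.ElementTree as ET

# Permission types the answer lists for management via core messages.
REQUIRED = ("createNonDurableQueue", "consume", "send", "manage")
MGMT_MATCH = "activemq.management.#"

# Constructed sample: the question's second set of permission lines,
# assumed to sit under the catch-all match="#".
BEFORE = """
<security-settings>
  <security-setting match="#">
    <permission type="createDurableQueue" roles="amq, opadmin"/>
    <permission type="deleteDurableQueue" roles="amq"/>
    <permission type="createAddress" roles="amq, opadmin"/>
    <permission type="deleteAddress" roles="amq, opadmin"/>
    <permission type="consume" roles="amq, developer, opadmin"/>
  </security-setting>
</security-settings>
"""

# Constructed sample: the same file with a dedicated management match added.
AFTER = BEFORE.replace("</security-settings>", """
  <security-setting match="activemq.management.#">
    <permission type="createNonDurableQueue" roles="amq, opadmin"/>
    <permission type="consume" roles="amq, opadmin"/>
    <permission type="send" roles="amq, opadmin"/>
    <permission type="manage" roles="amq, opadmin"/>
  </security-setting>
</security-settings>""")

def missing_management_permissions(xml_text, role):
    """Return the REQUIRED permission types `role` lacks on the management address."""
    settings = {}
    for el in ET.fromstring(xml_text.strip()).iter():
        if el.tag.rsplit("}", 1)[-1] == "security-setting":  # ignore any xmlns
            settings[el.get("match")] = {
                p.get("type"): {r.strip() for r in p.get("roles", "").split(",")}
                for p in el
            }
    # Simplification: only the exact management match or the catch-all "#" is
    # checked. The broker applies the most specific match and does not merge
    # roles from less specific ones, so the dedicated block must be complete.
    effective = settings.get(MGMT_MATCH, settings.get("#", {}))
    return [t for t in REQUIRED if role not in effective.get(t, set())]

if __name__ == "__main__":
    for name, xml_text in (("before", BEFORE), ("after", AFTER)):
        print(name, missing_management_permissions(xml_text, "opadmin"))
```

On the AFTER sample the developer role is reported as lacking all four permissions, because its consume grant under # no longer applies once the more specific management match exists.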