
When I connect to an ActiveMQ Artemis 2.x broker with JMSToolBox, it tries to create an address with a non-durable temporary queue whose name is generated from a UUID. The security settings on this instance of the broker do not allow creation of addresses and queues with arbitrary names, and the client gets a security exception.

To make JMSToolBox work with this server, I need to grant permissions for all addresses (match="#"): createAddress, createNonDurableQueue, send, consume. I can also grant the manage permission, but it seems that it is not used. These permissions are too wide, and I do not wish to grant them to every user who only needs to list queues and read from / write to a particular queue.

When I connect, I get an error:

org.apache.activemq.artemis.api.core.ActiveMQSecurityException: AMQ229213: User: amq_user does not have permission='CREATE_NON_DURABLE_QUEUE' for queue 2a092c7c-c335-4f16-867e-c0253d34a3e6 on address 2a092c7c-c335-4f16-867e-c0253d34a3e6

Are there any possible workarounds on the client side, or on the server?

For example, can I specify separate security settings for all temporary queues? There is a temporary-queue-namespace setting in broker.xml, but it seems that it works only with address settings.

The security settings which I specify for match="activemq.management#" also do not have any effect.

Can I specify exact temporary queue name or address prefix on the application side? Can I change something in the application to ensure that it uses some address with predefined or prefixed name?

There is information in the JMSToolBox help about connection requirements, and it looks strange because it uses an address name with the jms.queue prefix (it also does not work):

The following configuration is required in broker.xml for JMSToolBox :
    <security-setting match="jms.queue.activemq.management">
        <permission type="manage" roles="<admin role>" />
    </security-setting>

Here is the code block which creates the management session in JMSToolBox:

// Plain JMS session on the already authenticated connection
Session sessionJMS = jmsConnection.createSession(false, Session.AUTO_ACKNOWLEDGE);
// Queue object pointing at the Artemis management address
Queue managementQueue = ((ActiveMQSession) sessionJMS).createQueue("activemq.management");
// QueueRequestor internally calls createTemporaryQueue() for the reply queue,
// which is where the CREATE_NON_DURABLE_QUEUE check fails (see stack trace below)
QueueRequestor requestorJMS = new QueueRequestor((QueueSession) sessionJMS, managementQueue);

Steps to reproduce:

  • create ActiveMQ Artemis instance with user admin: artemis.cmd create --user admin --password admin --require-login /path/to/instance
  • start instance: artemis run
  • create a read-only user - for example "view" with role "view"
  • add security settings for address match activemq.management# for role "view"
  • try to connect from JMSToolBox with user admin (success)
  • try to connect from JMSToolBox with user view (get an error)

Example security settings:

      <security-settings>
         <security-setting match="#">
            <permission type="createNonDurableQueue" roles="amq"/>
            <permission type="deleteNonDurableQueue" roles="amq"/>
            <permission type="createDurableQueue" roles="amq"/>
            <permission type="deleteDurableQueue" roles="amq"/>
            <permission type="createAddress" roles="amq"/>
            <permission type="deleteAddress" roles="amq"/>
            <permission type="consume" roles="amq"/>
            <permission type="browse" roles="amq"/>
            <permission type="send" roles="amq"/>
            <!-- we need this otherwise ./artemis data imp wouldn't work -->
            <permission type="manage" roles="amq"/>
         </security-setting>
         <security-setting match="activemq.management#">
             <permission type="createNonDurableQueue" roles="amq,view"/>
             <permission type="deleteNonDurableQueue" roles="amq,view"/>
             <permission type="createDurableQueue" roles="amq,view"/>
             <permission type="deleteDurableQueue" roles="amq,view"/>
             <permission type="createAddress" roles="amq,view"/>
             <permission type="deleteAddress" roles="amq,view"/>
             <permission type="consume" roles="amq,view"/>
             <permission type="browse" roles="amq,view"/>
             <permission type="send" roles="amq,view"/>
             <permission type="manage" roles="amq,view"/>
         </security-setting>
      </security-settings>

Full stacktrace:

org.apache.activemq.artemis.api.core.ActiveMQSecurityException: AMQ229213: User: amq_user does not have permission='CREATE_NON_DURABLE_QUEUE' for queue 2a092c7c-c335-4f16-867e-c0253d34a3e6 on address 2a092c7c-c335-4f16-867e-c0253d34a3e6
    at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:558)
    at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:450)
    at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQSessionContext.createQueue(ActiveMQSessionContext.java:829)
    at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.internalCreateQueue(ClientSessionImpl.java:2054)
    at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.createQueue(ClientSessionImpl.java:309)
    at org.apache.activemq.artemis.jms.client.ActiveMQSession.createTemporaryQueue(ActiveMQSession.java:1007)
    at javax.jms.QueueRequestor.<init>(QueueRequestor.java:93)
    at org.titou10.jtb.qm.artemis2.ActiveMQArtemis2QManager.connect(ActiveMQArtemis2QManager.java:221)
    at org.titou10.jtb.jms.model.JTBConnection.connect(JTBConnection.java:267)
    at org.titou10.jtb.handler.SessionConnectHandler$1.run(SessionConnectHandler.java:111)
    at org.eclipse.swt.custom.BusyIndicator.showWhile(BusyIndicator.java:74)
    at org.titou10.jtb.handler.SessionConnectHandler.execute(SessionConnectHandler.java:106)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.base/java.lang.reflect.Method.invoke(Unknown Source)
    at org.eclipse.e4.core.internal.di.MethodRequestor.execute(MethodRequestor.java:58)
    at org.eclipse.e4.core.internal.di.InjectorImpl.invokeUsingClass(InjectorImpl.java:317)
    at org.eclipse.e4.core.internal.di.InjectorImpl.invoke(InjectorImpl.java:251)
    at org.eclipse.e4.core.contexts.ContextInjectionFactory.invoke(ContextInjectionFactory.java:173)
    at org.eclipse.e4.core.commands.internal.HandlerServiceHandler.execute(HandlerServiceHandler.java:156)
    at org.eclipse.core.commands.Command.executeWithChecks(Command.java:488)
    at org.eclipse.core.commands.ParameterizedCommand.executeWithChecks(ParameterizedCommand.java:485)
    at org.eclipse.e4.core.commands.internal.HandlerServiceImpl.executeHandler(HandlerServiceImpl.java:213)
    at org.eclipse.e4.ui.workbench.renderers.swt.HandledContributionItem.executeItem(HandledContributionItem.java:438)
    at org.eclipse.e4.ui.workbench.renderers.swt.AbstractContributionItem.handleWidgetSelection(AbstractContributionItem.java:449)
    at org.eclipse.e4.ui.workbench.renderers.swt.AbstractContributionItem.lambda$2(AbstractContributionItem.java:475)
    at org.eclipse.swt.widgets.EventTable.sendEvent(EventTable.java:89)
    at org.eclipse.swt.widgets.Display.sendEvent(Display.java:4256)
    at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:1066)
    at org.eclipse.swt.widgets.Display.runDeferredEvents(Display.java:4054)
    at org.eclipse.swt.widgets.Display.readAndDispatch(Display.java:3642)
    at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine$5.run(PartRenderingEngine.java:1155)
    at org.eclipse.core.databinding.observable.Realm.runWithDefault(Realm.java:338)
    at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine.run(PartRenderingEngine.java:1046)
    at org.eclipse.e4.ui.internal.workbench.E4Workbench.createAndRunUI(E4Workbench.java:155)
    at org.eclipse.e4.ui.internal.workbench.swt.E4Application.start(E4Application.java:168)
    at org.eclipse.equinox.internal.app.EclipseAppHandle.run(EclipseAppHandle.java:203)
    at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.runApplication(EclipseAppLauncher.java:136)
    at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.start(EclipseAppLauncher.java:104)
    at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:402)
    at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:255)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.base/java.lang.reflect.Method.invoke(Unknown Source)
    at org.eclipse.equinox.launcher.Main.invokeFramework(Main.java:659)
    at org.eclipse.equinox.launcher.Main.basicRun(Main.java:596)
    at org.eclipse.equinox.launcher.Main.run(Main.java:1467)

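As an added illustration (not JMSToolBox code and not from the question), the following shows the same management request pattern as QueueRequestor, but with the JMSReplyTo pointed at a fixed, pre-declared reply queue instead of a UUID-named temporary queue, so the client role only needs send + manage on activemq.management and consume on that one queue. The queue name jmstoolbox.reply.view and the assumption that it is declared in broker.xml under <addresses> are hypothetical.

```java
import javax.jms.*;
import org.apache.activemq.artemis.api.core.management.ResourceNames;
import org.apache.activemq.artemis.api.jms.management.JMSManagementHelper;
import org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory;

public class ManagementWithNamedReplyQueue {
    // Artemis management address (same one JMSToolBox uses)
    static final String MANAGEMENT_ADDRESS = "activemq.management";
    // Hypothetical reply queue: assumed to be pre-declared in broker.xml, so the
    // client never needs createAddress / createNonDurableQueue permissions
    static final String REPLY_QUEUE = "jmstoolbox.reply.view";

    // Asks the broker for its queue names; returns the management result object
    public static Object listQueueNames(String url, String user, String password) throws Exception {
        try (Connection connection = new ActiveMQConnectionFactory(url).createConnection(user, password)) {
            connection.start();
            Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
            Queue managementQueue = session.createQueue(MANAGEMENT_ADDRESS);
            // createQueue() only builds a reference; nothing is created on the broker
            Queue replyQueue = session.createQueue(REPLY_QUEUE);

            MessageProducer producer = session.createProducer(managementQueue);
            // consume permission on REPLY_QUEUE is all this needs
            MessageConsumer consumer = session.createConsumer(replyQueue);

            Message request = session.createMessage();
            // QueueRequestor sets this to a temporary queue; we use the fixed queue
            request.setJMSReplyTo(replyQueue);
            JMSManagementHelper.putAttribute(request, ResourceNames.BROKER, "QueueNames");
            producer.send(request);

            Message reply = consumer.receive(5000);
            if (reply == null) {
                throw new JMSException("no management reply within 5 s");
            }
            if (!JMSManagementHelper.hasOperationSucceeded(reply)) {
                throw new JMSException("management request failed: " + JMSManagementHelper.getResult(reply));
            }
            return JMSManagementHelper.getResult(reply);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(listQueueNames("tcp://localhost:61616", "view", "view-password"));
    }
}
```

With this pattern the broker-side security-setting for the view role can be scoped to activemq.management and the single reply queue rather than match="#".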