6 Replies Latest reply on Dec 6, 2012 12:06 PM by jbertram

security flaw? or is there a way to apply security roles to a queue?

sudovenko Nov 30, 2012 5:53 PM

Dear All,

Accoding to the maual Section 31.1:

"Seven different permissions can be given to the set of queues which match the address." (not queue)

Now here is the challenge:

1. I have one address, where publisher publishes some data

2. Three remote consumers processes (P1, P2, P3) on that topic each has own queue (Q1, Q2, Q3) possibly filtered differently.

3. How can I prevent P1 from creating consumer on Q2 or Q3, while still able to create a consumer on Q1?

This exposes a possiblity for P1 to sabotage P2/P3 by consuming messagies from Q2/Q3.

Best regards,

Steve

1. Re: security flaw? or is there a way to apply security roles to a queue?

ataylor Dec 3, 2012 3:12 AM (in response to sudovenko)

like you say security is applied to addresses not queues so you will have to partition your destinations so you can apply different roles.
Actions
2. Re: security flaw? or is there a way to apply security roles to a queue?

sudovenko Dec 4, 2012 2:15 PM (in response to ataylor)

Thank you Andy. I'll find the way around it probably with diverts.

It would have been a nice feature to at least to be able to controll the number of consumers per queue.
Otherwise any processes consuming messages on the same address, may intentionaly or unintentionaly sabotage parallel process.
For my current task, this is unacceptable security flaw. As I said I might be able to work around it with diverts, but limiting one consumer per queue would much easier and straight forward solution.
Actions
3. Re: security flaw? or is there a way to apply security roles to a queue?

ataylor Dec 5, 2012 2:44 AM (in response to sudovenko)

It would have been a nice feature to at least to be able to controll the number of consumers per queue.
This is definately something we could add, maybe max consumers per queue variable. feel free to raise a jira.

For my current task, this is unacceptable security flaw.
I don't see this as a flaw at all, we offer fine grained security, just apply the correct roles to each client, so client 1 has consume role on the address but client 2 and 3 dont
Actions
4. Re: security flaw? or is there a way to apply security roles to a queue?

sudovenko Dec 6, 2012 11:47 AM (in response to ataylor)

I did as you suggested, JIRA 1099 has been raised.
Actions
5. Re: security flaw? or is there a way to apply security roles to a queue?

sudovenko Dec 6, 2012 11:50 AM (in response to ataylor)

I did as you suggested, JIRA 1099 has been raised.
Actions
6. Re: security flaw? or is there a way to apply security roles to a queue?

jbertram Dec 6, 2012 12:06 PM (in response to sudovenko)

This seems quite similar to HORNETQ-104.
Actions

Go to original post