ActiveMQ Artemis and Hawtio. How to specify user roles?


I am trying to specify user rights in Hawtio connected to ActiveMQ Artemis, but I cannot figure out what the XML attributes below (list*, get*, etc.) from management.xml actually mean. Can someone please explain?

management.xml:

<role-access>
   <match domain="org.apache.activemq.artemis">
      <access method="list*" roles="amq"/>
      <access method="get*" roles="amq"/>
      <access method="is*" roles="amq"/>
      <access method="browse*" roles="amq"/>
      <access method="count*" roles="amq"/>
      <access method="pause*" roles="amq"/>
      <access method="resume*" roles="amq"/>
      <access method="move*" roles="amq"/>
      <access method="removeMessage*" roles="amq"/>
      <access method="removeAllMessages*" roles="amq"/>
      <access method="set*" roles="amq"/>
      <access method="*" roles="amq"/>
   </match>
   ...
</role-access>

I am trying to find a list that explains what each "access method" attribute does with regard to user rights in the Hawtio GUI.

Justin Bertram On

There are a few important things to understand concerning your question.

  1. The management API in ActiveMQ Artemis is based on JMX MBeans. These MBeans are implemented as a set of "control" classes. You can browse these via JavaDoc to see all the different attributes and operations they expose.

  2. The ActiveMQ Artemis web console application is built on top of Hawtio. Hawtio communicates via HTTP with Jolokia running on an embedded web server managed by the broker. Jolokia is a JMX-HTTP bridge, and it essentially provides the web console with access to all the JMX MBeans. Therefore, for example, when the web console displays the number of messages in a queue it got that information by invoking the getMessageCount method on the QueueControl MBean for the respective queue. If you look closely at the web console you will see the name of the MBean which is being used behind the scenes, e.g.:

    The name of the MBean being used here is:

    org.apache.activemq.artemis:broker="0.0.0.0",component=addresses,address="testqueue",subcomponent=queues,routing-type="anycast",queue="testqueue"
    

The configuration in management.xml allows one to control who is allowed to execute these MBean methods. Here's a basic example involving the MBeans specifically related to queues:

         <match domain="org.apache.activemq.artemis" key="subcomponent=queues">
            <access method="list*" roles="view,update,amq"/>
            <access method="get*" roles="view,update,amq"/>
            <access method="is*" roles="view,update,amq"/>
            <access method="set*" roles="update,amq"/>
            <access method="*" roles="amq"/>
         </match>

Using this configuration, any users in the role view will be able to use MBean methods which match list*, get*, and is*, which basically allows the user to see all the attributes, but the user is not allowed to change any attributes or invoke any operations (e.g. deleteMessages).

Hopefully you can see how it's possible to provide users in specific roles specific access to (and only to) the MBeans they need.

Keep in mind that any roles used by Hawtio (i.e. the web console) will need to be defined in etc/artemis.profile in the HAWTIO_ROLE variable.
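
The role matching described in the answer above can be checked offline before a management.xml change is deployed. The following is an added example, not part of the original answer and not Artemis code: it parses the answer's `<match>` block and reports which roles may invoke a given MBean method. The precedence used (exact name, then longest matching prefix, then `*`), the deny-on-no-match behaviour, and the method name `setExample` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# The <match> block from the answer, embedded so the example runs offline.
MATCH_XML = """
<match domain="org.apache.activemq.artemis" key="subcomponent=queues">
   <access method="list*" roles="view,update,amq"/>
   <access method="get*" roles="view,update,amq"/>
   <access method="is*" roles="view,update,amq"/>
   <access method="set*" roles="update,amq"/>
   <access method="*" roles="amq"/>
</match>
"""

def load_rules(xml_text):
    """Return [(pattern, {roles})] for every <access> element in the block."""
    root = ET.fromstring(xml_text)
    rules = []
    for access in root.iter("access"):
        roles = {r.strip() for r in access.get("roles", "").split(",") if r.strip()}
        rules.append((access.get("method"), roles))
    return rules

def roles_for(method, rules):
    """Roles allowed to invoke `method`.

    Assumed precedence: exact name, then longest matching prefix, then "*".
    No matching rule means no role is allowed (assumption: deny by default).
    """
    best, best_len = set(), -1
    for pattern, roles in rules:
        if pattern == method:
            return roles
        if pattern.endswith("*") and method.startswith(pattern[:-1]):
            if len(pattern) > best_len:
                best, best_len = roles, len(pattern)
    return best

def audit(user_roles, methods, rules):
    """Map each method name to True/False for a user holding `user_roles`."""
    return {m: bool(set(user_roles) & roles_for(m, rules)) for m in methods}

RULES = load_rules(MATCH_XML)
# getMessageCount and deleteMessages are named in the answer;
# setExample is a hypothetical name used only to exercise the set* rule.
METHODS = ["getMessageCount", "deleteMessages", "setExample"]

if __name__ == "__main__":
    for role in ("view", "update", "amq"):
        print(role, audit([role], METHODS, RULES))
```

Running it prints one line per role, which makes it easy to confirm that a read-only role such as view never matches the catch-all `*` rule.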