  1. Red Hat Fuse
  2. ENTESB-5622

User with Read-only privilege can delete/move messages through hawtio

    Details

      Description

      1. Unzip a plain vanilla A-MQ 6.2.1R1 (i.e. version 090)
      2. In etc/users.properties, create an admin and a monitor user as below:
      admin=admin,admin,manager,viewer,Operator, Maintainer, Deployer, Auditor, Administrator, SuperUser
      monitor=passwd,Monitor
      3. Start the broker
      4. Inject messages in the queue TEST using the admin user:
      ./bin/client -u admin "activemq:producer --user admin --password admin"
      5. Connect to the hawtio console with user "monitor"
      6. In the menu "JMX", for queue object "org.apache.activemq/Broker/amq/Queue/TEST", the sub-menu "Operations" shows the non-read-only operations in red, i.e. disabled, e.g. "removeMessage".
      This proves that the "monitor" user actually has a read-only profile.
      7. However, going to the menu "ActiveMQ" and browsing the queue TEST (sub-menu "Browse" for object amq/Queue/TEST), you can select a message, click on the top-right button "Delete" and confirm.
      This actually deletes the message. This applies as well to the "Move" button.
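
The steps above show the same queue operation being blocked on one console path and permitted on another. The sketch below is an added example, not code from the report, hawtio or A-MQ: it parses the two users.properties entries from step 2 and applies one deny-by-default role check per MBean operation, so every console path gets the same decision. The `OPERATION_ACL` table and the `UI_ACTIONS` mapping of console buttons to operations are assumptions made for illustration.

```python
# Added example. USERS_PROPERTIES is copied from step 2 of the report;
# OPERATION_ACL and UI_ACTIONS are assumed, constructed for illustration.
USERS_PROPERTIES = """\
admin=admin,admin,manager,viewer,Operator, Maintainer, Deployer, Auditor, Administrator, SuperUser
monitor=passwd,Monitor
"""

# Assumed policy: roles permitted to invoke each queue MBean operation.
OPERATION_ACL = {
    "browse": {"Monitor", "viewer", "admin"},
    "removeMessage": {"admin"},
    "moveMessageTo": {"admin"},
}

# Assumed mapping of console (menu, action) pairs to the operation they trigger.
UI_ACTIONS = {
    ("JMX", "Operations/removeMessage"): "removeMessage",
    ("ActiveMQ", "Browse"): "browse",
    ("ActiveMQ", "Browse/Delete"): "removeMessage",
    ("ActiveMQ", "Browse/Move"): "moveMessageTo",
}


def parse_users(text):
    """Parse 'user=password,role1,role2,...' lines into {user: set(roles)}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, rest = line.split("=", 1)
        fields = [f.strip() for f in rest.split(",")]
        users[name.strip()] = {f for f in fields[1:] if f}  # fields[0] is the password
    return users


def is_allowed(roles, operation):
    """Server-side decision: deny unless a role is listed for the operation."""
    return bool(roles & OPERATION_ACL.get(operation, set()))


def allowed_actions(roles):
    """Console paths a role set may use, decided per operation, not per menu."""
    return sorted(path for path, op in UI_ACTIONS.items() if is_allowed(roles, op))


if __name__ == "__main__":
    for user, roles in parse_users(USERS_PROPERTIES).items():
        print(user, allowed_actions(roles))
```
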

                People

                • Assignee:
                  tadayosi Tadayoshi Sato
                  Reporter:
                  lakagwu Lami Akagwu
                  Tester:
                  Martin Stepanek