ActiveMQ - Authorization - Revoked Roles Not Updating Runtime - User Able To Access Queue for Revoked Role


Team,

I am implementing runtime reloading of authorization map settings in activemq.xml using the following configuration (http://activemq.apache.org/runtime-configuration.html):

<broker xmlns="http://activemq.apache.org/schema/core" start="false" ... >
    <plugins>
      <runtimeConfigurationPlugin checkPeriod="1000" />
    </plugins>
    ...
</broker>

I performed test cases, out of which one specific (critical) case is not working as expected. The failed test case is that User-A has read and write access over Queue-A. User-A successfully reads and writes. But if the role is deleted for User-A, without restarting ActiveMQ, User-A is still able to read and write to Queue-A. The expected result was that ActiveMQ shall forbid the user from reading and writing to Queue-A.

Detailed steps are as follows.

Action 1: After starting the broker with User A without any map entry for the test queue

<plugins>
    <authorizationPlugin>
        <map>
            <authorizationMap>
                <authorizationEntries>
                    <authorizationEntry topic="ActiveMQ.Advisory.>" read="admins" write="admins" admin="admins"/>
                    <authorizationEntry queue="test.queue.A>" read="admins" write="admins" admin="admins"/>
                </authorizationEntries>
            </authorizationMap>
        </map>
    </authorizationPlugin>
</plugins>

Result 1: User A login successful but not authorized to access the test queue

Action 2: Then I modified the authorization map and allowed User A to read and write on the test queue, i.e. made User A a member of "grp_subscribers"

<plugins>
    <authorizationPlugin>
        <map>
            <authorizationMap>
                <authorizationEntries>
                    <authorizationEntry topic="ActiveMQ.Advisory.>" read="grp_subscribers, admins" write="grp_subscribers, admins" admin="grp_subscribers, admins"/>
                    <authorizationEntry queue="test.queue.A>" read="grp_subscribers" write="grp_subscribers" admin="grp_subscribers, admins"/>
                </authorizationEntries>
            </authorizationMap>
        </map>
    </authorizationPlugin>
</plugins>

Result 2: User A login successful and authorized on the test queue

Action 3: Then I again modified the authorization map by removing User A's access to the test queue

<plugins>
    <authorizationPlugin>
        <map>
            <authorizationMap>
                <authorizationEntries>
                    <authorizationEntry topic="ActiveMQ.Advisory.>" read="admins" write="admins" admin="admins"/>
                    <authorizationEntry queue="test.queue.A>" read="admins" write="admins" admin="admins"/>
                </authorizationEntries>
            </authorizationMap>
        </map>
    </authorizationPlugin>
</plugins>

Result 3: User A login successful and still authorized on the test queue, which is where the problem is. User A should not be authorized on the test queue.

I tried different ways and did a lot of troubleshooting to see if I am missing something. I believe there is something I am missing.


There are 1 answers

learner On BEST ANSWER

ActiveMQ's AuthorizationMap gets updated using the checkPeriod attribute. After making a change in authorization roles, consumer/subscriber/producer connections need to be refreshed, which can be done by stopping or starting a transport connector via JMX.
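One way to do that refresh programmatically, as an added example that is not from the answer above nor from ActiveMQ's own code: a small JMX client that stops and restarts the transport connector, so every client connected through it is dropped and has to reconnect, at which point it is authorized against the reloaded map. It assumes remote JMX is enabled on the broker's default URL, the broker name is "localhost" and the connector is named "openwire"; the MBean names follow the ActiveMQ 5.8+ JMX naming and the connectionCount operation of the connector MBean is assumed to exist as used here.

```java
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Bounces an ActiveMQ transport connector over JMX so that all clients on it
 * are disconnected and must reconnect, which re-runs authorization against the
 * currently loaded authorizationMap. Added example, not ActiveMQ project code.
 */
public class BounceConnector {

    // Assumed values; adjust to the managementContext and transportConnector
    // definitions in your activemq.xml.
    static final String JMX_URL = "service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi";
    static final String BROKER_NAME = "localhost";
    static final String CONNECTOR_NAME = "openwire";

    public static void main(String[] args) throws Exception {
        JMXServiceURL url = new JMXServiceURL(JMX_URL);
        try (JMXConnector jmxc = JMXConnectorFactory.connect(url)) {
            MBeanServerConnection conn = jmxc.getMBeanServerConnection();

            // ObjectName of the transport connector (ActiveMQ 5.8+ naming).
            ObjectName connector = new ObjectName(
                "org.apache.activemq:type=Broker,brokerName=" + BROKER_NAME
                + ",connector=clientConnectors,connectorName=" + CONNECTOR_NAME);

            // Live connections that the restart is going to drop (assumed operation).
            int before = ((Number) conn.invoke(connector, "connectionCount", null, null)).intValue();
            System.out.println("connections before bounce: " + before);

            // stop() closes every connection on this connector; start() accepts
            // new ones again. Reconnecting clients hit the reloaded map.
            conn.invoke(connector, "stop", null, null);
            conn.invoke(connector, "start", null, null);

            int after = ((Number) conn.invoke(connector, "connectionCount", null, null)).intValue();
            System.out.println("connections after bounce: " + after);
        }
    }
}
```

Note that this drops every client on the connector, not only the user whose role was revoked, so schedule it for a maintenance window or a dedicated connector if that matters.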