ansible-middleware / amq

A collection to manage AMQ brokers
Apache License 2.0

Having multiple role definitions for the same queue selector results in duplicate xml blocks with this section <security-setting match="#">, this is not the correct syntax. #64

Closed RobertFloor closed 1 year ago

RobertFloor commented 1 year ago
SUMMARY

Having multiple role definitions for the same queue selector results in duplicate xml blocks with this section `<security-setting match="#">`, this is not the correct syntax.

ISSUE TYPE
ANSIBLE VERSION
ansible --version
ansible [core 2.14.4]
  config file = None
  configured module search path = ['/home/robert/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/linuxbrew/.linuxbrew/Cellar/ansible/7.4.0/libexec/lib/python3.11/site-packages/ansible
  ansible collection location = /home/robert/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/linuxbrew/.linuxbrew/bin/ansible
  python version = 3.11.2 (main, Feb  7 2023, 13:52:42) [GCC 11.3.0] (/home/linuxbrew/.linuxbrew/Cellar/ansible/7.4.0/libexec/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION

STEPS TO REPRODUCE
all:
  children:
    amq:
      children:
        ha1:
          hosts: amq1
          vars:
            artemis: "amq1"
            node0: "amq2"
        ha2:
          hosts: amq2
          vars:
            artemis: "amq2"
            node0: "amq1"
      vars:
        iface: enp0s8
        activemq_configure_firewalld: True
        activemq_prometheus_enabled: False
        activemq_cors_strict_checking: False
        activemq_ha_enabled: true
        activemq_shared_storage: true
        activemq_shared_storage_path: /data/amq-broker/shared
        ansible_user: ansible
        #ansible_ssh_private_key_file: hostfiles/privkey
        activemq_offline_install: True
        activemq_version: 7.10.2
        activemq_dest: /opt/amq
        activemq_archive: "amq-broker-{{ activemq_version }}-bin.zip"
        activemq_installdir: "{{ activemq_dest }}/amq-broker-{{ activemq_version }}"
        activemq_shared_storage_mounted: true
        activemq_port: 61616
        nfs_mount_source: "192.168.2.221:/"
        activemq_instance_username: amq-admin
        # activemq_instance_password: activemq_instance_password
        # activemq_sa_password: "asb-sa-password"
        # activemq_testers_password: "asb-testers-password"
        activemq_address_settings:
        - match: "#"
          parameters:
            dead_letter_address: DLQ
            expiry_address: ExpiryQueue
            redelivery_delay: 2000
            max_size_bytes: -1
            message_counter_history_day_limit: 10
            max_delivery_attempts: -1
            max_redelivery_delay: 300000
            redelivery_delay_multiplier: 2
            address_full_policy: PAGE
            auto_create_queues: true
            auto_create_addresses: true
            auto_create_jms_queues: true
            auto_create_jms_topics: true
        activemq_users:
        - user: "{{ activemq_instance_username }}"
          password: "{{ activemq_instance_password }}"
          roles: [ amq ]
        - user: "asb-application-sa"
          password: "{{ activemq_sa_password }}"
          roles: [ amq-sa ]
        - user: "asb-testers-sa"
          password: "{{ activemq_testers_password }}"
          roles: [ amq-testers ]
        activemq_roles:
        - name: amq
          match: '#'
          permissions: [ createDurableQueue, deleteDurableQueue, createAddress, deleteAddress, consume, browse, send, manage ]
        - name: amq-sa
          match: '#'
          permissions: [ createDurableQueue, deleteDurableQueue, createAddress, deleteAddress, consume, browse, send, manage ]
        - name: amq-testers
          match: '#'
          permissions: [ createDurableQueue, deleteDurableQueue, createAddress, deleteAddress, consume, browse, send, manage ]
        activemq_acceptors:
        - name: amqp
          bind_address: "0.0.0.0"
          bind_port: "{{ activemq_port }}"
          parameters:
            tcpSendBufferSize: 1048576
            tcpReceiveBufferSize: 1048576
            protocols: CORE,AMQP,OPENWIRE
            useEpoll: true
            verifyHost: False
        activemq_connectors:
        - name: artemis
          address: "{{ artemis }}"
          port: "{{ activemq_port }}"
          parameters:
            tcpSendBufferSize: 1048576
            tcpReceiveBufferSize: 1048576
            protocols: CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE
            useEpoll: true
            amqpMinLargeMessageSize: 102400
            amqpCredits: 1000
            amqpLowCredits: 300
            amqpDuplicateDetection: true
            supportAdvisory: False
            suppressInternalManagementObjects: False

        - name: node0
          address: "{{ node0 }}"
          port: "{{ activemq_port }}"
          parameters:
            tcpSendBufferSize: 1048576
            tcpReceiveBufferSize: 1048576
            protocols: CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE
            useEpoll: true
            amqpMinLargeMessageSize: 102400
            amqpCredits: 1000
            amqpLowCredits: 300
            amqpDuplicateDetection: true
            supportAdvisory: False
            suppressInternalManagementObjects: False
EXPECTED RESULTS

The broker.xml should contain this part:

      <security-setting match="#">
        <permission type="createDurableQueue" roles="amq,amq-sa,amq-testers"/>
        <permission type="deleteDurableQueue" roles="amq,amq-sa,amq-testers"/>
        <permission type="createAddress" roles="amq,amq-sa,amq-testers"/>
        <permission type="deleteAddress" roles="amq,amq-sa,amq-testers"/>
        <permission type="consume" roles="amq,amq-sa,amq-testers"/>
        <permission type="browse" roles="amq,amq-sa,amq-testers"/>
        <permission type="send" roles="amq,amq-sa,amq-testers"/>
        <permission type="manage" roles="amq,amq-sa,amq-testers"/>
      </security-setting>
ACTUAL RESULTS

An incorrect broker.xml was created. It has a triplicate block in the code which is not a valid configuration for AMQ. I have discussed this with Red Hat Support earlier in Case 02925153, and this configuration is not valid. If a client tries to create a queue it gets:

2023-04-06T16:03:07.154|XXXXXXX-2|||WARN|Open of resource:(JmsConsumerInfo: { ID:XXXXXX, destination = XXXXXX}) failed: AMQ119015: not authorized to create consumer, AMQ229032: User: XXXXX does not have permission='CREATE_ADDRESS' on address XXXXX [condition = amqp:unauthorized-access]

This is caused by this triplicate part of the broker.xml:

    <security-settings>
      <security-setting match="#">
        <permission type="createDurableQueue" roles="amq"/>
        <permission type="deleteDurableQueue" roles="amq"/>
        <permission type="createAddress" roles="amq"/>
        <permission type="deleteAddress" roles="amq"/>
        <permission type="consume" roles="amq"/>
        <permission type="browse" roles="amq"/>
        <permission type="send" roles="amq"/>
        <permission type="manage" roles="amq"/>
      </security-setting>
      <security-setting match="#">
        <permission type="createDurableQueue" roles="amq-sa"/>
        <permission type="deleteDurableQueue" roles="amq-sa"/>
        <permission type="createAddress" roles="amq-sa"/>
        <permission type="deleteAddress" roles="amq-sa"/>
        <permission type="consume" roles="amq-sa"/>
        <permission type="browse" roles="amq-sa"/>
        <permission type="send" roles="amq-sa"/>
        <permission type="manage" roles="amq-sa"/>
      </security-setting>
      <security-setting match="#">
        <permission type="createDurableQueue" roles="amq-testers"/>
        <permission type="deleteDurableQueue" roles="amq-testers"/>
        <permission type="createAddress" roles="amq-testers"/>
        <permission type="deleteAddress" roles="amq-testers"/>
        <permission type="consume" roles="amq-testers"/>
        <permission type="browse" roles="amq-testers"/>
        <permission type="send" roles="amq-testers"/>
        <permission type="manage" roles="amq-testers"/>
      </security-setting>
    </security-settings>
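As an added example (not the collection's own template code), the grouping the expected output above implies, written in Python: roles that share a match are merged into one `<security-setting>` with the role names joined per permission type, plus a check that flags duplicate match values in a rendered broker.xml. The input list is constructed to mirror the `activemq_roles` from the inventory above.

```python
"""Added example, not part of ansible-middleware/amq: merge role definitions
that share a match into one <security-setting>, and detect the duplicated
match values the issue describes in a rendered broker.xml."""
import xml.etree.ElementTree as ET

# Constructed input mirroring the activemq_roles list from the issue (shortened).
ACTIVEMQ_ROLES = [
    {"name": "amq", "match": "#", "permissions": ["createDurableQueue", "consume", "send"]},
    {"name": "amq-sa", "match": "#", "permissions": ["createDurableQueue", "consume", "send"]},
    {"name": "amq-testers", "match": "#", "permissions": ["consume", "browse"]},
]


def merge_roles(roles):
    """Return {match: {permission_type: [role names]}}, one entry per match value,
    preserving the order in which roles and permissions were declared."""
    merged = {}
    for role in roles:
        by_type = merged.setdefault(role["match"], {})
        for perm in role["permissions"]:
            names = by_type.setdefault(perm, [])
            if role["name"] not in names:
                names.append(role["name"])
    return merged


def render_security_settings(roles):
    """Render the merged structure as the <security-settings> element of broker.xml,
    i.e. one <security-setting match=...> with comma-joined roles per permission."""
    root = ET.Element("security-settings")
    for match, by_type in merge_roles(roles).items():
        setting = ET.SubElement(root, "security-setting", match=match)
        for perm, names in by_type.items():
            ET.SubElement(setting, "permission", type=perm, roles=",".join(names))
    return ET.tostring(root, encoding="unicode")


def duplicate_matches(broker_xml):
    """Return match values that appear on more than one <security-setting>.
    A non-empty result is the misconfiguration reported in this issue, which
    showed up as AMQ229032 'does not have permission' errors for clients."""
    seen, dupes = set(), []
    for setting in ET.fromstring(broker_xml).iter("security-setting"):
        match = setting.get("match")
        if match in seen and match not in dupes:
            dupes.append(match)
        seen.add(match)
    return dupes
```

Running `duplicate_matches` over the generated broker.xml before a deploy is a cheap guard against the triplicate block above reaching a broker.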
RobertFloor commented 1 year ago

This is the full broker.xml file:

RobertFloor commented 1 year ago

broker.txt
I made it a .txt file since GitHub did not allow .xml files.

guidograzioli commented 1 year ago

Very painful, since the XSD wouldn't raise that; still needs to be fixed.