Subject: Re: ActiveMQ Console - moving toward a solution (starting with brainstorming)
From: Daniel Kulp
Date: Tue, 4 Feb 2014 11:08:20 -0500
To: dev@activemq.apache.org

On Feb 4, 2014, at 10:31 AM, artnaseef wrote:

> With the "problem definition" having collected a decent amount of
> information, let's start talking about where we want to be and possible ways
> to solve the problems.
>
> Before starting, this is "brainstorming". So please, feel free to share any
> ideas without concern for absurdity. And please be respectful of others
> sharing. That means, provide actionable feedback, or perceptions, of the
> content of the idea and try to avoid pure criticism (negative feedback
> that's unactionable) and personal attacks. We will filter the ideas later.
>
> First off, I want to argue that the solution to security concerns with the
> console, and the rest of ActiveMQ, is to pursue the best practice of not
> exposing ActiveMQ to untrusted sources. So the following guidelines for
> ActiveMQ installations follow:
>
> * Avoid placing ActiveMQ's web console on the internet, or otherwise making
> it accessible to untrusted parties, by placing it behind firewalls and
> requiring internal network access or VPN access to reach the console.
> * Avoid opening ActiveMQ's transports to the internet, or otherwise making
> them accessible to untrusted parties to the extent possible, again using
> firewalls and network precautions.
> * Where absolutely necessary, using SSL with required client-certificates
> can greatly reduce security risks. Any brokers whose SSL connectors are
> accessible to untrusted parties should also incorporate firewall protections
> to prevent access to other, non-SSL-secured ports on the same ActiveMQ
> instances.
>
> Should we do anything more on this front?

This sounds mostly like documentation things. That definitely brings up the point that the docs at:

http://activemq.apache.org/web-console.html

need some major updates. I'd certainly start with removing all the references to ActiveMQ 4. :-)

> For the "buggy" issue - I recommend to start fixing it. Without any
> evidence that the time and effort to maintain the console is significant, it
> seems like this is more an issue of lack of motivation. I'll start working
> on the bugs myself.

I'm happy to help as well. I'll start by getting the issues Tim brought up assigned to the web console component.

Does everyone have access to assign themselves issues in JIRA? If not, let me know and I can help out making sure people can do so.

> For look-and-feel, what makes sense? I like the idea of a built-in console
> that is minimalistic - making it easy to navigate and get specific content,
> and having it consistent for everyone to make talking about their
> experiences, especially when reporting problems, straight-forward. Note
> that does not mean I'm against a major change to look-and-feel. And, a nice
> looking UI is awesome to have. Should we promote the use of third-party
> UIs? If so, how can we do so in a way that is acceptable to everyone? Or,
> should we put in some effort on the built-in console - giving it a facelift
> while still keeping to a more streamlined/information-focused than something
> like Hawt.io.

I also would prefer a very streamlined ActiveMQ specific interface as well. I'm certainly OK with just a simple facelift if we feel that's needed, but I'm not even sure that is needed.

--
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
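
The transport guidelines quoted in the message above, written as a configuration check. This is an added example, not part of the original thread and not ActiveMQ project code: the `audit_connectors` function and the sample `activemq.xml` fragment are constructed for illustration, and the check assumes client-certificate enforcement is expressed as `needClientAuth=true` (or `transport.needClientAuth=true`) on the connector URI.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample broker configuration (not taken from the thread).
SAMPLE_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="demo">
    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
      <transportConnector name="ssl" uri="ssl://0.0.0.0:61617?needClientAuth=true"/>
      <transportConnector name="ssl-noauth" uri="nio+ssl://0.0.0.0:61618"/>
      <transportConnector name="local" uri="tcp://127.0.0.1:61619"/>
    </transportConnectors>
  </broker>
</beans>"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
CLIENT_AUTH_KEYS = ("needClientAuth", "transport.needClientAuth")


def audit_connectors(xml_text):
    """Return (connector name, finding) pairs that conflict with the guidelines."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        # Compare the local tag name so the broker's XML namespace is ignored.
        if el.tag.rsplit("}", 1)[-1] != "transportConnector":
            continue
        name = el.get("name", "?")
        uri = urlsplit(el.get("uri", ""))
        if uri.hostname in LOOPBACK:
            continue  # bound to loopback: not reachable from other hosts
        is_tls = "ssl" in uri.scheme.split("+") or uri.scheme in ("wss", "https")
        if not is_tls:
            # Guideline: non-SSL ports must not be reachable by untrusted parties.
            findings.append((name, "non-TLS listener off-host: confirm it is firewalled"))
            continue
        opts = parse_qs(uri.query)
        values = [v for key in CLIENT_AUTH_KEYS for v in opts.get(key, [])]
        if not values or values[-1].lower() != "true":
            # Guideline: SSL connectors should require client certificates.
            findings.append((name, "TLS without required client certificate"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_connectors(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

A connector bound to a non-loopback address is not automatically exposed; the first finding only marks listeners whose firewall coverage needs to be confirmed.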