From Jim Newsham <jnews...@referentia.com>
Subject Re: Fully programmatic authorization map
Date Thu, 20 May 2010 20:42:05 GMT

I'm running activemq embedded within our app, and configuring it 
programmatically (rather than using xml files).  Here is how I configure 
the authorization plugin.  I had to look at some of the source to figure 
this stuff out, as I unfortunately couldn't find it documented 
anywhere.  Hopefully this pertains to what you are trying to do:

    import java.util.Arrays;
    import org.apache.activemq.filter.DestinationMapEntry;
    import org.apache.activemq.security.AuthorizationEntry;
    import org.apache.activemq.security.AuthorizationMap;
    import org.apache.activemq.security.AuthorizationPlugin;
    import org.apache.activemq.security.DefaultAuthorizationMap;

    // Roles are comma-separated group names. The two ">" entries with empty
    // role lists make every destination not listed below deny-by-default.
    AuthorizationMap authMap = new DefaultAuthorizationMap(Arrays.<DestinationMapEntry>asList(
        makeTopicAuthorization(">", "", "", ""),
        makeQueueAuthorization(">", "", "", ""),
        makeQueueAuthorization("proto.chat.request", "servers", "clients", "servers"),
        makeTopicAuthorization("proto.chat.message", "clients", "servers", "servers"),
        makeQueueAuthorization("rpc.request.>", "servers", "clients", "clients,servers"),
        makeTopicAuthorization("ActiveMQ.Advisory.>", "clients,servers", "clients,servers", "clients,servers")
        ));
    AuthorizationPlugin authPlugin = new AuthorizationPlugin(authMap);

    private static AuthorizationEntry makeTopicAuthorization(String topicName, String readRoles,
        String writeRoles, String adminRoles) throws Exception {
      return makeAuthorization(topicName, null, readRoles, writeRoles, adminRoles);
    }

    private static AuthorizationEntry makeQueueAuthorization(String queueName, String readRoles,
        String writeRoles, String adminRoles) throws Exception {
      return makeAuthorization(null, queueName, readRoles, writeRoles, adminRoles);
    }

    // An AuthorizationEntry (a DestinationMapEntry) holds exactly one destination,
    // so pass either a topic name or a queue name, not both: the later setter
    // would silently replace the destination set by the earlier one.
    private static AuthorizationEntry makeAuthorization(String topicName, String queueName,
        String readRoles, String writeRoles, String adminRoles) throws Exception {
      AuthorizationEntry auth = new AuthorizationEntry();
      if (topicName != null) {
        auth.setTopic(topicName);
      }
      if (queueName != null) {
        auth.setQueue(queueName);
      }
      // The role setters parse the comma-separated list into GroupPrincipals;
      // an empty string yields an empty ACL, i.e. nobody is permitted.
      if (readRoles != null) {
        auth.setRead(readRoles);
      }
      if (writeRoles != null) {
        auth.setWrite(writeRoles);
      }
      if (adminRoles != null) {
        auth.setAdmin(adminRoles);
      }
      return auth;
    }

Jim
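The policy Jim Lloyd outlines further down (every user owns `<CN>.>`, the `admins` group owns everything, advisory topics are open to all) can also be expressed as one AuthorizationMap that derives the ACL from the destination name, so nothing has to be edited when a user is added. This is an added example, not code from this thread or from ActiveMQ itself; the class name, the group names `admins` and `all`, and the admin-only treatment of temporary destinations are assumptions.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import org.apache.activemq.command.ActiveMQDestination;
import org.apache.activemq.jaas.GroupPrincipal;
import org.apache.activemq.jaas.UserPrincipal;
import org.apache.activemq.security.AuthorizationMap;

// Derives ACLs from the destination name instead of a static entry list:
// "alice.>" belongs to the user whose certificate CN is "alice" (the UserPrincipal
// the login module created), "admins" may do anything, advisories are open to "all".
// Group names and the class name are assumptions of this example.
public class CnPrefixAuthorizationMap implements AuthorizationMap {
    private static final String ADMIN_GROUP = "admins";
    private static final String ALL_GROUP = "all";

    private Set<Principal> aclsFor(ActiveMQDestination dest) {
        if (dest.isComposite()) {
            // A composite is allowed only if every component is: intersect the ACLs.
            Set<Principal> acl = null;
            for (ActiveMQDestination part : dest.getCompositeDestinations()) {
                Set<Principal> partAcl = aclsFor(part);
                if (acl == null) { acl = partAcl; } else { acl.retainAll(partAcl); }
            }
            return acl == null ? new HashSet<Principal>() : acl;
        }
        Set<Principal> acl = new HashSet<Principal>();
        acl.add(new GroupPrincipal(ADMIN_GROUP));
        String name = dest.getPhysicalName();
        if (name.startsWith("ActiveMQ.Advisory.")) {
            acl.add(new GroupPrincipal(ALL_GROUP));
        } else {
            // The first path segment names the owner; a bare "user1" stays
            // admin-only, matching the "user1.>" wildcard of the XML form.
            int dot = name.indexOf('.');
            if (dot > 0) { acl.add(new UserPrincipal(name.substring(0, dot))); }
        }
        // Deny with an empty set, never null: AuthorizationBroker skips the check when the set is null.
        return acl;
    }

    public Set<?> getReadACLs(ActiveMQDestination d) { return aclsFor(d); }
    public Set<?> getWriteACLs(ActiveMQDestination d) { return aclsFor(d); }
    public Set<?> getAdminACLs(ActiveMQDestination d) { return aclsFor(d); }

    // Temporary destinations carry no owner in their name: admins only (an assumption).
    public Set<?> getTempDestinationReadACLs() { return Collections.singleton(new GroupPrincipal(ADMIN_GROUP)); }
    public Set<?> getTempDestinationWriteACLs() { return Collections.singleton(new GroupPrincipal(ADMIN_GROUP)); }
    public Set<?> getTempDestinationAdminACLs() { return Collections.singleton(new GroupPrincipal(ADMIN_GROUP)); }
}
```

Plug it in with `new AuthorizationPlugin(new CnPrefixAuthorizationMap())` in place of the DefaultAuthorizationMap above; it only works with a login module that puts a UserPrincipal named after the certificate CN into the subject, as the CertificateLoginModule subclass suggested below does.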

On 5/20/2010 6:21 AM, Jim Lloyd wrote:
> Dejan and James,
>
> I'm looking at the JAAS plugins now and yes this approach for deriving the
> user and group from a certificate looks pretty clear, and this will save me
> a lot of time. Thanks!
>
> Can either of you give me a similar guidance for how I would do the
> AuthorizationMap piece? It looks like I can simply implement
> AuthorizationMap, but the return type of Set<?> for the methods seems highly
> under-constrained. The comments say that the methods return ACLs, but it's
> not obvious to me what forms the ACLs take. Looking at
> SimpleAuthorizationMap, I see that it is primarily delegating to
> DestinationMap, but DestinationMap (and its helper DestinationMapNode,
> DestinationMapEntry) is just complex enough that I haven't been able to
> figure it out from just browsing the code. I have a hunch that one of you
> can give me some quick pointers here that will also save me a lot of time.
>
> Thanks,
> Jim
>
>
> On Thu, May 20, 2010 at 6:13 AM, Dejan Bosanac <dejan@nighttale.net> wrote:
>
>> Hi James,
>>
>> thanks for adding this info. I totally forgot to mention activemq-jaas.
>>
>> Cheers
>> --
>> Dejan Bosanac - http://twitter.com/dejanb
>>
>> Open Source Integration - http://fusesource.com/
>> ActiveMQ in Action - http://www.manning.com/snyder/
>> Blog - http://www.nighttale.net
>>
>>
>> On Thu, May 20, 2010 at 8:34 AM, James Casey <jamesc.000@gmail.com> wrote:
>>
>>> Hi Jim,
>>>
>>> What Dejan has pointed you at is the classes that have all the various
>>> plugin methods for doing Auth in ActiveMQ by inserting a Broker object
>>> into the chain which is called during a connection.  It would be
>>> possible to write a custom Broker subclass here that does what you
>>> want, but I think it would be easier inside JAAS.
>>>
>>> What I'd suggest is you use the standard
>>> JaasCertificateAuthenticationPlugin and do the work in a JAAS plugin.
>>>
>>> The JAAS plugins are in
>>> http://fisheye6.atlassian.com/browse/activemq/trunk/activemq-jaas/src/main/java/org/apache/activemq/jaas
>>> .
>>>
>>> I would suggest to create a subclass of CertificateLoginModule and
>>> override the getUserNameForCertificate method to extract and return
>>> the CN.  If you look at TextFileCertificateLoginModule.java you can
>>> see the logic it uses to extract the DN and match against entries in
>>> the file - you would just need to write a simpler version which just
>>> pulls out the CN from the client DN. Then you hook it into ActiveMQ
>>> via a login.config file pointing at your custom class.
>>>
>>> Let me know if this makes sense or if you need any more info.
>>>
>>> cheers,
>>>
>>> James.
>>>
>>>
>>> On 20 May 2010 12:14, Dejan Bosanac <dejan@nighttale.net> wrote:
>>>>
>>>> Hi Jim,
>>>>
>>>> the best way is to look at the source code of the current plugin
>>>> implementation.
>>>>
>>>> You can find it in org.apache.activemq.security package.
>>>>
>>>> For a quick preview, you can use this URL:
>>>>
>>>> http://fisheye6.atlassian.com/browse/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security
>>>>
>>>> Cheers
>>>> --
>>>> Dejan Bosanac - http://twitter.com/dejanb
>>>>
>>>> Open Source Integration - http://fusesource.com/
>>>> ActiveMQ in Action - http://www.manning.com/snyder/
>>>> Blog - http://www.nighttale.net
>>>>
>>>>
>>>> On Wed, May 19, 2010 at 2:33 PM, Jim Lloyd <jlloyd@silvertailsystems.com> wrote:
>>>>
>>>>> I'd like to implement an authorization plugin that would allow me to
>>>>> implement a fully automatic authorization policy. Here's an outline of what
>>>>> I want:
>>>>>
>>>>> We have a broker that is a hub in a hub & spoke topology network of
>>>>> brokers.
>>>>> All connections to this hub broker are via SSL and the hub broker requires
>>>>> SSL client authentication. We require the client certificates to always be
>>>>> of a form where the Common Name (CN) of the certificate defines the user.
>>>>> So, for example, if we instead used a jaas.TextFileCertificateLoginModule
>>>>> the user.properties file would look like this:
>>>>>
>>>>> user1=CN=user1,O=Silver Tail Systems,ST=California,C=US
>>>>> userFoo=CN=userFoo,O=Silver Tail Systems,ST=California,C=US
>>>>> ...
>>>>> userZeta=CN=userZeta,O=Silver Tail Systems,ST=California,C=US
>>>>>
>>>>> Meanwhile, the AuthorizationMap we want would look something like this:
>>>>>
>>>>> <authorizationPlugin>
>>>>>   <map>
>>>>>     <authorizationMap>
>>>>>       <authorizationEntries>
>>>>>         <authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
>>>>>         <authorizationEntry topic="user1.>" read="user1" write="user1" admin="user1" />
>>>>>         <authorizationEntry topic="userFoo.>" read="userFoo" write="userFoo" admin="userFoo" />
>>>>>         ...
>>>>>         <authorizationEntry topic="userZeta.>" read="userZeta" write="userZeta" admin="userZeta" />
>>>>>         <authorizationEntry topic="ActiveMQ.Advisory.>" read="all" write="all" admin="all" />
>>>>>       </authorizationEntries>
>>>>>     </authorizationMap>
>>>>>   </map>
>>>>> </authorizationPlugin>
>>>>>
>>>>> If we use jaas.TextFileCertificateLoginModule, we have to update the
>>>>> users.properties, groups.properties file and the authorizationMap in the
>>>>> activemq.xml file every time we add a user. We can automate this with
>>>>> scripting, but a more elegant solution would be to write our own plugin(s)
>>>>> to implement this policy. I'm in the process of scoping this effort, and so
>>>>> far I haven't found anything other than javadocs on the various classes to
>>>>> guide me. Can anyone provide a high level outline of how I would implement
>>>>> this?
>>>>>
>>>>> Thanks,
>>>>> Jim Lloyd
>>>>> Silver Tail Systems
>>>>>