activemq-users mailing list archives

From Jim Lloyd <jll...@silvertailsystems.com>
Subject Re: Fully programmatic authorization map
Date Fri, 21 May 2010 04:32:53 GMT
Jim Newsham

Thanks for sharing the code. Unfortunately I don't think I can use this
method, for a couple reasons. The first is we only want auth & auth between
brokers and our client code is all C++. The second is that we need to
automatically accept new users (authenticated by their client certificates)
for a potentially unlimited number of users. The authorization code can't
know in advance what the user names will be (other than the admin users),
but given a user name and a topic it can specify whether the user is
authorized to use the topic. So, I think I will need broker plugins for both
authentication and authorization.

Thanks,
Jim Lloyd

On Thu, May 20, 2010 at 1:42 PM, Jim Newsham <jnewsham@referentia.com> wrote:

>
> I'm running activemq embedded within our app, and configuring it
> programmatically (rather than using xml files).  Here is how I configure the
> authorization plugin.  I had to look at some of the source to figure this
> stuff out, as I unfortunately couldn't find it documented anywhere.
>  Hopefully this pertains to what you are trying to do:
>
>        AuthorizationMap authMap = new DefaultAuthorizationMap(Arrays.asList(
>          makeAuthorization(">", "", "", ""),
>          makeQueueAuthorization("proto.chat.request", "servers", "clients", "servers"),
>          makeTopicAuthorization("proto.chat.message", "clients", "servers", "servers"),
>          makeQueueAuthorization("rpc.request.>", "servers", "clients", "clients,servers"),
>          makeTopicAuthorization("ActiveMQ.Advisory.>", "clients,servers", "clients,servers", "clients,servers")
>          ));
>        AuthorizationPlugin authPlugin = new AuthorizationPlugin(authMap);
>
>  private static AuthorizationEntry makeTopicAuthorization(String topicName, String readRoles,
>    String writeRoles, String adminRoles) throws Exception {
>    return makeAuthorization(topicName, null, readRoles, writeRoles, adminRoles);
>  }
>
>  private static AuthorizationEntry makeQueueAuthorization(String queueName, String readRoles,
>    String writeRoles, String adminRoles) throws Exception {
>    return makeAuthorization(null, queueName, readRoles, writeRoles, adminRoles);
>  }
>
>  private static AuthorizationEntry makeAuthorization(String destinationName, String readRoles,
>    String writeRoles, String adminRoles) throws Exception {
>    return makeAuthorization(destinationName, destinationName, readRoles, writeRoles, adminRoles);
>  }
>
>  private static AuthorizationEntry makeAuthorization(String topicName, String queueName,
>    String readRoles, String writeRoles, String adminRoles) throws Exception {
>    AuthorizationEntry auth = new AuthorizationEntry();
>    if (topicName != null) {
>      auth.setTopic(topicName);
>    }
>    if (queueName != null) {
>      auth.setQueue(queueName);
>    }
>    if (readRoles != null) {
>      auth.setRead(readRoles);
>    }
>    if (writeRoles != null) {
>      auth.setWrite(writeRoles);
>    }
>    if (adminRoles != null) {
>      auth.setAdmin(adminRoles);
>    }
>    return auth;
>  }
>
> Jim
>
>
> On 5/20/2010 6:21 AM, Jim Lloyd wrote:
>
>> Dejan and James,
>>
>> I'm looking at the JAAS plugins now and yes this approach for deriving the
>> user and group from a certificate looks pretty clear, and this will save me
>> a lot of time. Thanks!
>>
>> Can either of you give me a similar guidance for how I would do the
>> AuthorizationMap piece? It looks like I can simply implement
>> AuthorizationMap, but the return type of Set<?> for the methods seems highly
>> under-constrained. The comments say that the methods return ACLs, but it's
>> not obvious to me what forms the ACLs take. Looking at
>> SimpleAuthorizationMap, I see that it is primarily delegating to
>> DestinationMap, but DestinationMap (and its helper DestinationMapNode,
>> DestinationMapEntry) is just complex enough that I haven't been able to
>> figure it out from just browsing the code. I have a hunch that one of you
>> can give me some quick pointers here that will also save me a lot of time.
>>
>> Thanks,
>> Jim
>>
>>
>> On Thu, May 20, 2010 at 6:13 AM, Dejan Bosanac <dejan@nighttale.net> wrote:
>>
>>> Hi James,
>>>
>>> thanks for adding this info. I totally forgot to mention activemq-jaas.
>>>
>>> Cheers
>>> --
>>> Dejan Bosanac - http://twitter.com/dejanb
>>>
>>> Open Source Integration - http://fusesource.com/
>>> ActiveMQ in Action - http://www.manning.com/snyder/
>>> Blog - http://www.nighttale.net
>>>
>>>
>>> On Thu, May 20, 2010 at 8:34 AM, James Casey <jamesc.000@gmail.com> wrote:
>>>
>>>> Hi Jim,
>>>>
>>>> What Dejan has pointed you at is the classes that have all the various
>>>> plugin methods for doing Auth in ActiveMQ by inserting a Broker object
>>>> into the chain which is called during a connection.  It would be
>>>> possible to write a custom Broker subclass here that does what you
>>>> want, but I think it would be easier inside JAAS.
>>>>
>>>> What I'd suggest is you use the standard
>>>> JaasCertificateAuthenticationPlugin and do the work in a JAAS plugin.
>>>>
>>>> The JAAS plugins are in
>>>> http://fisheye6.atlassian.com/browse/activemq/trunk/activemq-jaas/src/main/java/org/apache/activemq/jaas
>>>>
>>>> I would suggest to create a subclass of CertificateLoginModule and
>>>> override the getUserNameForCertificate method to extract and return
>>>> the CN.  If you look at TextFileCertificateLoginModule.java you can
>>>> see the logic it uses to extract the DN and match against entries in
>>>> the file - you would just need to write a simpler version which just
>>>> pulls out the CN from the client DN. Then you hook it into ActiveMQ
>>>> via a login.config file pointing at your custom class.
>>>>
>>>> Let me know if this makes sense or if you need any more info.
>>>>
>>>> cheers,
>>>>
>>>> James.
>>>>
>>>>
>>>> On 20 May 2010 12:14, Dejan Bosanac <dejan@nighttale.net> wrote:
>>>>
>>>>> Hi Jim,
>>>>>
>>>>> the best way is to look at the source code of the current plugin
>>>>> implementation.
>>>>>
>>>>> You can find it in org.apache.activemq.security package.
>>>>>
>>>>> For a quick preview, you can use this URL:
>>>>>
>>>>> http://fisheye6.atlassian.com/browse/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security
>>>>>
>>>>> Cheers
>>>>> --
>>>>> Dejan Bosanac - http://twitter.com/dejanb
>>>>>
>>>>> Open Source Integration - http://fusesource.com/
>>>>> ActiveMQ in Action - http://www.manning.com/snyder/
>>>>> Blog - http://www.nighttale.net
>>>>>
>>>>>
>>>>> On Wed, May 19, 2010 at 2:33 PM, Jim Lloyd <jlloyd@silvertailsystems.com> wrote:
>>>>>
>>>>>> I'd like to implement an authorization plugin that would allow me to
>>>>>> implement a fully automatic authorization policy. Here's an outline of
>>>>>> what I want:
>>>>>>
>>>>>> We have a broker that is a hub in a hub & spoke topology network of
>>>>>> brokers. All connections to this hub broker are via SSL and the hub
>>>>>> broker requires SSL client authentication. We require the client
>>>>>> certificates to always be of a form where the Common Name (CN) of the
>>>>>> certificate defines the user. So, for example, if we instead used a
>>>>>> jaas.TextFileCertificateLoginModule the user.properties file would look
>>>>>> like this:
>>>>>>
>>>>>> user1=CN=user1,O=Silver Tail Systems,ST=California,C=US
>>>>>> userFoo=CN=userFoo,O=Silver Tail Systems,ST=California,C=US
>>>>>> ...
>>>>>> userZeta=CN=userZeta,O=Silver Tail Systems,ST=California,C=US
>>>>>>
>>>>>> Meanwhile, the AuthorizationMap we want would look something like this:
>>>>>>
>>>>>> <authorizationPlugin>
>>>>>>   <map>
>>>>>>     <authorizationMap>
>>>>>>       <authorizationEntries>
>>>>>>         <authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
>>>>>>         <authorizationEntry topic="user1.>" read="user1" write="user1" admin="user1" />
>>>>>>         <authorizationEntry topic="userFoo.>" read="userFoo" write="userFoo" admin="userFoo" />
>>>>>>         ...
>>>>>>         <authorizationEntry topic="userZeta.>" read="userZeta" write="userZeta" admin="userZeta" />
>>>>>>         <authorizationEntry topic="ActiveMQ.Advisory.>" read="all" write="all" admin="all"/>
>>>>>>       </authorizationEntries>
>>>>>>     </authorizationMap>
>>>>>>   </map>
>>>>>> </authorizationPlugin>
>>>>>>
>>>>>> If we use jaas.TextFileCertificateLoginModule, we have to update the
>>>>>> users.properties, groups.properties file and the authorizationMap in the
>>>>>> activemq.xml file every time we add a user. We can automate this with
>>>>>> scripting, but a more elegant solution would be to write our own plugin(s)
>>>>>> to implement this policy. I'm in the process of scoping this effort, and
>>>>>> so far I haven't found anything other than javadocs on the various classes
>>>>>> to guide me. Can anyone provide a high level outline of how I would
>>>>>> implement this?
>>>>>>
>>>>>> Thanks,
>>>>>> Jim Lloyd
>>>>>> Silver Tail Systems
>>>>>>
>
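The authorization half of what Jim Lloyd describes, as an added example that is not code from the thread or from ActiveMQ: a class against the org.apache.activemq.security.AuthorizationMap interface of ActiveMQ 5.x that computes the ACLs from the destination name instead of listing every user in activemq.xml. The class name, the group names "admins" and "all", and the assumption that the companion JAAS login module adds a GroupPrincipal named after the certificate CN (plus GroupPrincipal("all")) to every authenticated connection are mine.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import org.apache.activemq.command.ActiveMQDestination;
import org.apache.activemq.jaas.GroupPrincipal;
import org.apache.activemq.security.AuthorizationMap;

/**
 * Example AuthorizationMap that computes ACLs from the destination name rather
 * than a static table: "admins" may do anything, "ActiveMQ.Advisory.>" is open
 * to the "all" group, and a topic "user1.>" belongs to the group "user1".
 * Assumption: the login module adds GroupPrincipal(CN) and GroupPrincipal("all")
 * to every authenticated connection; the map only ever sees principals, not CNs.
 */
public class CertificateNameAuthorizationMap implements AuthorizationMap {
    // Reserved group names (assumed). The login module must reject a certificate
    // whose CN equals one of them, or that CN would map onto the privileged group.
    static final String ADMIN_GROUP = "admins";
    static final String EVERYONE_GROUP = "all";
    static final String ADVISORY_PREFIX = "ActiveMQ.Advisory.";

    /** Groups allowed to read, write or administer the destination (same set for all three). */
    Set<Object> aclsFor(ActiveMQDestination destination) {
        Set<Object> acls = new HashSet<Object>();
        acls.add(new GroupPrincipal(ADMIN_GROUP));           // the topic=">" entry
        String name = destination.getPhysicalName();
        if (name.startsWith(ADVISORY_PREFIX)) {
            acls.add(new GroupPrincipal(EVERYONE_GROUP));    // the advisory entry
        } else if (destination.isTopic()) {
            int dot = name.indexOf('.');
            if (dot > 0) {                                   // "user1.foo" -> owner group "user1"
                acls.add(new GroupPrincipal(name.substring(0, dot)));
            }
        }
        // Never return null: AuthorizationBroker treats a null ACL set as "no
        // restriction", whereas this (possibly admins-only) set denies everyone else.
        return acls;
    }

    public Set<Object> getReadACLs(ActiveMQDestination d)  { return aclsFor(d); }
    public Set<Object> getWriteACLs(ActiveMQDestination d) { return aclsFor(d); }
    public Set<Object> getAdminACLs(ActiveMQDestination d) { return aclsFor(d); }

    // Temporary destinations have no owner in the naming scheme: admins only.
    private Set<Object> adminsOnly() {
        return Collections.<Object>singleton(new GroupPrincipal(ADMIN_GROUP));
    }
    public Set<Object> getTempDestinationReadACLs()  { return adminsOnly(); }
    public Set<Object> getTempDestinationWriteACLs() { return adminsOnly(); }
    public Set<Object> getTempDestinationAdminACLs() { return adminsOnly(); }
}
```

It drops in where the reply's DefaultAuthorizationMap goes, as new AuthorizationPlugin(new CertificateNameAuthorizationMap()), and together with a CN-extracting login module forms the two plugins Jim Lloyd concludes he needs.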
