activemq-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Wood <christopher_w...@pobox.com>
Subject Re: periodic 5.6.0 ldap permission issues, solved by restart?
Date Fri, 22 Jun 2012 15:46:42 GMT
It certainly makes sense to reconnect if there's a problem.

Will 5.7.0 also keep the current authorization cache if there's an ldap issue? In a production
scenario it's probably okay to keep functioning if the ldap server goes away for a while.

Thank you for the pointer, very much appreciated.

On Fri, Jun 22, 2012 at 10:12:29AM +0200, Dejan Bosanac wrote:
> Hi,
> 
> there are some improvements in that area on the trunk (and will be
> available in the next fuse release). Please take a look at
> 
> https://issues.apache.org/jira/browse/AMQ-3845
> 
> 
> Regards
> --
> Dejan Bosanac
> Senior Software Engineer | FuseSource Corp.
> dejanb@fusesource.com | fusesource.com
> skype: dejan.bosanac | twitter: @dejanb
> blog: http://www.nighttale.net
> ActiveMQ in Action: http://www.manning.com/snyder/
> 
> 
> On Thu, Jun 21, 2012 at 6:56 PM, Christopher Wood
> <christopher_wood@pobox.com> wrote:
> > I upgraded our lab ActiveMQ to 5.6.0 and am using the cached ldap auth module. I
appear to be having a problem where at times ActiveMQ loses its authorization data cache and
does not refresh this from ldap. Is there any way of forcing a retry if it has a connection
issue, or otherwise further diagnosing what is happening?
> >
> > Details:
> >
> > Three times now (solved by an ActiveMQ restart) I have started seeing these errors
in the log (but for all queues that they are trying to access):
> >
> > 2012-06-21 11:57:31,538 | DEBUG | Error occured while processing sync command: ConsumerInfo
{commandId = 28936, responseRequired = true, consumerId = ID:myhost-53793-1340295272790-0:6:-1:1,
destination = ActiveMQ.Advisory.TempQueue,ActiveMQ.Advisory.TempTopic, prefetchSize = 0, maximumPendingMessageLimit
= 0, browser = false, dispatchAsync = false, selector = null, subscriptionName = null, noLocal
= true, exclusive = false, retroactive = false, priority = 0, brokerPath = null, optimizedAcknowledge
= false, noRangeAcks = false, additionalPredicate = null}, exception: java.lang.SecurityException:
User vm5a is not authorized to read from: ActiveMQ.Advisory.TempQueue,ActiveMQ.Advisory.TempTopic
| org.apache.activemq.broker.TransportConnection.Service | ActiveMQ Transport: tcp:///10.201.147.250:51236
> > java.lang.SecurityException: User vm5a is not authorized to read from: ActiveMQ.Advisory.TempQueue,ActiveMQ.Advisory.TempTopic
> >
> > Per our developers, they are seeing:
> >
> > 12:16:53,926  WARN DefaultMessageListenerContainer:822 - Setup of JMS message listener
invoker failed for destination 'queue://vm5.queuename' - trying to recover. Cause: User vm5a
is not authorized to read from: ActiveMQ.Advisory.TempQueue,ActiveMQ.Advisory.TempTopic
> >
> > I ran some tcpdumps. While this is in the logs, I do not see any ldap searches attempting
to update the authorization info. Just after a restart, I do see intermittent searches for
the entries under ou=destination,ou=activemq,ou=systems,o=me.
> >
> > My plugin info:
> >
> > <authorizationPlugin>
> >  <map>
> >    <cachedLDAPAuthorizationMap
> >         connectionURL="ldap://ldap-lab.me:389"
> >         connectionUsername="cn=mqbroker,ou=services,o=me"
> >         connectionPassword="password"
> >         baseDn="ou=systems,o=me"
> >         refreshInterval="5000"
> >     />
> >  </map>
> > </authorizationPlugin>
> 

Mime
View raw message