activemq-users mailing list archives

From Hiram Chirino <hi...@hiramchirino.com>
Subject Re: Is it possible to use Client Certs for Authentication/Authorization for Apollo?
Date Sat, 13 Jul 2013 19:34:05 GMT
Yeah should be stable.  1.7 is a bit overdue.  We really should
consider cutting a newer version soon.

On Sat, Jul 13, 2013 at 2:59 PM, Garry Watkins <catshow@me.com> wrote:
> Took a look at it, and it should work for me. Thanks for the ultra fast resolution to the problem.
>
> Is the github version pretty stable for testing?  When do you think 1.7 will be released?
>
> Thanks again for doing this so quickly.
> Garry
>
> On Jul 13, 2013, at 2:18 PM, Hiram Chirino <hiram@hiramchirino.com> wrote:
>
>> Hi Garry,
>>
>> This is what I came up with:
>>
>> Firstly you need to implement the SecurityFactory trait. For example:
>>
>> https://github.com/apache/activemq-apollo/blob/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/test/UserOwnershipSecurityFactory.scala#L29
>>
>> Then you need to set the 'security_factory' attribute of the broker
>> element to the name of the class you implemented it with. For example:
>> https://github.com/apache/activemq-apollo/blob/trunk/apollo-stomp/src/test/resources/apollo-stomp-custom-security.xml#L18
>>
>> This change is being tracked via:
>> https://issues.apache.org/jira/browse/APLO-330#comment-13707807
>>
>> On Fri, Jul 12, 2013 at 11:22 AM, Garry Watkins <catshow@me.com> wrote:
>>> That sounds good.  I was searching in the code and that is where I thought I might be able to hook in.
>>>
>>> Why not add an authorizer attribute which is the class name of the custom authorizer.
>>>
>>> <access_rule allow="*" action="create destroy send" authorizer="MyCustomAuthorizer"/>
>>> <access_rule allow="*" action="connect receive consume" authorizer="MyCustomAuthorizer2"/>
>>>
>>> On Jul 12, 2013, at 11:01 AM, Hiram Chirino <hiram@hiramchirino.com> wrote:
>>>
>>>> Ok then it seems like you will need to implement a custom Authorizer.
>>>> The interface of an Authorizer is quite simple.  It looks like:
>>>>
>>>> trait Authorizer {
>>>>   def can(ctx:SecurityContext, action:String, resource:SecuredResource):Boolean;
>>>> }
>>>>
>>>> Basically the ctx will have the user info including the security
>>>> subject/cert info.  The action is stuff like "send", and the resource
>>>> will be an instance of a virtualhost, queue, topic (etc.) that the
>>>> user is trying to perform the action against.  The method just needs to
>>>> return true if it's allowed.
>>>>
>>>> The only problem is there does not yet exist a way to configure a
>>>> custom authorizer.  Let me see if I can add support for that in the apollo
>>>> configuration.
>>>>
>>>>
>>>> On Wed, Jul 10, 2013 at 6:38 PM, Garry Watkins <catshow@me.com> wrote:
>>>>> Yes, the users will be unknown at the time of connection.
>>>>>
>>>>> On Jul 10, 2013, at 3:00 PM, Hiram Chirino <hiram@hiramchirino.com> wrote:
>>>>>
>>>>>> And the user names are dynamic?  You don't know them ahead of time?
>>>>>>
>>>>>> On Tue, Jul 9, 2013 at 4:14 PM, Garry Watkins <catshow@icloud.com> wrote:
>>>>>>> I have been looking at the documentation in the security section.
>>>>>>>
>>>>>>> http://activemq.apache.org/apollo/documentation/user-manual.html#Security
>>>>>>>
>>>>>>> I need to write code that will capture allow a queue to be created with the
>>>>>>> same name as the user.  That user may then be allowed to receive and consume
>>>>>>> messages.
>>>>>>>
>>>>>>> Any hints about where I could inject this into the code?
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>>
>>>>>>> On Jul 08, 2013, at 02:06 PM, Christian Posta <christian.posta@gmail.com> wrote:
>>>>>>>
>>>>>>> Should be the distinguished name from the X509 cert:
>>>>>>>
>>>>>>> http://docs.oracle.com/javase/6/docs/api/javax/security/auth/x500/X500Principal.html
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Jul 8, 2013 at 1:31 PM, Garry Watkins <catshow@me.com> wrote:
>>>>>>>
>>>>>>> Ok, now that I know that I can do that.
>>>>>>>
>>>>>>> How does Apollo assign the username? What I want to do is have another
>>>>>>> process create a queue just for that user, and that is the only queue that
>>>>>>> user may access.
>>>>>>>
>>>>>>> Thanks for the speedy response.
>>>>>>>
>>>>>>> On Jul 8, 2013, at 1:28 PM, Christian Posta <christian.posta@gmail.com> wrote:
>>>>>>>
>>>>>>>> Yep, try adding the following to your ssl connector:
>>>>>>>>
>>>>>>>> <connector id="default" bind="ssl://0.0.0.0:61614">
>>>>>>>>   <ssl client_auth="need" />
>>>>>>>> </connector>
>>>>>>>>
>>>>>>>> On Mon, Jul 8, 2013 at 12:51 PM, Garry Watkins <catshow@me.com> wrote:
>>>>>>>>
>>>>>>>>> Is it possible to use Client Certs for Authentication/Authorization for Apollo?
>>>>>>>>
>>>>>>>> --
>>>>>>>> *Christian Posta*
>>>>>>>> http://www.christianposta.com/blog
>>>>>>>> twitter: @christianposta
>>>>>>>
>>>>>>> --
>>>>>>> *Christian Posta*
>>>>>>> http://www.christianposta.com/blog
>>>>>>> twitter: @christianposta
>



-- 
Hiram Chirino

Engineering | Red Hat, Inc.

hchirino@redhat.com | fusesource.com | redhat.com

skype: hiramchirino | twitter: @hiramchirino

blog: Hiram Chirino's Bit Mojo
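The ownership rule the thread converges on (a client-cert user may only touch the queue named after them, and the username is the certificate's X.500 DN), written out as a stand-alone model of the `can(ctx, action, resource)` check Hiram describes. This is an added example, not code from the thread or from Apollo: `Ctx` and `Resource` are assumed stand-ins for Apollo's `SecurityContext` and `SecuredResource`, and the sample DN is constructed.

```python
from dataclasses import dataclass

# Action names as used in the thread's <access_rule> examples.
OWNER_ACTIONS = {"create", "destroy", "send", "receive", "consume"}

@dataclass
class Ctx:        # assumed stand-in for Apollo's SecurityContext
    user: str     # with <ssl client_auth="need"/> this is the cert subject DN

@dataclass
class Resource:   # assumed stand-in for Apollo's SecuredResource
    kind: str     # "virtualhost", "queue" or "topic"
    id: str

def parse_dn(dn: str) -> list:
    """Split an RFC 4514 DN into (type, value) pairs, honouring '\\,' escapes."""
    rdns, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
    rdns.append(cur)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def owner_name(ctx: Ctx):
    """The queue a user owns is named after the CN of the client certificate."""
    for attr, value in parse_dn(ctx.user):
        if attr == "CN":
            return value
    return None

def can(ctx: Ctx, action: str, resource: Resource) -> bool:
    """Mirror of Authorizer.can: connect to the host, touch only your own queue."""
    if resource.kind == "virtualhost":
        return action == "connect"
    if resource.kind == "queue" and action in OWNER_ACTIONS:
        owner = owner_name(ctx)
        return bool(owner) and resource.id == owner
    return False  # topics, unknown actions and other users' queues are denied
```

A certificate without a CN yields no owner, so every queue action is denied rather than matching an empty queue name.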
