activemq-users mailing list archives

From Simon Lundström <si...@su.se>
Subject Re: Reloading users and groups properties on change
Date Mon, 04 Apr 2016 06:47:33 GMT
Oh, Nagios is just the username. The actual client is an Apache Qpid
Proton producer/consumer which connects via AMQP.

Will get on it, thanks Tim!

BR,
- Simon

On Fri, 2016-04-01 at 08:16:34 -0600, Tim Bain wrote:
> Yes, file a JIRA, and attach a minimal configuration to reproduce the
> problem.
> 
> BTW, from what you describe, I'd expect that this would happen for any
> client (including a tiny Java test app you could write), which would take
> Nagios out of the equation.  Can you confirm that that's the case?  Once
> you do, attach that test client to the JIRA; let's avoid giving the
> impression that this is somehow related to Nagios if it's really not.
> 
> Tim
> On Apr 1, 2016 12:15 AM, "Simon Lundström" <simlu@su.se> wrote:
> 
> > No one uses PropertiesLoginModule and reloading?
> >
> > Gary, so I should file a JIRA for this, right?
> >
> > BR,
> > - Simon
> >
> > On Thu, 2016-03-10 at 17:14:48 +0100, Simon Lundström wrote:
> > > Hi!
> > >
> > > I talked to Gary Tully on IRC (and mail) and we decided it was best that
> > > I mailed the mailing list since he was pretty sure that someone here had
> > > solved this.
> > >
> > > We are running 5.13.0 and are trying to get {user,group}s.properties to
> > > be reloaded automatically when they are changed.
> > >
> > > In the init.d-script we've added:
> > > ACTIVEMQ_OPTS+=" -Djava.security.auth.login.config=/local/activemq/conf/login.config "
> > >
> > > and login.config looks like this:
> > > activemq-domain {
> > >   org.apache.activemq.jaas.PropertiesLoginModule required
> > >     debug=true
> > >     reload=true
> > >     org.apache.activemq.jaas.properties.user="users.properties"
> > >     org.apache.activemq.jaas.properties.group="../conf.d/approved/groups.properties"
> > >   ;
> > > };
> > >
> > > users.properties:
> > > system=manager
> > > nagios=nagios
> > >
> > > groups.properties:
> > > monitoring=system
> > >
> > > activemq.xml excerpt:
> > > […]
> > >     <plugins>
> > >       <!-- The configuration value matches the JAAS realm in login.config -->
> > >       <jaasAuthenticationPlugin configuration="activemq-domain" />
> > >
> > >       <!-- Enable hot reloading of the The configuration value matches the JAAS realm in login.config -->
> > >       <runtimeConfigurationPlugin checkPeriod="0" />
> > >
> > >       <authorizationPlugin>
> > >          <map>
> > >            <authorizationMap>
> > >              <authorizationEntries>
> > >                <authorizationEntry
> > >                  queue="aliveness-test"
> > >                  read="monitoring"
> > >                  write="monitoring"
> > >                  admin="monitoring"
> > >                />
> > >              </authorizationEntries>
> > >            </authorizationMap>
> > >          </map>
> > >        </authorizationPlugin>
> > > […]
> > >
> > > With this configuration the user nagios should be able to access the queue aliveness-test.
> > > To reproduce, modify groups.properties so it looks like:
> > > monitoring=system,nagios
> > >
> > > Check your logs (you need to enable debug logging on org.apache.activemq.jaas.ReloadableProperties):
> > > {"thread":"ActiveMQ NIO Worker 622","level":"DEBUG","loggerName":"org.apache.activemq.jaas.ReloadableProperties","message":"Load of: PropsFile=/local/activemq/conf/../conf.d/approved/groups.properties"}
> > > so the reloading works, but nagios still can't consume from (or produce to) the queue:
> > > {"thread":"ActiveMQ NIO Worker 2","level":"WARN","loggerName":"org.apache.activemq.broker.TransportConnection.Service","message":"Security Error occurred on connection to: tcp://0:0:0:0:0:0:0:1:45357, User nagios is not authorized to read from: queue://aliveness-test"}
> > >
> > > Note: If I restart ActiveMQ nagios can consume and produce from the
> > > queue.
> > >
> > > Is there any configuration that I've missed?
> > > Is this a bug?
> > >
> > > BR,
> > > - Simon
> > >
> > > ____________________________________
> > >
> > > Simon Lundström
> > > Section for Infrastructure
> > >
> > > IT Services
> > > Stockholm University
> > > SE-106 91 Stockholm, Sweden
> > >
> > > www.su.se/english/staff-info/it
> >
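
Added example (not part of the original thread, and not ActiveMQ code): a Python check for the symptom described above, that is, read denials logged after a groups.properties reload for a user whom the on-disk file already places in an authorized group. The function names, the `ACL` dictionary and the sample inputs are constructed for illustration from the files and log lines quoted in the message.

```python
import json
import re

# Constructed sample input, modelled on the files and log lines quoted in the thread.
GROUPS_PROPERTIES = "monitoring=system,nagios\n"          # groups.properties after the edit
ACL = {"aliveness-test": {"read": {"monitoring"}}}        # from the authorizationEntry
LOG_LINES = [
    '{"thread":"ActiveMQ NIO Worker 622","level":"DEBUG","loggerName":"org.apache.activemq.jaas.ReloadableProperties","message":"Load of: PropsFile=/local/activemq/conf/../conf.d/approved/groups.properties"}',
    '{"thread":"ActiveMQ NIO Worker 2","level":"WARN","loggerName":"org.apache.activemq.broker.TransportConnection.Service","message":"Security Error occurred on connection to: tcp://0:0:0:0:0:0:0:1:45357, User nagios is not authorized to read from: queue://aliveness-test"}',
]

# Only the "read from" wording appears in the thread, so only that is matched.
DENIED = re.compile(r"User (\S+) is not authorized to read from: queue://(\S+)")


def parse_groups(text):
    """Parse 'group=user1,user2' lines into {group: {users}}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        group, users = line.split("=", 1)
        groups[group.strip()] = {u.strip() for u in users.split(",") if u.strip()}
    return groups


def stale_denials(log_lines, groups, acl):
    """Return (user, queue) read denials that were logged after a groups
    reload but contradict the group membership currently on disk."""
    reloaded, findings = False, []
    for raw in log_lines:
        try:
            msg = json.loads(raw).get("message", "")
        except (json.JSONDecodeError, AttributeError):
            continue  # skip lines that are not JSON objects
        if msg.startswith("Load of: PropsFile=") and msg.endswith("groups.properties"):
            reloaded = True
            continue
        m = DENIED.search(msg)
        if m and reloaded:
            user, queue = m.groups()
            allowed = acl.get(queue, {}).get("read", set())
            if any(user in groups.get(g, set()) for g in allowed):
                findings.append((user, queue))
    return findings


if __name__ == "__main__":
    for user, queue in stale_denials(LOG_LINES, parse_groups(GROUPS_PROPERTIES), ACL):
        print(f"{user} denied read on {queue} despite on-disk group membership")
```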
