activemq-users mailing list archives

From "Modanese, Riccardo" <Riccardo.Modan...@eurotech.com.INVALID>
Subject Re: Artemis - Implement ACL programmatically
Date Wed, 11 Sep 2019 14:28:07 GMT
Hi, unfortunately I cannot rely on a security repository, and the users and ACL profiles could
number in the thousands.

My idea is to replace the ActiveMQJAASSecurityManager with my own custom ActiveMQSecurityManager
implementation.
But I didn't find a way.
It seems that there is no other way than specifying a jaas-security tag in the bootstrap.xml
configuration file (<jaas-security domain="activemq"/>).
If I remove the tag, or I try to change the DTO instance (with the appropriate annotation
in the new DTO file itself), I get an XML schema validation error.
From my attempts there is no way to remove the jaas-security tag.

In a few words, what I'd like to achieve is to let Artemis instantiate and use a custom ActiveMQSecurityManager
provided through a configuration parameter.
Is there a way, or must I patch the Artemis code to allow ActiveMQSecurityManager pluggability?


On 28 Aug 2019, at 05:23, yw yw <wy96fyw@gmail.com> wrote:

Yes, it would check every time a client publishes a message or subscribes
to an address.

From my understanding, SecuritySettingPlugin should meet your requirements.
You can save the "securityRepository" passed by
"SecuritySettingPlugin::setSecurityRepository" in your custom SecuritySettingPlugin. When you
receive a notification that a user is added/removed, you can call
securityRepository::addMatch/removeMatch/swap to change the ACL for the matching
address.


On Tue, 27 Aug 2019 at 23:12, Modanese, Riccardo <Riccardo.Modanese@eurotech.com.invalid> wrote:

I think the SecuritySettingPlugin will not solve my issue, but a custom
ActiveMQSecurityManager3 implementation could.

So I tried to plug in an ActiveMQSecurityManager3 implementation, but without
any success.
From my understanding this plugin should be defined in bootstrap.xml, but
unfortunately I found no way to replace the jaas-security tag with another
one pointing to my configuration DTO (the xsd doesn't provide an alternative
tag to jaas-security).

Anyway, just to be sure whether the ActiveMQSecurityManager3 API could fit my
needs: is the method validateUserAndRole called before every
publish/subscribe?

On 26 Aug 2019, at 18:00, Christopher Shannon <christopher.l.shannon@gmail.com> wrote:

You might need to write some custom code to do what you want and you could
try a custom Security plugin.
See the API and Java docs for the security setting plugin:

https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/SecuritySettingPlugin.java

If you need even more control you can create your own SecurityManager and
register it with the broker.  The interface to extend is:

https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQSecurityManager3.java

The validateUserAndRole() method is where you do your ACL checks.

A default implementation that delegates to a JAAS module is included in
the broker already, which you can use as an example or to extend:

https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java

On Mon, Aug 26, 2019 at 8:01 AM Modanese, Riccardo
<Riccardo.Modanese@eurotech.com.invalid> wrote:

I already read this page and I wasn't able to find any helpful
information.
In our use case each user has an ACL depending on the username itself.
Moreover a user can be added at runtime, and the broker must be able to
create and handle correctly the ACL for the newly created user as well.

So, at the end, what I need is the capability of creating ACLs
programmatically and keeping them in a session in order to be used every
time a client publishes a message or subscribes to an address.
In ActiveMQ 5 this was possible ( [1] - [2] ) by creating a
DefaultAuthorizationMap object, but I cannot find a similar object in
Artemis.

[1] https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L683
[2] https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L557


On 26 Aug 2019, at 13:43, Christopher Shannon <christopher.l.shannon@gmail.com> wrote:

All of the info you should need to get started should be here:

https://activemq.apache.org/components/artemis/documentation/latest/security.html

On Mon, Aug 26, 2019 at 6:24 AM Modanese, Riccardo
<Riccardo.Modanese@eurotech.com.invalid> wrote:

Hello,
In our ActiveMQ 5.x security plugin code we are enforcing ACLs
programmatically, so I'm investigating how to migrate our current ACLs
from ActiveMQ 5.x to Artemis.

I took a look at the Artemis source code and I didn't find any object
similar to those present in ActiveMQ 5.x (e.g.
org.apache.activemq.security.AuthorizationMap,
org.apache.activemq.security.AuthorizationEntry, ...)

Can you point me in the right direction?
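The ActiveMQSecurityManager3 route that Christopher points at, and that Riccardo is trying to plug in, looks roughly like the following. This is an added example written for this archive page, not code from the thread, from Eurotech/Kapua, or from the Artemis project. It assumes the Artemis 2.x SPI types named in the thread (`ActiveMQSecurityManager3`, `CheckType`, `Role`, `RemotingConnection`); the class name `UsernameScopedSecurityManager`, the `users.<username>.` address namespace and the in-memory credential map are constructed for illustration. It derives the ACL purely from the username, which is the requirement stated upstream: a user may only publish to, and consume from, addresses under their own prefix, and users can be added or removed at runtime without touching `<security-settings>`.

```java
// Hypothetical package and class name, not part of Artemis or Kapua.
package example.acl;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.activemq.artemis.core.security.CheckType;
import org.apache.activemq.artemis.core.security.Role;
import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;
import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager3;

/**
 * Security manager whose ACL is a pure function of the username:
 * user "alice" is confined to addresses starting with "users.alice.".
 * The roles resolved from <security-settings> are deliberately ignored,
 * so no security repository is needed.
 */
public final class UsernameScopedSecurityManager implements ActiveMQSecurityManager3 {

   /** Constructed address namespace; pick whatever your topic layout uses. */
   private static final String ADDRESS_PREFIX = "users.";

   /** Runtime-mutable credential store (username -> password). Replace with a real backend. */
   private final Map<String, String> users = new ConcurrentHashMap<>();

   public void addUser(String user, String password) { users.put(user, password); }

   public void removeUser(String user) { users.remove(user); }

   /** Authentication: returns the validated username, or null to reject the connection. */
   @Override
   public String validateUser(String user, String password, RemotingConnection connection) {
      if (user == null || password == null) {
         return null;
      }
      String stored = users.get(user);
      if (stored == null) {
         return null;
      }
      // Constant-time comparison so a wrong guess does not leak a matching prefix via timing.
      boolean ok = MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                                         password.getBytes(StandardCharsets.UTF_8));
      return ok ? user : null;
   }

   /**
    * Authorization: Artemis calls this for every send, consume, queue/address
    * creation etc. Returning null denies the operation.
    */
   @Override
   public String validateUserAndRole(String user, String password, Set<Role> roles,
                                     CheckType checkType, String address,
                                     RemotingConnection connection) {
      String validated = validateUser(user, password, connection);
      if (validated == null) {
         return null;
      }
      return isAllowed(validated, checkType, address) ? validated : null;
   }

   /** The ACL itself, kept side-effect free so it can be unit tested without a broker. */
   static boolean isAllowed(String user, CheckType checkType, String address) {
      if (address == null || !address.startsWith(ADDRESS_PREFIX + user + ".")) {
         return false; // outside the user's own namespace
      }
      switch (checkType) {
         case SEND:
         case CONSUME:
         case BROWSE:
         case CREATE_ADDRESS:
         case CREATE_NON_DURABLE_QUEUE:
         case DELETE_NON_DURABLE_QUEUE:
            return true;
         default:
            // No MANAGE, no durable queues, no address deletion: least privilege by default.
            return false;
      }
   }

   // Legacy ActiveMQSecurityManager methods. The broker prefers the
   // ActiveMQSecurityManager3 variants above, but implement these defensively.
   @Override
   public boolean validateUser(String user, String password) {
      return validateUser(user, password, null) != null;
   }

   @Override
   public boolean validateUserAndRole(String user, String password, Set<Role> roles, CheckType checkType) {
      return false; // no address available here, so deny rather than guess
   }
}
```

For an embedded broker the manager can be handed to the server directly (for instance via `ActiveMQServers.newActiveMQServer(configuration, securityManager)`), which sidesteps the bootstrap.xml `jaas-security` constraint discussed above; whether the standalone bootstrap can be pointed at a custom class is exactly the open question in this thread. Two operational caveats: Artemis caches authentication and authorization results for `security-invalidation-interval` milliseconds (a broker.xml setting, 10000 by default), so a user removed via `removeUser` may keep working until that cache expires; and because the address prefix is derived from the username, usernames must be validated at provisioning time so that a name such as `alice.` cannot be used to reach into another user's namespace.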
