falcon-dev mailing list archives

From Jean-Baptiste Onofré (JIRA) <j...@apache.org>
Subject [jira] [Commented] (FALCON-230) Secure activemq topics
Date Tue, 21 Jan 2014 13:19:19 GMT

    [ https://issues.apache.org/jira/browse/FALCON-230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13877445#comment-13877445 ]

Jean-Baptiste Onofré commented on FALCON-230:
---------------------------------------------

On this topic, I propose two parts:

1/ Securing the transport
Currently, we use openwire directly, bound to all network interfaces. Using the embedded broker,
the user can only define the port number, not the protocol (hardcoded to tcp), not the network
interface (hardcoded to 0.0.0.0 so all interfaces).
I propose to let the user define the transport connector URL.
Thanks to that, it would be possible:
- to bind to a given network interface (for instance localhost or a specific interface IP)
- to use OpenWire over SSL (using a transport like ssl://0.0.0.0:61616 instead of tcp). In conf/falcon-env.sh, the user can define his keystore (using -Djavax.net.ssl.keyStore=/path/to/falcon.ks -Djavax.net.ssl.keyStorePassword=password). The messaging interface in the cluster entity should use properties to contain the keystore in order to correctly create the connection factory.
- eventually to define clientAuth (using a transport like ssl://localhost:61616?transport.needClientAuth=true) and provide a keystore/truststore

I'm preparing a patch for that, including an update to the documentation.

2/ Add authentication support

On the other hand, we can force the authentication to use a broker. It means that the messaging
interface in the cluster entity should use properties like principal/credential to use username/password
when creating the connection factory.
On the embedded broker side, if the user provides a system property like falcon.embeddedmq.authentication=true,
in that case, we can look up a conf/users.properties file to create the ActiveMQ JAAS plugin
and use it in the broker service.

I'm preparing another patch for that (including documentation update too).

The two topics are isolated (a user can do both, or only secure transport, or only force
authentication).

> Secure activemq topics
> ----------------------
>
>                 Key: FALCON-230
>                 URL: https://issues.apache.org/jira/browse/FALCON-230
>             Project: Falcon
>          Issue Type: Sub-task
>            Reporter: Venkatesh Seetharam
>            Assignee: Jean-Baptiste Onofré
>
> I'm leaving it here for the sake of completeness. Topics might need authorization and not sure how to do it.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
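
The two parts proposed in the comment above, as an added example that is not code from the Falcon project or from the patches the message mentions: an embedded ActiveMQ broker whose transport connector URL comes from configuration and which optionally requires a username and password. Assumptions: the property name `falcon.embeddedmq.connector` is hypothetical, `conf/users.properties` is assumed to hold `user=password` lines, and ActiveMQ's `SimpleAuthenticationPlugin` stands in for the JAAS plugin the comment proposes.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

import org.apache.activemq.broker.BrokerPlugin;
import org.apache.activemq.broker.BrokerService;
import org.apache.activemq.security.AuthenticationUser;
import org.apache.activemq.security.SimpleAuthenticationPlugin;

public class SecuredEmbeddedBroker {

    public static BrokerService create() throws Exception {
        // Part 1: the whole connector URL is configurable, not only the port.
        // Hypothetical property name; the default binds to loopback over TLS
        // and requires a client certificate. The key material is taken from the
        // -Djavax.net.ssl.keyStore / trustStore options set in conf/falcon-env.sh.
        String connector = System.getProperty("falcon.embeddedmq.connector",
                "ssl://localhost:61616?transport.needClientAuth=true");

        BrokerService broker = new BrokerService();
        broker.setPersistent(false);
        broker.setUseJmx(false);

        // Part 2: authentication is switched on independently of the transport.
        if (Boolean.getBoolean("falcon.embeddedmq.authentication")) {
            Properties props = new Properties();
            try (InputStream in = new FileInputStream("conf/users.properties")) {
                props.load(in);   // assumed format: user=password
            }
            List<AuthenticationUser> users = new ArrayList<>();
            for (String name : props.stringPropertyNames()) {
                users.add(new AuthenticationUser(name, props.getProperty(name), "users"));
            }
            SimpleAuthenticationPlugin auth = new SimpleAuthenticationPlugin(users);
            auth.setAnonymousAccessAllowed(false);   // reject clients without credentials
            broker.setPlugins(new BrokerPlugin[] { auth });
        }

        broker.addConnector(connector);
        return broker;
    }

    public static void main(String[] args) throws Exception {
        BrokerService broker = create();
        broker.start();
        broker.waitUntilStopped();
    }
}
```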
