Posted to users@activemq.apache.org by greenapple <zt...@gmail.com> on 2008/04/22 19:01:42 UTC

Adding users on the fly ACTIVEMQ

I have activemq running and a new user asks for an account. Is it possible to
add users and groups on the fly to the list of users and groups in activemq
without restarting it?

If so, how?
-- 
View this message in context: http://www.nabble.com/Adding-users-on-the-fly-ACTIVEMQ-tp16825211s2354p16825211.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.


Re: Adding users on the fly ACTIVEMQ

Posted by Dejan Bosanac <de...@nighttale.net>.
I think the only way at the moment is to use the LDAP JAAS login module (
http://activemq.apache.org/maven/activemq-jaas/apidocs/org/apache/activemq/jaas/LDAPLoginModule.html).
The corresponding relational database solution is still to come.

Cheers
-- 
Dejan Bosanac
www.scriptinginjava.net

On Tue, Apr 22, 2008 at 7:01 PM, greenapple <zt...@gmail.com> wrote:

>
> I have activemq running and a new user asks for an account. Is it possible
> to
> add users and groups on the fly to the list of users and groups in
> activemq
> without restarting it?
>
> If so, how?
> --
> View this message in context:
> http://www.nabble.com/Adding-users-on-the-fly-ACTIVEMQ-tp16825211s2354p16825211.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
>
>

Re: Adding users on the fly ACTIVEMQ

Posted by rbramley <ap...@rbramley.com>.

greenapple wrote:
> 
> Say a new application yyy requested to use JMS. 
> 
> My job as a JMS admin is to create the queues needed (on the fly), add
> users and groups (on the fly) and grant permissions to certain users and
> groups to read/write/both/etc (also on the fly).
> 
> By on the fly, I mean: without having to restart ActiveMQ. TIBCO EMS for
> example had some user interface to do this.
> 

I'm in the middle of an ActiveMQ 5.1 rollout using LDAP configuration for
this very reason 
(I will be contributing some patches so apologies if the following
instructions won't work out of the box)... 

There are several components required for an LDAP solution:
1. An LDAP server (there are several Open Source options - we're using
OpenLDAP)
2. An LDAP GUI client - you don't want to be editing/importing LDIF files
all the time or mucking about with the command line - we've got
phpldapadmin.

Once these are installed you need to perform a base set-up on LDAP:
1. Create the structure for ActiveMQ in your LDAP server (sample LDIF file
attached)
2. Create a 'bind user' for ActiveMQ to logon to the LDAP server (included
in LDIF)

To configure ActiveMQ (assuming you don't need networked brokers):
1. Configure the JAAS LDAPLoginModule and the LDAPAuthorizationMap in
activemq.xml:
    <plugins>
      <!-- use JAAS to authenticate using the login.config file on the classpath to configure JAAS -->
      <jaasAuthenticationPlugin configuration="LdapConfiguration" />
      <!-- lets configure a destination based role/group authorization mechanism -->
      <authorizationPlugin>
        <map>
          <bean xmlns="http://www.springframework.org/schema/beans"
                id="lDAPAuthorizationMap"
                class="org.apache.activemq.security.LDAPAuthorizationMap">
            <property name="initialContextFactory" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <property name="connectionURL" value="ldap://ldap.acme.com:389"/>
            <property name="authentication" value="simple"/>
            <property name="connectionUsername" value="cn=mqbroker,ou=Services,dc=acme,dc=com"/>
            <property name="connectionPassword" value="password"/>
            <property name="connectionProtocol" value="s"/>
            <property name="topicSearchMatching"
                      value="cn={0},ou=Topic,ou=Destination,ou=ActiveMQ,ou=systems,dc=acme,dc=com"/>
            <property name="topicSearchSubtreeBool" value="true"/>
            <property name="queueSearchMatching"
                      value="cn={0},ou=Queue,ou=Destination,ou=ActiveMQ,ou=systems,dc=acme,dc=com"/>
            <property name="queueSearchSubtreeBool" value="true"/>
            <property name="adminBase" value="(cn=admin)"/>
            <property name="adminAttribute" value="member"/>
            <property name="adminAttributePrefix" value="cn="/>
            <property name="readBase" value="(cn=read)"/>
            <property name="readAttribute" value="member"/>
            <property name="readAttributePrefix" value="cn="/>
            <property name="writeBase" value="(cn=write)"/>
            <property name="writeAttribute" value="member"/>
            <property name="writeAttributePrefix" value="cn="/>
          </bean>
        </map>
      </authorizationPlugin>
    </plugins>

2. Configure the JAAS login.config (I haven't de-duplicated the config yet):

LdapConfiguration {
   org.apache.activemq.jaas.LDAPLoginModule required
       debug=true
       initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
       connectionURL="ldap://ldap.acme.com:389"
       connectionUsername="cn=mqbroker,ou=Services,dc=acme,dc=com"
       connectionPassword=password
       connectionProtocol=s
       authentication=simple
       userBase="ou=User,ou=ActiveMQ,ou=systems,dc=acme,dc=com"
       userRoleName=dummyUserRoleName
       userSearchMatching="(uid={0})"
       userSearchSubtree=false
       roleBase="ou=Group,ou=ActiveMQ,ou=systems,dc=acme,dc=com"
       roleName=cn
       roleSearchMatching="(member:=uid={1})"
       roleSearchSubtree=true
       ;
};

3. Fire it up...

You can then perform your runtime tasks using the LDAP admin tool.

Hope this helps,

Robin
http://www.nabble.com/file/p16984528/sample.ldif sample.ldif 
-- 
View this message in context: http://www.nabble.com/Adding-users-on-the-fly-ACTIVEMQ-tp16825211s2354p16984528.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
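To make the lookups behind the two configuration blocks in Robin's post concrete, here is an added model (not ActiveMQ's code and not from the post) of how the userSearchMatching, roleSearchMatching and queueSearchMatching settings resolve a login and a queue permission against a small constructed in-memory directory. Assumptions: group member values are stored as uid=<name> so that (member:=uid={1}) matches; the role name is taken from each ACL member DN by stripping the cn= prefix up to the first comma; a plaintext userPassword compare stands in for the LDAP bind.

```python
import re

BASE = "ou=ActiveMQ,ou=systems,dc=acme,dc=com"
USER_BASE, ROLE_BASE = f"ou=User,{BASE}", f"ou=Group,{BASE}"
QUEUE_BASE = f"ou=Queue,ou=Destination,{BASE}"
# Constructed directory content (DN -> attribute -> values) standing in for OpenLDAP.
DIRECTORY = {
    f"uid=alice,{USER_BASE}": {"uid": ["alice"], "userPassword": ["s3cret"]},
    f"uid=bob,{USER_BASE}": {"uid": ["bob"], "userPassword": ["hunter2"]},
    f"cn=app-yyy,{ROLE_BASE}": {"cn": ["app-yyy"], "member": ["uid=alice"]},
    f"cn=admins,{ROLE_BASE}": {"cn": ["admins"], "member": ["uid=bob"]},
    f"cn=ORDERS,{QUEUE_BASE}": {"cn": ["ORDERS"]},
    f"cn=admin,cn=ORDERS,{QUEUE_BASE}": {"cn": ["admin"], "member": [f"cn=admins,{ROLE_BASE}"]},
    f"cn=read,cn=ORDERS,{QUEUE_BASE}": {"cn": ["read"], "member": [f"cn=app-yyy,{ROLE_BASE}"]},
    f"cn=write,cn=ORDERS,{QUEUE_BASE}": {"cn": ["write"], "member": [f"cn=app-yyy,{ROLE_BASE}"]},
}
FILTER_RE = re.compile(r"^\((\w+):?=(.*)\)$")  # simple (attr=value) / (attr:=value) filters only

def escape(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a filter placeholder such as {0}/{1}."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def search(base: str, flt: str, subtree: bool) -> list:
    """DNs below base whose attribute matches the filter; an unescaped '*' is a wildcard."""
    attr, raw = FILTER_RE.match(flt).groups()
    decode = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    match = re.compile(".*".join(re.escape(decode(p)) for p in raw.split("*"))).fullmatch
    hits = []
    for dn, attrs in DIRECTORY.items():  # DN depth is counted by commas (no escaped commas here)
        one_level_ok = subtree or dn.count(",") == base.count(",") + 1
        if dn.endswith("," + base) and one_level_ok and any(match(v) for v in attrs.get(attr, [])):
            hits.append(dn)
    return hits

def authenticate(uid: str, password: str) -> bool:
    """LDAPLoginModule step: userSearchMatching="(uid={0})" under userBase, then bind as that DN."""
    hits = search(USER_BASE, f"(uid={escape(uid)})", subtree=False)
    return len(hits) == 1 and password in DIRECTORY[hits[0]].get("userPassword", [])

def roles_for(uid: str) -> set:
    """LDAPLoginModule step: roleSearchMatching="(member:=uid={1})" under roleBase, roleName=cn."""
    return {DIRECTORY[dn]["cn"][0] for dn in search(ROLE_BASE, f"(member:=uid={escape(uid)})", True)}

def queue_acl(queue: str, op: str) -> set:
    """LDAPAuthorizationMap step: under cn=<queue>,ou=Queue,... find (cn=admin|read|write), strip 'cn='."""
    roles = set()
    for dn in search(f"cn={queue},{QUEUE_BASE}", f"(cn={op})", subtree=True):
        roles.update(m[3:].split(",", 1)[0] for m in DIRECTORY[dn].get("member", []) if m.startswith("cn="))
    return roles

def authorized(uid: str, password: str, op: str, queue: str) -> bool:
    return authenticate(uid, password) and bool(roles_for(uid) & queue_acl(queue, op))

def grant_on_the_fly(group: str, uid: str) -> None:
    """What the LDAP admin tool does at runtime: the next lookup sees it, with no broker restart."""
    DIRECTORY[f"cn={group},{ROLE_BASE}"].setdefault("member", []).append(f"uid={uid}")
```

Escaping the substituted user name is what keeps a login such as "*" from turning (uid={0}) into a match-everything filter; search() with the unescaped form shows the difference.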


Re: Adding users on the fly ACTIVEMQ

Posted by greenapple <zt...@gmail.com>.
Thanks Abdul for your time,

Exactly I am trying to do the following:

Say a new application yyy requested to use JMS. 

My job as a JMS admin is to create the queues needed (on the fly), add users
and groups (on the fly) and grant permissions to certain users and groups to
read/write/both/etc (also on the fly).

By on the fly, I mean: without having to restart ActiveMQ. TIBCO EMS for
example had some user interface to do this.

I am very new to ActiveMQ and have been playing with it for a couple of
days.

It seems to me that this information needs to go somewhere else other than
activemq.xml (as you have mentioned) since activemq.xml is only loaded at
startup (correct?). I have some ideas.

I am thinking of implementing the AuthorizationMap in a way similar to
DefaultAuthorizationMap and filling it up with entries through some UI. Then
create an AuthorizationPlugin and install the plugin.

My questions are: can I create an AuthorizationPlugin and install it while
ActiveMQ is running (so that it will be effective on the fly)? Can I install
many AuthorizationPlugins?

As far as adding users on the fly, I was able to do that through adding
users directly to users.properties and groups.properties. Is there a cleaner
way?

Could you please direct me to some JAAS user realm documentation?

I have more ideas but I am going to sleep on them for now :-)

Thanks again,


Abdul Alhazred wrote:
> 
> Right. OK, there are a couple of different issues.
> 
> 1) If ALL you want to do is add users and the permissions of the users
> will be set up entirely in the activemq.sql file, then you would just need
> to create a JAAS auth realm and if you say want to use JDBC then write or
> acquire a JDBC JAAS auth module. I wrote one in an afternoon that worked
> with my user base, it is fairly easy.
> 
> 2) If you want to have DYNAMIC mapping to queues and topics, say you need
> to be able to have a queue for each user that only they can read from,
> then you need to implement an AuthorizationMap (or else put everyone in
> the activemq.xml file entries, which kind of defeats the purpose).
> 
> 3) If you say wanted to use LDAP for either or both of these things, then
> you would use a JAAS LDAP auth module and an LDAP AuthorizationMap (which
> actually I believe exists, see the javadoc). Depending on your schema
> requirements you may need to configure or tweak the code in either of
> those.
> 
> Finally, yes, LDAP requires an LDAP server. LDAP is a pretty useful
> technology, but setting up and running LDAP servers is somewhat of a pain.
> Note however that Active Directory can do your LDAP for you if you are in
> an MS environment, which is a great thing if you have already user
> provisioning etc set up for that. NDS is another commercial product that
> provides LDAP service. Sun also has an LDAP server, and there are a few
> others out there as well. OpenLDAP is your basic OSS implementation. I
> have a feeling there are also OS J2EE components which can provide LDAP
> services. Not familiar with them, but I bet you can find something. 
> 
> Getting your data INTO LDAP and managing it are a whole other kettle of
> fish. There are command line and GUI tools that will do it. Basically
> they're similar to RDBMS tools like the mysql command line tool, except
> they work with LDAP databases.
> 
> 
> greenapple wrote:
>> 
>> Thanks Abdul and Dejan,
>> 
>> Do you need an LDAP server to use LDAP authorization? My knowledge is
>> minimal in LDAP.
>> 
>> I found out through trial and error that you can add users on the fly
>> using JAAS authentication and by editing users.properties and
>> groups.properties
>> 
>> But somehow, doing this does not seem right since I would like to provide
>> a UI for users to 
>> Thanks,
>> 
>> 
>> Abdul Alhazred wrote:
>>> 
>>> 
>>> 
>>> greenapple wrote:
>>>> 
>>>> I have activemq running and a new user asks for an account. Is it
>>>> possible to add users and groups on the fly to the list of users and
>>>> groups in activemq without restarting it?
>>>> 
>>>> If so, how? Can I do it programmatically? 
>>>> 
>>> 
>>> Well, you'd need to have an implementation of an AuthorizationMap that
>>> picks up its data from someplace. I think I saw there is an LDAP one.
>>> The default just gets it from the XML in the config file, which is
>>> obviously no good for your purposes. There doesn't seem to be one that
>>> supports JDBC right now, but I know one of these days soon I'm going to
>>> have to write one because all my JAAS stuff is in there (I did write a
>>> JAAS auth module for JDBC which works). You'll probably need something
>>> like that too in order to authenticate the users from your data store.
>>> As a guess I'd say it might take a couple days to unravel the
>>> AuthorizationMap interface and implement something that works. Have a go
>>> at it! 
>>> 
>> 
>> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Adding-users-on-the-fly-ACTIVEMQ-tp16825211s2354p16887454.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.


Re: Adding users on the fly ACTIVEMQ

Posted by Abdul Alhazred <th...@tradedesksoftware.com>.
Right. OK, there are a couple of different issues.

1) If ALL you want to do is add users and the permissions of the users will
be set up entirely in the activemq.sql file, then you would just need to
create a JAAS auth realm and if you say want to use JDBC then write or
acquire a JDBC JAAS auth module. I wrote one in an afternoon that worked
with my user base, it is fairly easy.

2) If you want to have DYNAMIC mapping to queues and topics, say you need to
be able to have a queue for each user that only they can read from, then you
need to implement an AuthorizationMap (or else put everyone in the
activemq.xml file entries, which kind of defeats the purpose).

3) If you say wanted to use LDAP for either or both of these things, then
you would use a JAAS LDAP auth module and an LDAP AuthorizationMap (which
actually I believe exists, see the javadoc). Depending on your schema
requirements you may need to configure or tweak the code in either of those.

Finally, yes, LDAP requires an LDAP server. LDAP is a pretty useful
technology, but setting up and running LDAP servers is somewhat of a pain.
Note however that Active Directory can do your LDAP for you if you are in an
MS environment, which is a great thing if you have already user provisioning
etc set up for that. NDS is another commercial product that provides LDAP
service. Sun also has an LDAP server, and there are a few others out there
as well. OpenLDAP is your basic OSS implementation. I have a feeling there
are also OS J2EE components which can provide LDAP services. Not familiar
with them, but I bet you can find something. 

Getting your data INTO LDAP and managing it are a whole other kettle of
fish. There are command line and GUI tools that will do it. Basically
they're similar to RDBMS tools like the mysql command line tool, except they
work with LDAP databases.


greenapple wrote:
> 
> Thanks Abdul and Dejan,
> 
> Do you need an LDAP server to use LDAP authorization? My knowledge is
> minimal in LDAP.
> 
> I found out through trial and error that you can add users on the fly
> using JAAS authentication and by editing users.properties and
> groups.properties
> 
> But somehow, doing this does not seem right since I would like to provide
> a UI for users to 
> Thanks,
> 
> 
> Abdul Alhazred wrote:
>> 
>> 
>> 
>> greenapple wrote:
>>> 
>>> I have activemq running and a new user asks for an account. Is it
>>> possible to add users and groups on the fly to the list of users and
>>> groups in activemq without restarting it?
>>> 
>>> If so, how? Can I do it programmatically? 
>>> 
>> 
>> Well, you'd need to have an implementation of an AuthorizationMap that
>> picks up its data from someplace. I think I saw there is an LDAP one. The
>> default just gets it from the XML in the config file, which is obviously
>> no good for your purposes. There doesn't seem to be one that supports
>> JDBC right now, but I know one of these days soon I'm going to have to
>> write one because all my JAAS stuff is in there (I did write a JAAS auth
>> module for JDBC which works). You'll probably need something like that
>> too in order to authenticate the users from your data store. As a guess
>> I'd say it might take a couple days to unravel the AuthorizationMap
>> interface and implement something that works. Have a go at it! 
>> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Adding-users-on-the-fly-ACTIVEMQ-tp16825211s2354p16851064.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.


Re: Adding users on the fly ACTIVEMQ

Posted by greenapple <zt...@gmail.com>.
Thanks Abdul and Dejan,

Do you need an LDAP server to use LDAP authorization? My knowledge is
minimal in LDAP.

I found out through trial and error that you can add users on the fly using
JAAS authentication and by editing users.properties and groups.properties

But somehow, doing this does not seem right since I would like to provide a
UI for users to 
Thanks,


Abdul Alhazred wrote:
> 
> 
> 
> greenapple wrote:
>> 
>> I have activemq running and a new user asks for an account. Is it
>> possible to add users and groups on the fly to the list of users and
>> groups in activemq without restarting it?
>> 
>> If so, how? Can I do it programmatically? 
>> 
> 
> Well, you'd need to have an implementation of an AuthorizationMap that
> picks up its data from someplace. I think I saw there is an LDAP one. The
> default just gets it from the XML in the config file, which is obviously
> no good for your purposes. There doesn't seem to be one that supports JDBC
> right now, but I know one of these days soon I'm going to have to write
> one because all my JAAS stuff is in there (I did write a JAAS auth module
> for JDBC which works). You'll probably need something like that too in
> order to authenticate the users from your data store. As a guess I'd say
> it might take a couple days to unravel the AuthorizationMap interface and
> implement something that works. Have a go at it! 
> 

-- 
View this message in context: http://www.nabble.com/Adding-users-on-the-fly-ACTIVEMQ-tp16825211s2354p16850813.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.


Re: Adding users on the fly ACTIVEMQ

Posted by Abdul Alhazred <th...@tradedesksoftware.com>.


greenapple wrote:
> 
> I have activemq running and a new user asks for an account. Is it possible
> to add users and groups on the fly to the list of users and groups in
> activemq without restarting it?
> 
> If so, how? Can I do it programmatically? 
> 

Well, you'd need to have an implementation of an AuthorizationMap that picks
up its data from someplace. I think I saw there is an LDAP one. The default
just gets it from the XML in the config file, which is obviously no good for
your purposes. There doesn't seem to be one that supports JDBC right now,
but I know one of these days soon I'm going to have to write one because all
my JAAS stuff is in there (I did write a JAAS auth module for JDBC which
works). You'll probably need something like that too in order to
authenticate the users from your data store. As a guess I'd say it might
take a couple days to unravel the AuthorizationMap interface and implement
something that works. Have a go at it! 
-- 
View this message in context: http://www.nabble.com/Adding-users-on-the-fly-ACTIVEMQ-tp16825211s2354p16834707.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.