Posted to users@activemq.apache.org by "Modanese, Riccardo" <Ri...@eurotech.com.INVALID> on 2019/08/26 10:24:07 UTC

Artemis - Implement ACL programmatically

Hello,
    In our ActiveMQ 5.x security plugin code we are enforcing ACL programmatically so I’m investigating how to migrate our current ACL from ActiveMQ 5.x to Artemis.

I took a look into Artemis source code and I didn’t find any similar object to those present in ActiveMQ 5.x (E.g. org.apache.activemq.security.AuthorizationMap, org.apache.activemq.security.AuthorizationEntry, ...)

Can you point me in the right direction?

Re: Artemis - Implement ACL programmatically

Posted by "Modanese, Riccardo" <Ri...@eurotech.com.INVALID>.
Great news, thank you!



> On 11 Dec 2019, at 20:48, Justin Bertram <jb...@apache.org> wrote:
> 
>> Currently there is no way to use a custom ActiveMQSecurityManager
> implementation via the XML configuration.
> 
> FYI - I just opened ARTEMIS-2574 [1] and sent a PR [2] to address this.
> 
> 
> Justin
> 
> [1] https://issues.apache.org/jira/browse/ARTEMIS-2574
> [2] https://github.com/apache/activemq-artemis/pull/2917
> 
> On Fri, Sep 20, 2019 at 8:34 AM Justin Bertram <jb...@apache.org> wrote:
> 
>>> In few word what I’d like to achieve is to let Artemis instantiate and
>> use a custom ActiveMQSecurityManager provided through a configuration
>> parameter. Is there a way or I must patch the Artemis code to allow the
>> ActiveMQSecurityManager pluggability?
>> 
>> Currently there is no way to use a custom ActiveMQSecurityManager
>> implementation via the XML configuration. The broker would need to be
>> modified to allow this behavior (and I think that would be a valid
>> enhancement).
>> 
>> For what it's worth, using a custom ActiveMQSecurityManager implementation
>> is a trivial matter for embedded use-cases.
>> 
>> 
>> Justin
>> 
>> On Wed, Sep 11, 2019 at 9:28 AM Modanese, Riccardo
>> <Ri...@eurotech.com.invalid> wrote:
>> 
>>> Hi, unfortunately I cannot rely on a security repository and the users
>>> and ACLs profiles could be thousands.
>>> 
>>> My idea is to replace the ActiveMQJAASSecurityManager with my own custom
>>> ActiveMQSecurityManager implementation.
>>> But I didn’t find a way.
>>> It seems that there is no other way than specifying a jaas-security tag
>>> in the bootstrap.xml configuration file (<jaas-security
>>> domain="activemq"/>).
>>> If I remove the tag, or I try to change the DTO instance (with the
>>> appropriate annotation in the new DTO file itself), I get a xml validation
>>> schema error.
>>> From my attempts there is no way to remove the jaas-security tag.
>>> 
>>> In few word what I’d like to achieve is to let Artemis instantiate and
>>> use a custom ActiveMQSecurityManager provided through a configuration
>>> parameter.
>>> Is there a way or I must patch the Artemis code to allow the
>>> ActiveMQSecurityManager pluggability?
>>> 
>>> 
>>> On 28 Aug 2019, at 05:23, yw yw <wy96fyw@gmail.com> wrote:
>>> 
>>> Yes, it would check every time a client publishes a message or subscribes
>>> an address.
>>> 
>>> From my understanding, SecuritySettingPlugin should meet your
>>> requirements.
>>> You can save the "securityRepository" passed by "SecuritySettingPlugin::
>>> setSecurityRepository" in your custom SecuritySettingPlugin. When you
>>> receive a notification that user is added/removed,  you can call
>>> securityRepository::addMatch/removeMatch/swap to change ACL in matching
>>> address.
>>> 
>>> 
>>> On Tue, Aug 27, 2019 at 11:12 PM, Modanese, Riccardo <Riccardo.Modanese@eurotech.com.invalid> wrote:
>>> 
>>> I think the SecuritySettingPlugin will not solve my issue but an
>>> ActiveMQSecurityManager3 custom implementation could be.
>>> 
>>> So I tried to plug an ActiveMQSecurityManager3 implementation but without
>>> any success.
>>> From my understanding this plugin should be defined into bootstrap.xml but
>>> unfortunately I found no way to replace the jaas-security tag with another
>>> one pointing to my configuration DTO (the xsd doesn’t provide alternative
>>> tag to jaas-security)
>>> 
>>> Anyway, just to be sure if the ActiveMQSecurityManager3 api could fit my
>>> needs,  is the method validateUserAndRole called before every
>>> publish/subscribe?
>>> 
>>> On 26 Aug 2019, at 18:00, Christopher Shannon <christopher.l.shannon@gmail.com> wrote:
>>> 
>>> You might need to write some custom code to do what you want and you
>>> could
>>> try a custom Security plugin.
>>> See the API and Java docs for the security setting plugin:
>>> 
>>> 
>>> https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/SecuritySettingPlugin.java
>>> 
>>> If you need even more control you can create your own SecurityManager and
>>> register it with the broker.  The interface to extend is:
>>> 
>>> 
>>> https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQSecurityManager3.java
>>> 
>>> The validateUserAndRole() method is where you do your ACL checks
>>> 
>>> A default implementation that delegates to a JAAS module is including in
>>> the broker already which you can use as an example or to extend:
>>> 
>>> 
>>> https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java
>>> 
>>> On Mon, Aug 26, 2019 at 8:01 AM Modanese, Riccardo
>>> <Ri...@eurotech.com.invalid> wrote:
>>> 
>>> I already read this page and I wasn’t able to find any helpful
>>> information.
>>> In our use case each user has ACL depending on the username itself.
>>> Moreover a user can be added at runtime and the broker must be able to
>>> create and handle correctly the ACL also for the new created user.
>>> 
>>> So, at the end, what I need is the capability of creating ACL
>>> programmatically and keep them in a session in order to be used every
>>> time
>>> a client publishes a message or subscribes an address.
>>> In ActiveMQ 5 this was possible ( [1] - [2] ) by creating a
>>> DefaultAuthorizationMap object, but I cannot find a similar object in
>>> Artemis
>>> 
>>> [1]
>>> 
>>> 
>>> https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L683
>>> [2]
>>> 
>>> 
>>> https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L557
>>> 
>>> 
>>> On 26 Aug 2019, at 13:43, Christopher Shannon <christopher.l.shannon@gmail.com> wrote:
>>> 
>>> All of the info you should need to get started should be here:
>>> 
>>> 
>>> 
>>> https://activemq.apache.org/components/artemis/documentation/latest/security.html
>>> 
>>> On Mon, Aug 26, 2019 at 6:24 AM Modanese, Riccardo
>>> <Ri...@eurotech.com.invalid> wrote:
>>> 
>>> Hello,
>>> In our ActiveMQ 5.x security plugin code we are enforcing ACL
>>> programmatically so I’m investigating how to migrate our current ACL
>>> from
>>> ActiveMQ 5.x to Artemis.
>>> 
>>> I took a look into Artemis source code and I didn’t find any similar
>>> object to those present in ActiveMQ 5.x (E.g.
>>> org.apache.activemq.security.AuthorizationMap,
>>> org.apache.activemq.security.AuthorizationEntry, ...)
>>> 
>>> Can you point me to the right direction?


Re: Artemis - Implement ACL programmatically

Posted by Justin Bertram <jb...@apache.org>.
> Currently there is no way to use a custom ActiveMQSecurityManager
> implementation via the XML configuration.

FYI - I just opened ARTEMIS-2574 [1] and sent a PR [2] to address this.


Justin

[1] https://issues.apache.org/jira/browse/ARTEMIS-2574
[2] https://github.com/apache/activemq-artemis/pull/2917

On Fri, Sep 20, 2019 at 8:34 AM Justin Bertram <jb...@apache.org> wrote:

> > In few word what I’d like to achieve is to let Artemis instantiate and
> use a custom ActiveMQSecurityManager provided through a configuration
> parameter. Is there a way or I must patch the Artemis code to allow the
> ActiveMQSecurityManager pluggability?
>
> Currently there is no way to use a custom ActiveMQSecurityManager
> implementation via the XML configuration. The broker would need to be
> modified to allow this behavior (and I think that would be a valid
> enhancement).
>
> For what it's worth, using a custom ActiveMQSecurityManager implementation
> is a trivial matter for embedded use-cases.
>
>
> Justin
>
> On Wed, Sep 11, 2019 at 9:28 AM Modanese, Riccardo
> <Ri...@eurotech.com.invalid> wrote:
>
>> Hi, unfortunately I cannot rely on a security repository and the users
>> and ACLs profiles could be thousands.
>>
>> My idea is to replace the ActiveMQJAASSecurityManager with my own custom
>> ActiveMQSecurityManager implementation.
>> But I didn’t find a way.
>> It seems that there is no other way than specifying a jaas-security tag
>> in the bootstrap.xml configuration file (<jaas-security
>> domain="activemq"/>).
>> If I remove the tag, or I try to change the DTO instance (with the
>> appropriate annotation in the new DTO file itself), I get a xml validation
>> schema error.
>> From my attempts there is no way to remove the jaas-security tag.
>>
>> In few word what I’d like to achieve is to let Artemis instantiate and
>> use a custom ActiveMQSecurityManager provided through a configuration
>> parameter.
>> Is there a way or I must patch the Artemis code to allow the
>> ActiveMQSecurityManager pluggability?
>>
>>
>> On 28 Aug 2019, at 05:23, yw yw <wy96fyw@gmail.com> wrote:
>>
>> Yes, it would check every time a client publishes a message or subscribes
>> an address.
>>
>> From my understanding, SecuritySettingPlugin should meet your
>> requirements.
>> You can save the "securityRepository" passed by "SecuritySettingPlugin::
>> setSecurityRepository" in your custom SecuritySettingPlugin. When you
>> receive a notification that user is added/removed,  you can call
>> securityRepository::addMatch/removeMatch/swap to change ACL in matching
>> address.
>>
>>
>> On Tue, Aug 27, 2019 at 11:12 PM, Modanese, Riccardo <Riccardo.Modanese@eurotech.com.invalid> wrote:
>>
>> I think the SecuritySettingPlugin will not solve my issue but an
>> ActiveMQSecurityManager3 custom implementation could be.
>>
>> So I tried to plug an ActiveMQSecurityManager3 implementation but without
>> any success.
>> From my understanding this plugin should be defined into bootstrap.xml but
>> unfortunately I found no way to replace the jaas-security tag with another
>> one pointing to my configuration DTO (the xsd doesn’t provide alternative
>> tag to jaas-security)
>>
>> Anyway, just to be sure if the ActiveMQSecurityManager3 api could fit my
>> needs,  is the method validateUserAndRole called before every
>> publish/subscribe?
>>
>> On 26 Aug 2019, at 18:00, Christopher Shannon <christopher.l.shannon@gmail.com> wrote:
>>
>> You might need to write some custom code to do what you want and you
>> could
>> try a custom Security plugin.
>> See the API and Java docs for the security setting plugin:
>>
>>
>> https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/SecuritySettingPlugin.java
>>
>> If you need even more control you can create your own SecurityManager and
>> register it with the broker.  The interface to extend is:
>>
>>
>> https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQSecurityManager3.java
>>
>> The validateUserAndRole() method is where you do your ACL checks
>>
>> A default implementation that delegates to a JAAS module is including in
>> the broker already which you can use as an example or to extend:
>>
>>
>> https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java
>>
>> On Mon, Aug 26, 2019 at 8:01 AM Modanese, Riccardo
>> <Ri...@eurotech.com.invalid> wrote:
>>
>> I already read this page and I wasn’t able to find any helpful
>> information.
>> In our use case each user has ACL depending on the username itself.
>> Moreover a user can be added at runtime and the broker must be able to
>> create and handle correctly the ACL also for the new created user.
>>
>> So, at the end, what I need is the capability of creating ACL
>> programmatically and keep them in a session in order to be used every
>> time
>> a client publishes a message or subscribes an address.
>> In ActiveMQ 5 this was possible ( [1] - [2] ) by creating a
>> DefaultAuthorizationMap object, but I cannot find a similar object in
>> Artemis
>>
>> [1]
>>
>>
>> https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L683
>> [2]
>>
>>
>> https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L557
>>
>>
>> On 26 Aug 2019, at 13:43, Christopher Shannon <christopher.l.shannon@gmail.com> wrote:
>>
>> All of the info you should need to get started should be here:
>>
>>
>>
>> https://activemq.apache.org/components/artemis/documentation/latest/security.html
>>
>> On Mon, Aug 26, 2019 at 6:24 AM Modanese, Riccardo
>> <Ri...@eurotech.com.invalid> wrote:
>>
>> Hello,
>>  In our ActiveMQ 5.x security plugin code we are enforcing ACL
>> programmatically so I’m investigating how to migrate our current ACL
>> from
>> ActiveMQ 5.x to Artemis.
>>
>> I took a look into Artemis source code and I didn’t find any similar
>> object to those present in ActiveMQ 5.x (E.g.
>> org.apache.activemq.security.AuthorizationMap,
>> org.apache.activemq.security.AuthorizationEntry, ...)
>>
>> Can you point me to the right direction?

Re: Artemis - Implement ACL programmatically

Posted by Justin Bertram <jb...@apache.org>.
> In a few words, what I’d like to achieve is to let Artemis instantiate and
> use a custom ActiveMQSecurityManager provided through a configuration
> parameter. Is there a way, or must I patch the Artemis code to allow the
> ActiveMQSecurityManager pluggability?

Currently there is no way to use a custom ActiveMQSecurityManager
implementation via the XML configuration. The broker would need to be
modified to allow this behavior (and I think that would be a valid
enhancement).

For what it's worth, using a custom ActiveMQSecurityManager implementation
is a trivial matter for embedded use-cases.


Justin

On Wed, Sep 11, 2019 at 9:28 AM Modanese, Riccardo
<Ri...@eurotech.com.invalid> wrote:

> Hi, unfortunately I cannot rely on a security repository and the users and
> ACLs profiles could be thousands.
>
> My idea is to replace the ActiveMQJAASSecurityManager with my own custom
> ActiveMQSecurityManager implementation.
> But I didn’t find a way.
> It seems that there is no other way than specifying a jaas-security tag in
> the bootstrap.xml configuration file (<jaas-security domain="activemq"/>).
> If I remove the tag, or I try to change the DTO instance (with the
> appropriate annotation in the new DTO file itself), I get a xml validation
> schema error.
> From my attempts there is no way to remove the jaas-security tag.
>
> In few word what I’d like to achieve is to let Artemis instantiate and use
> a custom ActiveMQSecurityManager provided through a configuration parameter.
> Is there a way or I must patch the Artemis code to allow the
> ActiveMQSecurityManager pluggability?
>
>
> On 28 Aug 2019, at 05:23, yw yw <wy96fyw@gmail.com> wrote:
>
> Yes, it would check every time a client publishes a message or subscribes
> an address.
>
> From my understanding, SecuritySettingPlugin should meet your requirements.
> You can save the "securityRepository" passed by "SecuritySettingPlugin::
> setSecurityRepository" in your custom SecuritySettingPlugin. When you
> receive a notification that user is added/removed,  you can call
> securityRepository::addMatch/removeMatch/swap to change ACL in matching
> address.
>
>
> On Tue, Aug 27, 2019 at 11:12 PM, Modanese, Riccardo <Riccardo.Modanese@eurotech.com.invalid> wrote:
>
> I think the SecuritySettingPlugin will not solve my issue but an
> ActiveMQSecurityManager3 custom implementation could be.
>
> So I tried to plug an ActiveMQSecurityManager3 implementation but without
> any success.
> From my understanding this plugin should be defined into bootstrap.xml but
> unfortunately I found no way to replace the jaas-security tag with another
> one pointing to my configuration DTO (the xsd doesn’t provide alternative
> tag to jaas-security)
>
> Anyway, just to be sure if the ActiveMQSecurityManager3 api could fit my
> needs,  is the method validateUserAndRole called before every
> publish/subscribe?
>
> On 26 Aug 2019, at 18:00, Christopher Shannon <christopher.l.shannon@gmail.com> wrote:
>
> You might need to write some custom code to do what you want and you
> could
> try a custom Security plugin.
> See the API and Java docs for the security setting plugin:
>
>
> https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/SecuritySettingPlugin.java
>
> If you need even more control you can create your own SecurityManager and
> register it with the broker.  The interface to extend is:
>
>
> https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQSecurityManager3.java
>
> The validateUserAndRole() method is where you do your ACL checks
>
> A default implementation that delegates to a JAAS module is including in
> the broker already which you can use as an example or to extend:
>
>
> https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java
>
> On Mon, Aug 26, 2019 at 8:01 AM Modanese, Riccardo
> <Ri...@eurotech.com.invalid> wrote:
>
> I already read this page and I wasn’t able to find any helpful
> information.
> In our use case each user has ACL depending on the username itself.
> Moreover a user can be added at runtime and the broker must be able to
> create and handle correctly the ACL also for the new created user.
>
> So, at the end, what I need is the capability of creating ACL
> programmatically and keep them in a session in order to be used every
> time
> a client publishes a message or subscribes an address.
> In ActiveMQ 5 this was possible ( [1] - [2] ) by creating a
> DefaultAuthorizationMap object, but I cannot find a similar object in
> Artemis
>
> [1]
>
>
> https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L683
> [2]
>
>
> https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L557
>
>
> On 26 Aug 2019, at 13:43, Christopher Shannon <christopher.l.shannon@gmail.com> wrote:
>
> All of the info you should need to get started should be here:
>
>
>
> https://activemq.apache.org/components/artemis/documentation/latest/security.html
>
> On Mon, Aug 26, 2019 at 6:24 AM Modanese, Riccardo
> <Ri...@eurotech.com.invalid> wrote:
>
> Hello,
>  In our ActiveMQ 5.x security plugin code we are enforcing ACL
> programmatically so I’m investigating how to migrate our current ACL
> from
> ActiveMQ 5.x to Artemis.
>
> I took a look into Artemis source code and I didn’t find any similar
> object to those present in ActiveMQ 5.x (E.g.
> org.apache.activemq.security.AuthorizationMap,
> org.apache.activemq.security.AuthorizationEntry, ...)
>
> Can you point me to the right direction?
>
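
Added example, not code from this thread or from the Artemis project: an ActiveMQSecurityManager3 whose validateUserAndRole() computes the ACL from the username and is registered on an embedded broker, the route described in the message above. The class name, the authenticator hook, the "acct.<user>." address layout and the sample credentials are assumptions made for illustration; it needs artemis-server on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;
import java.util.function.BiPredicate;
import java.util.regex.Pattern;

import org.apache.activemq.artemis.core.config.Configuration;
import org.apache.activemq.artemis.core.config.impl.ConfigurationImpl;
import org.apache.activemq.artemis.core.security.CheckType;
import org.apache.activemq.artemis.core.security.Role;
import org.apache.activemq.artemis.core.server.embedded.EmbeddedActiveMQ;
import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;
import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager3;

/** ACL derived from the username: nothing per-user is stored in the broker. */
public class PerUserAclSecurityManager implements ActiveMQSecurityManager3 {

   // The username becomes part of an address prefix, so refuse names that
   // could contain the '.' delimiter or the '#' / '*' wildcards.
   private static final Pattern SAFE_USER = Pattern.compile("[A-Za-z0-9_-]{1,64}");

   // Hypothetical hook into the external user store (not an Artemis API).
   // Users added there at runtime are accepted without touching the broker.
   private final BiPredicate<String, String> authenticator;

   public PerUserAclSecurityManager(BiPredicate<String, String> authenticator) {
      this.authenticator = authenticator;
   }

   private boolean authenticated(String user, String password) {
      return user != null && password != null
         && SAFE_USER.matcher(user).matches()
         && authenticator.test(user, password);
   }

   // Assumed policy: user U may only touch addresses below "acct.U.".
   private boolean allowed(String user, CheckType type, String address) {
      if (address == null || !address.startsWith("acct." + user + ".")) {
         return false;
      }
      switch (type) {
         case SEND:
         case CONSUME:
         case CREATE_ADDRESS:
         case CREATE_NON_DURABLE_QUEUE:
         case DELETE_NON_DURABLE_QUEUE:
            return true;
         default:
            return false; // durable queues, MANAGE, BROWSE and the rest: denied
      }
   }

   @Override
   public String validateUser(String user, String password, RemotingConnection connection) {
      return authenticated(user, password) ? user : null;
   }

   @Override
   public String validateUserAndRole(String user, String password, Set<Role> roles,
                                     CheckType checkType, String address,
                                     RemotingConnection connection) {
      // 'roles' holds the security-settings match for the address; it is
      // ignored here because the decision is computed from the username.
      return authenticated(user, password) && allowed(user, checkType, address) ? user : null;
   }

   @Override
   public boolean validateUser(String user, String password) {
      return authenticated(user, password);
   }

   @Override
   public boolean validateUserAndRole(String user, String password, Set<Role> roles,
                                      CheckType checkType) {
      return false; // legacy overload carries no address: fail closed
   }

   public static void main(String[] args) throws Exception {
      // Constructed sample store with one user; replace with the real identity service.
      BiPredicate<String, String> sampleStore = (u, p) ->
         "alice".equals(u) && MessageDigest.isEqual(
            p.getBytes(StandardCharsets.UTF_8),
            "constructed-password".getBytes(StandardCharsets.UTF_8));

      Configuration config = new ConfigurationImpl()
         .setPersistenceEnabled(false)
         .setSecurityEnabled(true)
         .addAcceptorConfiguration("tcp", "tcp://127.0.0.1:61616");

      EmbeddedActiveMQ broker = new EmbeddedActiveMQ();
      broker.setConfiguration(config);
      broker.setSecurityManager(new PerUserAclSecurityManager(sampleStore));
      broker.start();
   }
}
```

The broker caches successful authorization checks for security-invalidation-interval (10 seconds by default), so a revoked user can keep access until that interval expires unless it is lowered.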

Re: Artemis - Implement ACL programmatically

Posted by "Modanese, Riccardo" <Ri...@eurotech.com.INVALID>.
Hi, unfortunately I cannot rely on a security repository and the users and ACLs profiles could be thousands.

My idea is to replace the ActiveMQJAASSecurityManager with my own custom ActiveMQSecurityManager implementation.
But I didn’t find a way.
It seems that there is no other way than specifying a jaas-security tag in the bootstrap.xml configuration file (<jaas-security domain="activemq"/>).
If I remove the tag, or I try to change the DTO instance (with the appropriate annotation in the new DTO file itself), I get an XML validation schema error.
From my attempts there is no way to remove the jaas-security tag.

In a few words, what I’d like to achieve is to let Artemis instantiate and use a custom ActiveMQSecurityManager provided through a configuration parameter.
Is there a way, or must I patch the Artemis code to allow the ActiveMQSecurityManager pluggability?


On 28 Aug 2019, at 05:23, yw yw <wy...@gmail.com> wrote:

Yes, it would check every time a client publishes a message or subscribes
an address.

From my understanding, SecuritySettingPlugin should meet your requirements.
You can save the "securityRepository" passed by "SecuritySettingPlugin::
setSecurityRepository" in your custom SecuritySettingPlugin. When you
receive a notification that user is added/removed,  you can call
securityRepository::addMatch/removeMatch/swap to change ACL in matching
address.


On Tue, Aug 27, 2019 at 11:12 PM, Modanese, Riccardo <Ri...@eurotech.com.invalid> wrote:

I think the SecuritySettingPlugin will not solve my issue but an
ActiveMQSecurityManager3 custom implementation could be.

So I tried to plug an ActiveMQSecurityManager3 implementation but without
any success.
From my understanding this plugin should be defined into bootstrap.xml but
unfortunately I found no way to replace the jaas-security tag with another
one pointing to my configuration DTO (the xsd doesn’t provide alternative
tag to jaas-security)

Anyway, just to be sure if the ActiveMQSecurityManager3 api could fit my
needs,  is the method validateUserAndRole called before every
publish/subscribe?

On 26 Aug 2019, at 18:00, Christopher Shannon <christopher.l.shannon@gmail.com> wrote:

You might need to write some custom code to do what you want and you
could
try a custom Security plugin.
See the API and Java docs for the security setting plugin:

https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/SecuritySettingPlugin.java

If you need even more control you can create your own SecurityManager and
register it with the broker.  The interface to extend is:

https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQSecurityManager3.java

The validateUserAndRole() method is where you do your ACL checks

A default implementation that delegates to a JAAS module is including in
the broker already which you can use as an example or to extend:

https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java

On Mon, Aug 26, 2019 at 8:01 AM Modanese, Riccardo
<Ri...@eurotech.com.invalid> wrote:

I already read this page and I wasn’t able to find any helpful
information.
In our use case each user has ACL depending on the username itself.
Moreover a user can be added at runtime and the broker must be able to
create and handle correctly the ACL also for the new created user.

So, at the end, what I need is the capability of creating ACL
programmatically and keep them in a session in order to be used every
time
a client publishes a message or subscribes an address.
In ActiveMQ 5 this was possible ( [1] - [2] ) by creating a
DefaultAuthorizationMap object, but I cannot find a similar object in
Artemis

[1]

https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L683
[2]

https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L557


On 26 Aug 2019, at 13:43, Christopher Shannon <christopher.l.shannon@gmail.com> wrote:

All of the info you should need to get started should be here:


https://activemq.apache.org/components/artemis/documentation/latest/security.html

On Mon, Aug 26, 2019 at 6:24 AM Modanese, Riccardo
<Ri...@eurotech.com.invalid> wrote:

Hello,
 In our ActiveMQ 5.x security plugin code we are enforcing ACL
programmatically so I’m investigating how to migrate our current ACL
from
ActiveMQ 5.x to Artemis.

I took a look into Artemis source code and I didn’t find any similar
object to those present in ActiveMQ 5.x (E.g.
org.apache.activemq.security.AuthorizationMap,
org.apache.activemq.security.AuthorizationEntry, ...)

Can you point me to the right direction?







Re: Artemis - Implement ACL programmatically

Posted by yw yw <wy...@gmail.com>.
Yes, it would check every time a client publishes a message or subscribes
to an address.

From my understanding, SecuritySettingPlugin should meet your requirements.
You can save the "securityRepository" passed by
"SecuritySettingPlugin::setSecurityRepository" in your custom
SecuritySettingPlugin. When you receive a notification that a user is
added/removed, you can call securityRepository::addMatch/removeMatch/swap
to change the ACL in the matching address.


On Tue, Aug 27, 2019 at 11:12 PM, Modanese, Riccardo <Ri...@eurotech.com.invalid> wrote:

> I think the SecuritySettingPlugin will not solve my issue but an
> ActiveMQSecurityManager3 custom implementation could be.
>
> So I tried to plug an ActiveMQSecurityManager3 implementation but without
> any success.
> From my understanding this plugin should be defined into bootstrap.xml but
> unfortunately I found no way to replace the jaas-security tag with another
> one pointing to my configuration DTO (the xsd doesn’t provide alternative
> tag to jaas-security)
>
> Anyway, just to be sure if the ActiveMQSecurityManager3 api could fit my
> needs,  is the method validateUserAndRole called before every
> publish/subscribe?
>
> > On 26 Aug 2019, at 18:00, Christopher Shannon <christopher.l.shannon@gmail.com> wrote:
> >
> > You might need to write some custom code to do what you want and you
> could
> > try a custom Security plugin.
> > See the API and Java docs for the security setting plugin:
> >
> https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/SecuritySettingPlugin.java
> >
> > If you need even more control you can create your own SecurityManager and
> > register it with the broker.  The interface to extend is:
> >
> https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQSecurityManager3.java
> >
> > The validateUserAndRole() method is where you do your ACL checks
> >
> > A default implementation that delegates to a JAAS module is including in
> > the broker already which you can use as an example or to extend:
> >
> https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java
> >
> > On Mon, Aug 26, 2019 at 8:01 AM Modanese, Riccardo
> > <Ri...@eurotech.com.invalid> wrote:
> >
> >> I already read this page and I wasn’t able to find any helpful
> information.
> >> In our use case each user has ACL depending on the username itself.
> >> Moreover a user can be added at runtime and the broker must be able to
> >> create and handle correctly the ACL also for the new created user.
> >>
> >> So, at the end, what I need is the capability of creating ACL
> >> programmatically and keep them in a session in order to be used every
> time
> >> a client publishes a message or subscribes an address.
> >> In ActiveMQ 5 this was possible ( [1] - [2] ) by creating a
> >> DefaultAuthorizationMap object, but I cannot find a similar object in
> >> Artemis
> >>
> >> [1]
> >>
> https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L683
> >> [2]
> >>
> https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L557
> >>
> >>
> >> On 26 Aug 2019, at 13:43, Christopher Shannon <christopher.l.shannon@gmail.com> wrote:
> >>
> >> All of the info you should need to get started should be here:
> >>
> >>
> https://activemq.apache.org/components/artemis/documentation/latest/security.html
> >>
> >> On Mon, Aug 26, 2019 at 6:24 AM Modanese, Riccardo
> >> <Ri...@eurotech.com.invalid> wrote:
> >>
> >> Hello,
> >>   In our ActiveMQ 5.x security plugin code we are enforcing ACL
> >> programmatically so I’m investigating how to migrate our current ACL
> from
> >> ActiveMQ 5.x to Artemis.
> >>
> >> I took a look into Artemis source code and I didn’t find any similar
> >> object to those present in ActiveMQ 5.x (E.g.
> >> org.apache.activemq.security.AuthorizationMap,
> >> org.apache.activemq.security.AuthorizationEntry, ...)
> >>
> >> Can you point me to the right direction?
>
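
Added example, not code from this thread or from the Artemis project: a SecuritySettingPlugin that keeps the repository handed to setSecurityRepository() and adds or removes one match per user at runtime, as the reply above suggests. The class name, the onUserAdded/onUserRemoved hooks, the "acct.<user>.#" match layout and the convention that every user holds a role named after the username are assumptions; the ten-flag Role constructor is the one in the Artemis 2.x releases of the thread's time, so check it against the version in use.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

import org.apache.activemq.artemis.core.security.Role;
import org.apache.activemq.artemis.core.server.SecuritySettingPlugin;
import org.apache.activemq.artemis.core.settings.HierarchicalRepository;

// Register with Configuration.addSecuritySettingPlugin(...) on an embedded
// broker, or with <security-setting-plugin class-name="..."/> in broker.xml.
public class RuntimeAclPlugin implements SecuritySettingPlugin {

   private static final long serialVersionUID = 1L;

   // The username is spliced into a wildcard match, so refuse names that
   // could contain '.', '#' or '*'.
   private static final Pattern SAFE_USER = Pattern.compile("[A-Za-z0-9_-]{1,64}");

   // Set by the broker at startup; not serializable, hence transient.
   private transient volatile HierarchicalRepository<Set<Role>> repository;

   @Override
   public SecuritySettingPlugin init(Map<String, String> options) {
      return this;
   }

   @Override
   public SecuritySettingPlugin stop() {
      return this;
   }

   @Override
   public Map<String, Set<Role>> getSecurityRoles() {
      return new HashMap<>(); // nothing static: all matches are added at runtime
   }

   @Override
   public void setSecurityRepository(HierarchicalRepository<Set<Role>> securityRepository) {
      this.repository = securityRepository;
   }

   private static String matchFor(String user) {
      if (user == null || !SAFE_USER.matcher(user).matches()) {
         throw new IllegalArgumentException("username not usable in an address match");
      }
      return "acct." + user + ".#";
   }

   private HierarchicalRepository<Set<Role>> repo() {
      HierarchicalRepository<Set<Role>> r = repository;
      if (r == null) {
         throw new IllegalStateException("broker has not called setSecurityRepository yet");
      }
      return r;
   }

   /** Hypothetical callback from the external user store. */
   public void onUserAdded(String user) {
      // Flag order: send, consume, createDurableQueue, deleteDurableQueue,
      // createNonDurableQueue, deleteNonDurableQueue, manage, browse,
      // createAddress, deleteAddress.
      Role own = new Role(user, true, true, false, false, true, true, false, false, true, false);
      Set<Role> roles = new HashSet<>();
      roles.add(own);
      repo().addMatch(matchFor(user), roles);
   }

   /** Hypothetical callback from the external user store. */
   public void onUserRemoved(String user) {
      repo().removeMatch(matchFor(user));
   }
}
```

With this approach the repository holds one match per user, which is the growth the original poster raises when saying the user and ACL profiles could number in the thousands.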

Re: Artemis - Implement ACL programmatically

Posted by "Modanese, Riccardo" <Ri...@eurotech.com.INVALID>.
I think the SecuritySettingPlugin will not solve my issue but an ActiveMQSecurityManager3 custom implementation could be.

So I tried to plug an ActiveMQSecurityManager3 implementation but without any success.
From my understanding this plugin should be defined in bootstrap.xml but unfortunately I found no way to replace the jaas-security tag with another one pointing to my configuration DTO (the xsd doesn’t provide an alternative tag to jaas-security).

Anyway, just to be sure if the ActiveMQSecurityManager3 API could fit my needs, is the method validateUserAndRole called before every publish/subscribe?

> On 26 Aug 2019, at 18:00, Christopher Shannon <ch...@gmail.com> wrote:
> 
> You might need to write some custom code to do what you want and you could
> try a custom Security plugin.
> See the API and Java docs for the security setting plugin:
> https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/SecuritySettingPlugin.java
> 
> If you need even more control you can create your own SecurityManager and
> register it with the broker.  The interface to extend is:
> https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQSecurityManager3.java
> 
> The validateUserAndRole() method is where you do your ACL checks
> 
> A default implementation that delegates to a JAAS module is including in
> the broker already which you can use as an example or to extend:
> https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java
> 
> On Mon, Aug 26, 2019 at 8:01 AM Modanese, Riccardo
> <Ri...@eurotech.com.invalid> wrote:
> 
>> I already read this page and I wasn’t able to find any helpful information.
>> In our use case each user has ACL depending on the username itself.
>> Moreover a user can be added at runtime and the broker must be able to
>> create and handle correctly the ACL also for the newly created user.
>> 
>> So, in the end, what I need is the capability of creating ACL
>> programmatically and keeping them in a session in order to be used every time
>> a client publishes a message or subscribes to an address.
>> In ActiveMQ 5 this was possible ( [1] - [2] ) by creating a
>> DefaultAuthorizationMap object, but I cannot find a similar object in
>> Artemis.
>> 
>> [1]
>> https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L683
>> [2]
>> https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L557
>> 
>> 
>> On 26 Aug 2019, at 13:43, Christopher Shannon
>> <christopher.l.shannon@gmail.com> wrote:
>> 
>> All of the info you should need to get started should be here:
>> 
>> https://activemq.apache.org/components/artemis/documentation/latest/security.html
>> 
>> On Mon, Aug 26, 2019 at 6:24 AM Modanese, Riccardo
>> <Ri...@eurotech.com.invalid> wrote:
>> 
>> Hello,
>>   In our ActiveMQ 5.x security plugin code we are enforcing ACL
>> programmatically so I’m investigating how to migrate our current ACL from
>> ActiveMQ 5.x to Artemis.
>> 
>> I took a look into Artemis source code and I didn’t find any similar
>> object to those present in ActiveMQ 5.x (E.g.
>> org.apache.activemq.security.AuthorizationMap,
>> org.apache.activemq.security.AuthorizationEntry, ...)
>> 
>> Can you point me in the right direction?
>> 
>> 
>> 


Re: Artemis - Implement ACL programmatically

Posted by Christopher Shannon <ch...@gmail.com>.
You might need to write some custom code to do what you want and you could
try a custom Security plugin.
See the API and Java docs for the security setting plugin:
https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/SecuritySettingPlugin.java

If you need even more control you can create your own SecurityManager and
register it with the broker.  The interface to extend is:
https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQSecurityManager3.java

The validateUserAndRole() method is where you do your ACL checks

A default implementation that delegates to a JAAS module is included in
the broker already which you can use as an example or to extend:
https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java

On Mon, Aug 26, 2019 at 8:01 AM Modanese, Riccardo
<Ri...@eurotech.com.invalid> wrote:

> I already read this page and I wasn’t able to find any helpful information.
> In our use case each user has ACL depending on the username itself.
> Moreover a user can be added at runtime and the broker must be able to
> create and handle correctly the ACL also for the newly created user.
>
> So, in the end, what I need is the capability of creating ACL
> programmatically and keeping them in a session in order to be used every time
> a client publishes a message or subscribes to an address.
> In ActiveMQ 5 this was possible ( [1] - [2] ) by creating a
> DefaultAuthorizationMap object, but I cannot find a similar object in
> Artemis.
>
> [1]
> https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L683
> [2]
> https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L557
>
>
> On 26 Aug 2019, at 13:43, Christopher Shannon
> <christopher.l.shannon@gmail.com> wrote:
>
> All of the info you should need to get started should be here:
>
> https://activemq.apache.org/components/artemis/documentation/latest/security.html
>
> On Mon, Aug 26, 2019 at 6:24 AM Modanese, Riccardo
> <Ri...@eurotech.com.invalid> wrote:
>
> Hello,
>    In our ActiveMQ 5.x security plugin code we are enforcing ACL
> programmatically so I’m investigating how to migrate our current ACL from
> ActiveMQ 5.x to Artemis.
>
> I took a look into Artemis source code and I didn’t find any similar
> object to those present in ActiveMQ 5.x (E.g.
> org.apache.activemq.security.AuthorizationMap,
> org.apache.activemq.security.AuthorizationEntry, ...)
>
> Can you point me in the right direction?
>
>
>
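
A sketch of the approach suggested in the message above, added here as an example and not code from Artemis or from any poster: an ActiveMQSecurityManager3 implementation whose validateUserAndRole() decides per username and address, with ACLs that can be changed at runtime. The class name, the UserAcl type, putUser/removeUser and the regex-based ACL are assumptions; the roles argument is ignored.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;
import org.apache.activemq.artemis.core.security.CheckType;
import org.apache.activemq.artemis.core.security.Role;
import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;
import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager3;

// Hypothetical class: per-user ACLs that can be added or removed while the broker runs.
public class PerUserAclSecurityManager implements ActiveMQSecurityManager3 {
   // Hypothetical ACL entry. The in-memory password is for the sketch only;
   // a real deployment would delegate authentication to its credential store.
   public static final class UserAcl {
      final byte[] password; final Pattern send; final Pattern consume;
      public UserAcl(String password, String sendRegex, String consumeRegex) {
         this.password = password.getBytes(StandardCharsets.UTF_8);
         this.send = Pattern.compile(sendRegex);
         this.consume = Pattern.compile(consumeRegex);
      }
   }
   private final Map<String, UserAcl> acls = new ConcurrentHashMap<>();

   public void putUser(String user, UserAcl acl) { acls.put(user, acl); }
   public void removeUser(String user) { acls.remove(user); }

   // Returns the ACL only when the credentials match; isEqual avoids an early-exit comparison.
   private UserAcl authenticate(String user, String password) {
      if (user == null || password == null) return null;
      UserAcl acl = acls.get(user);
      boolean ok = acl != null && MessageDigest.isEqual(acl.password, password.getBytes(StandardCharsets.UTF_8));
      return ok ? acl : null;
   }
   @Override
   public String validateUser(String user, String password, RemotingConnection connection) {
      return authenticate(user, password) != null ? user : null;
   }
   @Override
   public String validateUserAndRole(String user, String password, Set<Role> roles,
                                     CheckType checkType, String address, RemotingConnection connection) {
      UserAcl acl = authenticate(user, password);
      if (acl == null || address == null) return null;
      Pattern allowed = checkType == CheckType.SEND ? acl.send
                      : checkType == CheckType.CONSUME ? acl.consume : null; // other operations: deny
      return allowed != null && allowed.matcher(address).matches() ? user : null;
   }
   // Older two- and four-argument entry points carry no address, so authorization fails closed.
   @Override
   public boolean validateUser(String user, String password) { return authenticate(user, password) != null; }
   @Override
   public boolean validateUserAndRole(String user, String password, Set<Role> roles, CheckType checkType) { return false; }
}
```

The broker caches successful authorization checks for the security-invalidation-interval, so removing a user or narrowing an ACL at runtime takes effect only once that cache expires.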

Re: Artemis - Implement ACL programmatically

Posted by "Modanese, Riccardo" <Ri...@eurotech.com.INVALID>.
I already read this page and I wasn’t able to find any helpful information.
In our use case each user has ACL depending on the username itself. Moreover a user can be added at runtime and the broker must be able to create and handle correctly the ACL also for the newly created user.

So, in the end, what I need is the capability of creating ACL programmatically and keeping them in a session in order to be used every time a client publishes a message or subscribes to an address.
In ActiveMQ 5 this was possible ( [1] - [2] ) by creating a DefaultAuthorizationMap object, but I cannot find a similar object in Artemis.

[1] https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L683
[2] https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L557


On 26 Aug 2019, at 13:43, Christopher Shannon <ch...@gmail.com> wrote:

All of the info you should need to get started should be here:
https://activemq.apache.org/components/artemis/documentation/latest/security.html

On Mon, Aug 26, 2019 at 6:24 AM Modanese, Riccardo
<Ri...@eurotech.com.invalid> wrote:

Hello,
   In our ActiveMQ 5.x security plugin code we are enforcing ACL
programmatically so I’m investigating how to migrate our current ACL from
ActiveMQ 5.x to Artemis.

I took a look into Artemis source code and I didn’t find any similar
object to those present in ActiveMQ 5.x (E.g.
org.apache.activemq.security.AuthorizationMap,
org.apache.activemq.security.AuthorizationEntry, ...)

Can you point me in the right direction?



Re: Artemis - Implement ACL programmatically

Posted by Christopher Shannon <ch...@gmail.com>.
All of the info you should need to get started should be here:
https://activemq.apache.org/components/artemis/documentation/latest/security.html

On Mon, Aug 26, 2019 at 6:24 AM Modanese, Riccardo
<Ri...@eurotech.com.invalid> wrote:

> Hello,
>     In our ActiveMQ 5.x security plugin code we are enforcing ACL
> programmatically so I’m investigating how to migrate our current ACL from
> ActiveMQ 5.x to Artemis.
>
> I took a look into Artemis source code and I didn’t find any similar
> object to those present in ActiveMQ 5.x (E.g.
> org.apache.activemq.security.AuthorizationMap,
> org.apache.activemq.security.AuthorizationEntry, ...)
>
> Can you point me in the right direction?
>