Posted to users@activemq.apache.org by gfrank <gr...@netfrank.net> on 2008/11/06 00:37:38 UTC

Dynamic Security Configuration of users and roles

hopefully someone can give advice on this, my project requires dynamic
creation of topics, users and roles such that a given topic can only be
accessed by one user and that user can only access that one topic.  this
must be done in a programmatic fashion without bouncing the activemq server
as a user represents a customer and the system must be able to add customers
on-the-fly without downtime.

i've noticed an object: org.apache.activemq.security.AuthorizationBroker
which implements a jmx interface to create roles and add them to users and
topics.  I'm not sure if this is a proper target for my needs and i don't see
it visible in a jmx console.

perhaps the answer is to move to some sort of database-backed authentication
module and then just manipulate the database with code?  i'd prefer to keep
databases out of my implementation and use direct programmatic manipulation
of the activemq server.

thanks for any advice,
Greg
-- 
View this message in context: http://www.nabble.com/Dynamic-Security-Configuration-of-users-and-roles-tp20352446p20352446.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.


Re: Dynamic Security Configuration of users and roles

Posted by Joe Fernandez <jo...@ttmsolutions.com>.
Hi Greg, 

AFAIK, ActiveMQ does not currently provide a solution to your specific
programmatic requirement. 

Joe 


gfrank wrote:
> 
> hi Joe,
> 
> Thanks for the reply.  Just to be absolutely clear, you are saying that
> there is no existing authentication and authorization solution open to
> programmatic manipulation and i should write my own.
> 
> Thanks,
> Greg
> 
> 
> 
> 
> Joe Fernandez wrote:
>> 
>> There's both authentication and authorization to take into account. If
>> you want to take your direct programmatic approach via JMX, consider
>> creating security plug-ins through which you can both authenticate and
>> authorize. Maybe use the existing security plug-ins as models. Extend
>> AuthorizationBroker so that you can override and actually implement the
>> SecurityAdminMBean methods. Then have your plug-in register it with the
>> MBeanServer. Question: how do you intend to persist your updates so that
>> they stick if and when you do bounce the broker?
>> 
>> Joe
>> Get a free ActiveMQ User Guide @ http://www.ttmsolutions.com
>> 
>> 
>> 
>> gfrank wrote:
>>> 
>>> hopefully someone can give advice on this, my project requires dynamic
>>> creation of topics, users and roles such that a given topic can only be
>>> accessed by one user and that user can only access that one topic.  this
>>> must be done in a programmatic fashion without bouncing the activemq
>>> server as a user represents a customer and the system must be able to add
>>> customers on-the-fly without downtime.
>>> 
>>> i've noticed an object: org.apache.activemq.security.AuthorizationBroker
>>> which implements a jmx interface to create roles and add them to users
>>> and topics.  I'm not sure if this is a proper target for my needs and i
>>> don't see it visible in a jmx console.
>>> 
>>> perhaps the answer is to move to some sort of database-backed
>>> authentication module and then just manipulate the database with code? 
>>> i'd prefer to keep databases out of my implementation and use direct
>>> programmatic manipulation of the activemq server.
>>> 
>>> thanks for any advice,
>>> Greg
>>> 
>> 
>> 
> 
> 



Re: Dynamic Security Configuration of users and roles

Posted by gfrank <gr...@netfrank.net>.
hi Joe,

Thanks for the reply.  Just to be absolutely clear, you are saying that
there is no existing authentication and authorization solution open to
programmatic manipulation and i should write my own.

Thanks,
Greg




Joe Fernandez wrote:
> 
> There's both authentication and authorization to take into account. If you
> want to take your direct programmatic approach via JMX, consider creating
> security plug-ins through which you can both authenticate and authorize.
> Maybe use the existing security plug-ins as models. Extend
> AuthorizationBroker so that you can override and actually implement the
> SecurityAdminMBean methods. Then have your plug-in register it with the
> MBeanServer. Question: how do you intend to persist your updates so that
> they stick if and when you do bounce the broker?
> 
> Joe
> Get a free ActiveMQ User Guide @ http://www.ttmsolutions.com
> 
> 
> 
> gfrank wrote:
>> 
>> hopefully someone can give advice on this, my project requires dynamic
>> creation of topics, users and roles such that a given topic can only be
>> accessed by one user and that user can only access that one topic.  this
>> must be done in a programmatic fashion without bouncing the activemq
>> server as a user represents a customer and the system must be able to add
>> customers on-the-fly without downtime.
>> 
>> i've noticed an object: org.apache.activemq.security.AuthorizationBroker
>> which implements a jmx interface to create roles and add them to users
>> and topics.  I'm not sure if this is a proper target for my needs and i
>> don't see it visible in a jmx console.
>> 
>> perhaps the answer is to move to some sort of database-backed
>> authentication module and then just manipulate the database with code? 
>> i'd prefer to keep databases out of my implementation and use direct
>> programmatic manipulation of the activemq server.
>> 
>> thanks for any advice,
>> Greg
>> 
> 
> 



Re: Dynamic Security Configuration of users and roles

Posted by Joe Fernandez <jo...@ttmsolutions.com>.
There's both authentication and authorization to take into account. If you
want to take your direct programmatic approach via JMX, consider creating
security plug-ins through which you can both authenticate and authorize.
Maybe use the existing security plug-ins as models. Extend
AuthorizationBroker so that you can override and actually implement the
SecurityAdminMBean methods. Then have your plug-in register it with the
MBeanServer. Question: how do you intend to persist your updates so that
they stick if and when you do bounce the broker?

Joe
Get a free ActiveMQ User Guide @ http://www.ttmsolutions.com



gfrank wrote:
> 
> hopefully someone can give advice on this, my project requires dynamic
> creation of topics, users and roles such that a given topic can only be
> accessed by one user and that user can only access that one topic.  this
> must be done in a programmatic fashion without bouncing the activemq
> server as a user represents a customer and the system must be able to add
> customers on-the-fly without downtime.
> 
> i've noticed an object: org.apache.activemq.security.AuthorizationBroker
> which implements a jmx interface to create roles and add them to users and
> topics.  I'm not sure if this is a proper target for my needs and i don't
> see it visible in a jmx console.
> 
> perhaps the answer is to move to some sort of database-backed
> authentication module and then just manipulate the database with code? 
> i'd prefer to keep databases out of my implementation and use direct
> programmatic manipulation of the activemq server.
> 
> thanks for any advice,
> Greg
> 
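
An added illustration of the approach suggested in this reply (an admin MBean registered with the MBeanServer so that grants can change without a restart); it is not code from the thread or from ActiveMQ. It uses only the JDK's JMX classes, and `TopicAclAdmin`, `TopicAcl` and the `example.security` object name are hypothetical stand-ins, not ActiveMQ's `SecurityAdminMBean` or `AuthorizationBroker`.

```java
import java.lang.management.ManagementFactory;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.management.StandardMBean;

public class TopicAclDemo {
    // Hypothetical management interface (assumption, not an ActiveMQ type).
    public interface TopicAclAdmin {
        void grant(String user, String topic);
        void revoke(String user);
        boolean isAllowed(String user, String topic);
    }

    // In-memory ACL enforcing "one user per topic, one topic per user".
    // State is lost on restart: persistence is the open question in the thread.
    public static class TopicAcl implements TopicAclAdmin {
        private final Map<String, String> topicByUser = new HashMap<>();
        private final Map<String, String> userByTopic = new HashMap<>();

        public synchronized void grant(String user, String topic) {
            // Refuse to rebind: a second grant would break customer isolation.
            if (topicByUser.containsKey(user) || userByTopic.containsKey(topic))
                throw new IllegalStateException("user or topic already bound");
            topicByUser.put(user, topic);
            userByTopic.put(topic, user);
        }
        public synchronized void revoke(String user) {
            String topic = topicByUser.remove(user);
            if (topic != null) userByTopic.remove(topic);
        }
        // Fail closed: unknown users, unknown topics and nulls are denied.
        public synchronized boolean isAllowed(String user, String topic) {
            return user != null && topic != null && topic.equals(topicByUser.get(user));
        }
    }

    public static void main(String[] args) throws Exception {
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        ObjectName name = new ObjectName("example.security:type=TopicAcl");
        // Anyone who can reach this MBean can change grants, so the JMX
        // connector itself must require authentication.
        mbs.registerMBean(new StandardMBean(new TopicAcl(), TopicAclAdmin.class), name);
        String[] sig = {"java.lang.String", "java.lang.String"};
        // Constructed sample customers, added at runtime through JMX.
        mbs.invoke(name, "grant", new Object[]{"customerA", "topic.customerA"}, sig);
        System.out.println(mbs.invoke(name, "isAllowed", new Object[]{"customerA", "topic.customerA"}, sig));
        System.out.println(mbs.invoke(name, "isAllowed", new Object[]{"customerA", "topic.customerB"}, sig));
    }
}
```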
