Posted to commits@activemq.apache.org by cl...@apache.org on 2017/09/25 14:30:07 UTC
[1/2] activemq-artemis git commit: ARTEMIS-1435 - provide default
jolokia-access.xml security policy in etc to lock down cors to http.host
Repository: activemq-artemis
Updated Branches:
refs/heads/master d7612531f -> bb8c11b1e
ARTEMIS-1435 - provide default jolokia-access.xml security policy in etc to lock down cors to http.host
Project: http://git-wip-us.apache.org/repos/asf/activemq-artemis/repo
Commit: http://git-wip-us.apache.org/repos/asf/activemq-artemis/commit/574e5c8c
Tree: http://git-wip-us.apache.org/repos/asf/activemq-artemis/tree/574e5c8c
Diff: http://git-wip-us.apache.org/repos/asf/activemq-artemis/diff/574e5c8c
Branch: refs/heads/master
Commit: 574e5c8c7bb2cb4b9a99b98b5c3c512d092365fe
Parents: d761253
Author: gtully <ga...@gmail.com>
Authored: Fri Sep 22 21:31:22 2017 +0100
Committer: gtully <ga...@gmail.com>
Committed: Mon Sep 25 10:37:09 2017 +0100
----------------------------------------------------------------------
.../activemq/artemis/cli/commands/Create.java | 2 ++
.../cli/commands/bin/artemis-service.xml | 1 +
.../artemis/cli/commands/etc/artemis.profile | 2 +-
.../cli/commands/etc/artemis.profile.cmd | 2 +-
.../artemis/cli/commands/etc/jolokia-access.xml | 33 ++++++++++++++++++++
.../activemq/cli/test/StreamClassPathTest.java | 1 +
docs/user-manual/en/management-console.md | 6 ++++
7 files changed, 45 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/574e5c8c/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/commands/Create.java
----------------------------------------------------------------------
diff --git a/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/commands/Create.java b/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/commands/Create.java
index aabb3fe..bd0b4cd 100644
--- a/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/commands/Create.java
+++ b/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/commands/Create.java
@@ -104,6 +104,7 @@ public class Create extends InputAbstract {
public static final String ETC_GLOBAL_MAX_SPECIFIED_TXT = "etc/global-max-specified.txt";
public static final String ETC_GLOBAL_MAX_DEFAULT_TXT = "etc/global-max-default.txt";
+ public static final String ETC_JOLOKIA_ACCESS_XML = "etc/jolokia-access.xml";
@Arguments(description = "The instance directory to hold the broker's configuration and data. Path must be writable.", required = true)
private File directory;
@@ -687,6 +688,7 @@ public class Create extends InputAbstract {
// we want this variable to remain unchanged so that it will use the value set in the profile
filters.remove("${artemis.instance}");
write(ETC_BOOTSTRAP_XML, filters, false);
+ write(ETC_JOLOKIA_ACCESS_XML, filters, false);
context.out.println("");
context.out.println("You can now start the broker by executing: ");
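Review bot: The new `write(ETC_JOLOKIA_ACCESS_XML, filters, false);` depends on the `filters` map still containing the `${http.host}` key, because the template it writes (jolokia-access.xml in this commit) builds its only allowed origin from that placeholder; the only filter visibly touched here is the `filters.remove("${artemis.instance}")` just above, so this presumably holds, but it is set outside the hunk and I cannot confirm it from here. If the key were missing the literal `${http.host}` would land in the instance's policy and the console's cross-origin access would fail closed rather than open, which is the safe direction but a confusing one to debug. A one-line comment would make the dependency explicit: `// jolokia-access.xml derives its CORS allow-origin from ${http.host}; keep that filter in place`. The enclosing method starts and ends outside the hunk.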
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/574e5c8c/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/bin/artemis-service.xml
----------------------------------------------------------------------
diff --git a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/bin/artemis-service.xml b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/bin/artemis-service.xml
index aab7f6c..cb98364 100644
--- a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/bin/artemis-service.xml
+++ b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/bin/artemis-service.xml
@@ -62,6 +62,7 @@
<argument>-Dhawtio.offline="true"</argument>
<argument>-Dhawtio.role=${role}</argument>
<argument>-Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal</argument>
+ <argument>-Djolokia.policyLocation=%ARTEMIS_INSTANCE_URI%/etc/jolokia-access.xml</argument>
<!-- Debug args: Uncomment to enable debug
<argument>-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=5005</argument>
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/574e5c8c/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile
----------------------------------------------------------------------
diff --git a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile
index c982232..4173e32 100644
--- a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile
+++ b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile
@@ -28,7 +28,7 @@ ARTEMIS_INSTANCE_URI='${artemis.instance.uri}'
# Java Opts
-JAVA_ARGS="${java-opts} -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+AggressiveOpts -XX:+UseFastAccessorMethods -Xms512M -Xmx2G -Dhawtio.realm=activemq -Dhawtio.offline="true" -Dhawtio.role=${role} -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal"
+JAVA_ARGS="${java-opts} -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+AggressiveOpts -XX:+UseFastAccessorMethods -Xms512M -Xmx2G -Dhawtio.realm=activemq -Dhawtio.offline="true" -Dhawtio.role=${role} -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal -Djolokia.policyLocation=file:etc/jolokia-access.xml"
#
# There might be options that you only want to enable on specifc commands, like setting a JMX port
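Review bot: The new `-Djolokia.policyLocation=file:etc/jolokia-access.xml` on the JAVA_ARGS line is a path relative to the process working directory, not to the instance, so whether the policy is found depends on where the broker is launched from; the other two launchers in this commit (artemis-service.xml and artemis.profile.cmd) anchor it on the instance URI instead. This file already defines `ARTEMIS_INSTANCE_URI='${artemis.instance.uri}'` (visible on the hunk header line), so the same anchoring is available here: `-Djolokia.policyLocation=${ARTEMIS_INSTANCE_URI}/etc/jolokia-access.xml`. Since the point of the change is to lock the console down, it is worth confirming what Jolokia does when the configured policy cannot be loaded; if its fallback is permissive, a cwd-dependent path silently undoes the restriction.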
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/574e5c8c/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile.cmd
----------------------------------------------------------------------
diff --git a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile.cmd b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile.cmd
index 0d4cd46..0ed593e 100644
--- a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile.cmd
+++ b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile.cmd
@@ -28,7 +28,7 @@ rem Cluster Properties: Used to pass arguments to ActiveMQ Artemis which can be
rem set ARTEMIS_CLUSTER_PROPS=-Dactivemq.remoting.default.port=61617 -Dactivemq.remoting.amqp.port=5673 -Dactivemq.remoting.stomp.port=61614 -Dactivemq.remoting.hornetq.port=5446
rem Java Opts
-set JAVA_ARGS=${java-opts} -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+AggressiveOpts -XX:+UseFastAccessorMethods -Xms512M -Xmx1024M -Xbootclasspath/a:%ARTEMIS_HOME%\lib\${logmanager} -Djava.security.auth.login.config=%ARTEMIS_INSTANCE%\etc\login.config -Dhawtio.offline="true" -Dhawtio.realm=activemq -Dhawtio.role=${role} -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal -Dartemis.instance=%ARTEMIS_INSTANCE%
+set JAVA_ARGS=${java-opts} -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+AggressiveOpts -XX:+UseFastAccessorMethods -Xms512M -Xmx1024M -Xbootclasspath/a:%ARTEMIS_HOME%\lib\${logmanager} -Djava.security.auth.login.config=%ARTEMIS_INSTANCE%\etc\login.config -Dhawtio.offline="true" -Dhawtio.realm=activemq -Dhawtio.role=${role} -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal -Djolokia.policyLocation=%ARTEMIS_INSTANCE_URI%\etc\jolokia-access.xml -Dartemis.instance=%ARTEMIS_INSTANCE%
rem There might be options that you only want to enable on specifc commands, like setting a JMX port
rem See https://issues.apache.org/jira/browse/ARTEMIS-318
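Review bot: The added `-Djolokia.policyLocation=%ARTEMIS_INSTANCE_URI%\etc\jolokia-access.xml` mixes backslash separators into what the variable name suggests is a URI, whereas the equivalent setting in artemis-service.xml in this same commit uses `%ARTEMIS_INSTANCE_URI%/etc/jolokia-access.xml`. Whether the backslash form resolves depends on how Jolokia parses the location and on how ARTEMIS_INSTANCE_URI is defined earlier in this file (outside the hunk), so I would align it with the service definition, `-Djolokia.policyLocation=%ARTEMIS_INSTANCE_URI%/etc/jolokia-access.xml`, and verify on Windows that the policy is actually loaded rather than falling back to Jolokia's default behaviour.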
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/574e5c8c/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/jolokia-access.xml
----------------------------------------------------------------------
diff --git a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/jolokia-access.xml b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/jolokia-access.xml
new file mode 100644
index 0000000..aff5656
--- /dev/null
+++ b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/jolokia-access.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+<!-- This policy file controls the Jolokia JMX-HTTP bridge security options for the web console.
+ see: https://jolokia.org/reference/html/security.html -->
+<restrict>
+
+ <cors>
+ <!-- Allow cross origin access from ${http.host} ... -->
+ <allow-origin>*://${http.host}*</allow-origin>
+
+ <!-- Check for the proper origin on the server side, too -->
+ <strict-checking/>
+ </cors>
+
+</restrict>
\ No newline at end of file
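Review bot: The allow-origin pattern `*://${http.host}*` uses a trailing `*` presumably to absorb the `:port` suffix, but a trailing wildcard also accepts any origin whose host merely begins with the configured name, so the policy is looser than the comment "Allow cross origin access from ${http.host}" suggests. If the create filters also substitute a port placeholder (the bootstrap template's web binding uses one; I cannot confirm it from this hunk), the entry can be made exact: `<allow-origin>*://${http.host}:${http.port}</allow-origin>`; otherwise the comment should say that the trailing `*` is there for the port and what else it matches. The header comment would also help operators if it stated that this file only restricts browser cross-origin requests (the `<cors>` section) and that any MBean-level restriction still has to be added under the Jolokia policy's other sections, since the file ships with none. Minor: the file ends without a trailing newline.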
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/574e5c8c/artemis-cli/src/test/java/org/apache/activemq/cli/test/StreamClassPathTest.java
----------------------------------------------------------------------
diff --git a/artemis-cli/src/test/java/org/apache/activemq/cli/test/StreamClassPathTest.java b/artemis-cli/src/test/java/org/apache/activemq/cli/test/StreamClassPathTest.java
index c7fe76b..c802fb2 100644
--- a/artemis-cli/src/test/java/org/apache/activemq/cli/test/StreamClassPathTest.java
+++ b/artemis-cli/src/test/java/org/apache/activemq/cli/test/StreamClassPathTest.java
@@ -58,6 +58,7 @@ public class StreamClassPathTest {
openStream(Create.ETC_COMMENTED_PING_TXT);
openStream(Create.ETC_GLOBAL_MAX_SPECIFIED_TXT);
openStream(Create.ETC_GLOBAL_MAX_DEFAULT_TXT);
+ openStream(Create.ETC_JOLOKIA_ACCESS_XML);
}
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/574e5c8c/docs/user-manual/en/management-console.md
----------------------------------------------------------------------
diff --git a/docs/user-manual/en/management-console.md b/docs/user-manual/en/management-console.md
index d7956c8..80d22bb 100644
--- a/docs/user-manual/en/management-console.md
+++ b/docs/user-manual/en/management-console.md
@@ -13,6 +13,12 @@ A login screen will be presented, if your broker is secure, you will need to use
![ActiveMQ Artemis Console Login](images/console-login.png)
+## Security
+
+That Jolokia JMX-HTTP bridge is secured via a policy file in the broker configuration directory: 'etc/jolokia-access.xml'.
+The contents of that file should be modified as described in the [Jolokia Security Guide](https://jolokia.org/reference/html/security.html).
+By default the console is locked down
+to 'localhost', pay particular attention to the 'CORS' restrictions when exposing the console web endpoint over the network.
## Console
[2/2] activemq-artemis git commit: This closes #1550
Posted by cl...@apache.org.
This closes #1550
Project: http://git-wip-us.apache.org/repos/asf/activemq-artemis/repo
Commit: http://git-wip-us.apache.org/repos/asf/activemq-artemis/commit/bb8c11b1
Tree: http://git-wip-us.apache.org/repos/asf/activemq-artemis/tree/bb8c11b1
Diff: http://git-wip-us.apache.org/repos/asf/activemq-artemis/diff/bb8c11b1
Branch: refs/heads/master
Commit: bb8c11b1e3ad3f047ef8e8e7e1bb140f7993b4d0
Parents: d761253 574e5c8
Author: Clebert Suconic <cl...@apache.org>
Authored: Mon Sep 25 10:30:18 2017 -0400
Committer: Clebert Suconic <cl...@apache.org>
Committed: Mon Sep 25 10:30:18 2017 -0400
----------------------------------------------------------------------
.../activemq/artemis/cli/commands/Create.java | 2 ++
.../cli/commands/bin/artemis-service.xml | 1 +
.../artemis/cli/commands/etc/artemis.profile | 2 +-
.../cli/commands/etc/artemis.profile.cmd | 2 +-
.../artemis/cli/commands/etc/jolokia-access.xml | 33 ++++++++++++++++++++
.../activemq/cli/test/StreamClassPathTest.java | 1 +
docs/user-manual/en/management-console.md | 6 ++++
7 files changed, 45 insertions(+), 2 deletions(-)
----------------------------------------------------------------------