Posted to commits@activemq.apache.org by cl...@apache.org on 2017/09/25 14:30:07 UTC

[1/2] activemq-artemis git commit: ARTEMIS-1435 - provide default jolokia-access.xml security policy in etc to lock down cors to http.host

Repository: activemq-artemis
Updated Branches:
  refs/heads/master d7612531f -> bb8c11b1e


ARTEMIS-1435 - provide default jolokia-access.xml security policy in etc to lock down cors to http.host


Project: http://git-wip-us.apache.org/repos/asf/activemq-artemis/repo
Commit: http://git-wip-us.apache.org/repos/asf/activemq-artemis/commit/574e5c8c
Tree: http://git-wip-us.apache.org/repos/asf/activemq-artemis/tree/574e5c8c
Diff: http://git-wip-us.apache.org/repos/asf/activemq-artemis/diff/574e5c8c

Branch: refs/heads/master
Commit: 574e5c8c7bb2cb4b9a99b98b5c3c512d092365fe
Parents: d761253
Author: gtully <ga...@gmail.com>
Authored: Fri Sep 22 21:31:22 2017 +0100
Committer: gtully <ga...@gmail.com>
Committed: Mon Sep 25 10:37:09 2017 +0100

----------------------------------------------------------------------
 .../activemq/artemis/cli/commands/Create.java   |  2 ++
 .../cli/commands/bin/artemis-service.xml        |  1 +
 .../artemis/cli/commands/etc/artemis.profile    |  2 +-
 .../cli/commands/etc/artemis.profile.cmd        |  2 +-
 .../artemis/cli/commands/etc/jolokia-access.xml | 33 ++++++++++++++++++++
 .../activemq/cli/test/StreamClassPathTest.java  |  1 +
 docs/user-manual/en/management-console.md       |  6 ++++
 7 files changed, 45 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/574e5c8c/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/commands/Create.java
----------------------------------------------------------------------
diff --git a/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/commands/Create.java b/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/commands/Create.java
index aabb3fe..bd0b4cd 100644
--- a/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/commands/Create.java
+++ b/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/commands/Create.java
@@ -104,6 +104,7 @@ public class Create extends InputAbstract {
 
    public static final String ETC_GLOBAL_MAX_SPECIFIED_TXT = "etc/global-max-specified.txt";
    public static final String ETC_GLOBAL_MAX_DEFAULT_TXT = "etc/global-max-default.txt";
+   public static final String ETC_JOLOKIA_ACCESS_XML = "etc/jolokia-access.xml";
 
    @Arguments(description = "The instance directory to hold the broker's configuration and data.  Path must be writable.", required = true)
    private File directory;
@@ -687,6 +688,7 @@ public class Create extends InputAbstract {
       // we want this variable to remain unchanged so that it will use the value set in the profile
       filters.remove("${artemis.instance}");
       write(ETC_BOOTSTRAP_XML, filters, false);
+      write(ETC_JOLOKIA_ACCESS_XML, filters, false);
 
       context.out.println("");
       context.out.println("You can now start the broker by executing:  ");
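Review bot: `write(ETC_JOLOKIA_ACCESS_XML, filters, false)` runs the new policy file through the same filter map as bootstrap.xml, so the `${http.host}` token inside jolokia-access.xml is presumably resolved to the instance's http host once, at creation time; an operator who later edits the web binding in bootstrap.xml is left with a stale CORS allow-origin, and nothing in the hunk records that coupling. A short comment above the call would help the next maintainer: `// jolokia-access.xml is filtered with ${http.host} at create time; it does not track later edits to bootstrap.xml`. The enclosing method starts and ends outside the hunk.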

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/574e5c8c/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/bin/artemis-service.xml
----------------------------------------------------------------------
diff --git a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/bin/artemis-service.xml b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/bin/artemis-service.xml
index aab7f6c..cb98364 100644
--- a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/bin/artemis-service.xml
+++ b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/bin/artemis-service.xml
@@ -62,6 +62,7 @@
    <argument>-Dhawtio.offline="true"</argument>
    <argument>-Dhawtio.role=${role}</argument>
    <argument>-Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal</argument>
+   <argument>-Djolokia.policyLocation=%ARTEMIS_INSTANCE_URI%/etc/jolokia-access.xml</argument>
 
    <!-- Debug args: Uncomment to enable debug
    <argument>-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=5005</argument>

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/574e5c8c/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile
----------------------------------------------------------------------
diff --git a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile
index c982232..4173e32 100644
--- a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile
+++ b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile
@@ -28,7 +28,7 @@ ARTEMIS_INSTANCE_URI='${artemis.instance.uri}'
 
 
 # Java Opts
-JAVA_ARGS="${java-opts} -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+AggressiveOpts -XX:+UseFastAccessorMethods -Xms512M -Xmx2G -Dhawtio.realm=activemq  -Dhawtio.offline="true" -Dhawtio.role=${role} -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal"
+JAVA_ARGS="${java-opts} -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+AggressiveOpts -XX:+UseFastAccessorMethods -Xms512M -Xmx2G -Dhawtio.realm=activemq  -Dhawtio.offline="true" -Dhawtio.role=${role} -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal -Djolokia.policyLocation=file:etc/jolokia-access.xml"
 
 #
 # There might be options that you only want to enable on specifc commands, like setting a JMX port
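Review bot: The new `-Djolokia.policyLocation=file:etc/jolokia-access.xml` on the JAVA_ARGS line is a working-directory-relative file URL, so it only resolves when the JVM is launched from the instance directory; started from anywhere else, or by a service manager with a different working directory, the policy file is not found. As far as I recall, Jolokia's behaviour when the configured policy location cannot be opened is to fall back to an unrestricted restrictor rather than to fail, which would silently undo the CORS lock-down this commit introduces — worth verifying against the Jolokia version shipped here. The hunk header shows `ARTEMIS_INSTANCE_URI='${artemis.instance.uri}'` defined earlier in this same profile, and both Windows launchers in this commit already build the location from `%ARTEMIS_INSTANCE_URI%`; using `-Djolokia.policyLocation=${ARTEMIS_INSTANCE_URI}/etc/jolokia-access.xml` here would be location-independent and consistent across the three launchers.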

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/574e5c8c/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile.cmd
----------------------------------------------------------------------
diff --git a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile.cmd b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile.cmd
index 0d4cd46..0ed593e 100644
--- a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile.cmd
+++ b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile.cmd
@@ -28,7 +28,7 @@ rem Cluster Properties: Used to pass arguments to ActiveMQ Artemis which can be
 rem set ARTEMIS_CLUSTER_PROPS=-Dactivemq.remoting.default.port=61617 -Dactivemq.remoting.amqp.port=5673 -Dactivemq.remoting.stomp.port=61614 -Dactivemq.remoting.hornetq.port=5446
 
 rem Java Opts
-set JAVA_ARGS=${java-opts} -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+AggressiveOpts -XX:+UseFastAccessorMethods -Xms512M -Xmx1024M -Xbootclasspath/a:%ARTEMIS_HOME%\lib\${logmanager} -Djava.security.auth.login.config=%ARTEMIS_INSTANCE%\etc\login.config -Dhawtio.offline="true" -Dhawtio.realm=activemq -Dhawtio.role=${role} -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal -Dartemis.instance=%ARTEMIS_INSTANCE%
+set JAVA_ARGS=${java-opts} -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+AggressiveOpts -XX:+UseFastAccessorMethods -Xms512M -Xmx1024M -Xbootclasspath/a:%ARTEMIS_HOME%\lib\${logmanager} -Djava.security.auth.login.config=%ARTEMIS_INSTANCE%\etc\login.config -Dhawtio.offline="true" -Dhawtio.realm=activemq -Dhawtio.role=${role} -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal -Djolokia.policyLocation=%ARTEMIS_INSTANCE_URI%\etc\jolokia-access.xml -Dartemis.instance=%ARTEMIS_INSTANCE%
 
 rem There might be options that you only want to enable on specifc commands, like setting a JMX port
 rem See https://issues.apache.org/jira/browse/ARTEMIS-318
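Review bot: The added `-Djolokia.policyLocation=%ARTEMIS_INSTANCE_URI%\etc\jolokia-access.xml` appends backslash-separated segments to what is, by its name, a `file:` URI, while the `artemis-service.xml` hunk earlier in this commit builds the same value with forward slashes (`%ARTEMIS_INSTANCE_URI%/etc/jolokia-access.xml`). Whether Jolokia's URL-based policy lookup tolerates the mixed separators on Windows is not visible here; if it does not, the likely failure mode is that the policy is silently not applied rather than a startup error, so at minimum the two launchers should agree — I would change this one to `-Djolokia.policyLocation=%ARTEMIS_INSTANCE_URI%/etc/jolokia-access.xml`. A check that a cross-origin request to the console is actually refused on a broker started through this profile would confirm the setting.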

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/574e5c8c/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/jolokia-access.xml
----------------------------------------------------------------------
diff --git a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/jolokia-access.xml b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/jolokia-access.xml
new file mode 100644
index 0000000..aff5656
--- /dev/null
+++ b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/jolokia-access.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+<!-- This policy file controls the Jolokia JMX-HTTP bridge security options for the web console.
+   see: https://jolokia.org/reference/html/security.html -->
+<restrict>
+
+    <cors>
+        <!-- Allow cross origin access from ${http.host} ... -->
+        <allow-origin>*://${http.host}*</allow-origin>
+
+        <!-- Check for the proper origin on the server side, too -->
+        <strict-checking/>
+    </cors>
+
+</restrict>
\ No newline at end of file
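Review bot: The `<allow-origin>*://${http.host}*</allow-origin>` pattern has no separator between the host and the trailing wildcard, so besides matching any port it also matches any origin whose host merely begins with the configured value (with the default `localhost`, a host such as `localhost.example` is accepted). Jolokia treats `*` in origin patterns as a plain wildcard and `<cors>` accepts several `<allow-origin>` entries, so the port can be allowed without the prefix match: `<allow-origin>*://${http.host}</allow-origin>` followed by `<allow-origin>*://${http.host}:*</allow-origin>` (the first covers origins on a default port, which carry no port suffix). `<strict-checking/>` is the right companion, since it applies the origin check to every request rather than only to preflights. Note also that this default restricts only the request origin; the file comment could mention that the linked Jolokia guide's `<commands>`/`<deny>` sections are what an operator would use to limit which MBeans and operations the bridge exposes.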

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/574e5c8c/artemis-cli/src/test/java/org/apache/activemq/cli/test/StreamClassPathTest.java
----------------------------------------------------------------------
diff --git a/artemis-cli/src/test/java/org/apache/activemq/cli/test/StreamClassPathTest.java b/artemis-cli/src/test/java/org/apache/activemq/cli/test/StreamClassPathTest.java
index c7fe76b..c802fb2 100644
--- a/artemis-cli/src/test/java/org/apache/activemq/cli/test/StreamClassPathTest.java
+++ b/artemis-cli/src/test/java/org/apache/activemq/cli/test/StreamClassPathTest.java
@@ -58,6 +58,7 @@ public class StreamClassPathTest {
       openStream(Create.ETC_COMMENTED_PING_TXT);
       openStream(Create.ETC_GLOBAL_MAX_SPECIFIED_TXT);
       openStream(Create.ETC_GLOBAL_MAX_DEFAULT_TXT);
+      openStream(Create.ETC_JOLOKIA_ACCESS_XML);
 
    }
 

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/574e5c8c/docs/user-manual/en/management-console.md
----------------------------------------------------------------------
diff --git a/docs/user-manual/en/management-console.md b/docs/user-manual/en/management-console.md
index d7956c8..80d22bb 100644
--- a/docs/user-manual/en/management-console.md
+++ b/docs/user-manual/en/management-console.md
@@ -13,6 +13,12 @@ A login screen will be presented, if your broker is secure, you will need to use
 
 ![ActiveMQ Artemis Console Login](images/console-login.png)
 
+## Security
+
+That Jolokia JMX-HTTP bridge is secured via a policy file in the broker configuration directory: 'etc/jolokia-access.xml'.
+The contents of that file should be modified as described in the [Jolokia Security Guide](https://jolokia.org/reference/html/security.html).
+By default the console is locked down
+to 'localhost', pay particular attention to the 'CORS' restrictions when exposing the console web endpoint over the network.
 
 ## Console
 


[2/2] activemq-artemis git commit: This closes #1550

Posted by cl...@apache.org.
This closes #1550


Project: http://git-wip-us.apache.org/repos/asf/activemq-artemis/repo
Commit: http://git-wip-us.apache.org/repos/asf/activemq-artemis/commit/bb8c11b1
Tree: http://git-wip-us.apache.org/repos/asf/activemq-artemis/tree/bb8c11b1
Diff: http://git-wip-us.apache.org/repos/asf/activemq-artemis/diff/bb8c11b1

Branch: refs/heads/master
Commit: bb8c11b1e3ad3f047ef8e8e7e1bb140f7993b4d0
Parents: d761253 574e5c8
Author: Clebert Suconic <cl...@apache.org>
Authored: Mon Sep 25 10:30:18 2017 -0400
Committer: Clebert Suconic <cl...@apache.org>
Committed: Mon Sep 25 10:30:18 2017 -0400

----------------------------------------------------------------------
 .../activemq/artemis/cli/commands/Create.java   |  2 ++
 .../cli/commands/bin/artemis-service.xml        |  1 +
 .../artemis/cli/commands/etc/artemis.profile    |  2 +-
 .../cli/commands/etc/artemis.profile.cmd        |  2 +-
 .../artemis/cli/commands/etc/jolokia-access.xml | 33 ++++++++++++++++++++
 .../activemq/cli/test/StreamClassPathTest.java  |  1 +
 docs/user-manual/en/management-console.md       |  6 ++++
 7 files changed, 45 insertions(+), 2 deletions(-)
----------------------------------------------------------------------