Posted to users@activemq.apache.org by Vince Cole <th...@gmail.com> on 2017/05/15 13:37:41 UTC

where is a producer authorized for writing to a virtual destination?

I am running ActiveMQ 5.14.0, with all of the following:
* the JAAS plugin - for user authentication on connection
* a custom plugin - similar to authorizationPlugin - for user authorization
on connection per destination
* Selectors, defined in the broker config, as per
http://activemq.apache.org/virtual-destinations.html ("Using filtered
destinations").

Having tested it, I see that when a producer sends a message to a virtual
destination (the 'ingest' queue) on the broker which is configured with
Selectors to forward a copy of the message to one or more 'destination'
queues, ActiveMQ first checks that the producer has write permission on the
ingest queue but it does NOT check if the producer has write permission on
any of the destination queues.

I can't figure out where in the ActiveMQ codebase to look at the code, to
work out if / how it would be possible to enable this extra checking.

I have looked at CompositeDestinationFilter::send - I see that ActiveMQ
iterates over the set of destinations for which the Selectors are matched on
an incoming message, and sends a copy of the message to each one - but I
can't see where, outside of this class, ActiveMQ makes a decision to check
for write permissions on the ingest queue, but NOT on any of the destination
queues. 

Can anyone shed any light on this please? 
I am hoping that a VirtualDestinationInterceptors config setting somewhere
can be changed to enable the destination checks, otherwise I am going to
have to write my own CompositeDestinationFilter?
--
View this message in context: http://activemq.2283324.n4.nabble.com/where-is-a-producer-authorized-for-writing-to-a-virtual-destination-tp4726149.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: where is a producer authorized for writing to a virtual destination?

Posted by Vince Cole <th...@gmail.com>.
OK, answering my own question here, in case anyone finds it useful:

The Broker instance which is used for the 'destination' queues is a
RegionBroker, which is created in BrokerService::createRegionBroker, and
that doesn't have any interceptors added to it (e.g.
AuthorizationBroker::send).

This is because the call to createRegionBroker happens like this (in
BrokerService.java line 2304)

protected Broker createBroker() throws Exception {
    regionBroker = createRegionBroker();
    Broker broker = addInterceptors(regionBroker);
...

So, what I think is happening here is that broker will have interceptors
added to it, but regionBroker will not. 

So, the only way to fix this is to use a custom plugin. There isn't any
config change possible which would cause the AuthorizationBroker plugin to
be added to the interceptor chain for the regionBroker.
--
View this message in context: http://activemq.2283324.n4.nabble.com/where-is-a-producer-authorized-for-writing-to-a-virtual-destination-tp4726149p4726190.html
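The custom plugin the post above concludes is necessary, written out as an added example (this is not the poster's code and not part of ActiveMQ). It is a BrokerPlugin that wraps the interceptor chain in a BrokerFilter whose send() checks the producer's write ACLs on every queue an ingest queue forwards copies to, using the same AuthorizationMap the authorizationPlugin uses. The package name, the plugin class and the explicit ingest-to-targets map are assumptions: the map has to be configured to mirror the compositeQueue / filteredDestination entries in the broker XML, because the region broker that CompositeDestinationFilter sends into has no interceptors and cannot enforce this itself.

```java
package example.activemq; // hypothetical package name

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.apache.activemq.broker.Broker;
import org.apache.activemq.broker.BrokerFilter;
import org.apache.activemq.broker.BrokerPlugin;
import org.apache.activemq.broker.ProducerBrokerExchange;
import org.apache.activemq.command.ActiveMQDestination;
import org.apache.activemq.command.Message;
import org.apache.activemq.security.AuthorizationMap;
import org.apache.activemq.security.SecurityContext;

/**
 * Added example, not ActiveMQ's own code: when a producer sends to an
 * ingest queue, also check its write ACLs on the queues that ingest queue
 * forwards to. Forward targets are configured explicitly on the plugin
 * (assumed to mirror the virtual destination config in activemq.xml).
 */
public class ForwardTargetAuthorizationPlugin implements BrokerPlugin {

    private AuthorizationMap authorizationMap;
    // ingest queue name -> names of the queues it forwards copies to
    private Map<String, List<String>> forwardTargets = new HashMap<String, List<String>>();

    public void setAuthorizationMap(AuthorizationMap authorizationMap) {
        this.authorizationMap = authorizationMap;
    }

    public void setForwardTargets(Map<String, List<String>> forwardTargets) {
        this.forwardTargets = forwardTargets;
    }

    @Override
    public Broker installPlugin(Broker next) throws Exception {
        if (authorizationMap == null) {
            throw new IllegalStateException("authorizationMap must be set");
        }
        return new ForwardTargetAuthorizationBroker(next, authorizationMap, forwardTargets);
    }

    static class ForwardTargetAuthorizationBroker extends BrokerFilter {

        private final AuthorizationMap authorizationMap;
        // resolved once at install time: ingest destination -> target destinations
        private final Map<ActiveMQDestination, List<ActiveMQDestination>> targets =
                new HashMap<ActiveMQDestination, List<ActiveMQDestination>>();

        ForwardTargetAuthorizationBroker(Broker next, AuthorizationMap authorizationMap,
                                         Map<String, List<String>> forwardTargets) {
            super(next);
            this.authorizationMap = authorizationMap;
            for (Map.Entry<String, List<String>> e : forwardTargets.entrySet()) {
                ActiveMQDestination ingest =
                        ActiveMQDestination.createDestination(e.getKey(), ActiveMQDestination.QUEUE_TYPE);
                List<ActiveMQDestination> list = new ArrayList<ActiveMQDestination>();
                for (String name : e.getValue()) {
                    list.add(ActiveMQDestination.createDestination(name, ActiveMQDestination.QUEUE_TYPE));
                }
                targets.put(ingest, list);
            }
        }

        @Override
        public void send(ProducerBrokerExchange exchange, Message message) throws Exception {
            SecurityContext sc = exchange.getConnectionContext().getSecurityContext();
            if (sc == null) {
                // no authentication plugin ran before this filter: fail closed
                throw new SecurityException("User is not authenticated.");
            }
            ActiveMQDestination ingest = message.getDestination();
            List<ActiveMQDestination> forwardTo = targets.get(ingest);
            if (forwardTo != null && !sc.isBrokerContext()) {
                for (ActiveMQDestination target : forwardTo) {
                    Set<?> allowed = authorizationMap.getWriteACLs(target);
                    // getWriteACLs returns null when no entry matches; like the
                    // stock authorizationPlugin, treat "no entry" as unrestricted
                    if (allowed != null && !sc.isInOneOf(allowed)) {
                        throw new SecurityException("User " + sc.getUserName()
                                + " is not authorized to write to " + target
                                + " (forward target of " + ingest + ")");
                    }
                }
            }
            super.send(exchange, message);
        }
    }
}
```

Register it as a bean in the broker's <plugins> list after the jaasAuthenticationPlugin (so the SecurityContext is already populated) and wire its authorizationMap property to the same map bean the authorizationPlugin uses. Because it sits on the interceptor chain in front of the region broker, it runs for the producer's original send to the ingest queue and rejects the message before CompositeDestinationFilter fans it out; a producer that is allowed to write to the ingest queue but not to one of its targets now gets a SecurityException instead of a silent bypass.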

Re: where is a producer authorized for writing to a virtual destination?

Posted by Vince Cole <th...@gmail.com>.
Am I right in thinking that there needs to be another instance of the
AuthorizationBroker, added into the interceptor chain, added in such a
manner so as to make ActiveMQ call it on the call to 'send' upon each of the
destination queues?

Does anyone know if / how such a thing can be done?

I know how to write a plugin, but the framework around them, which loads them
in and calls them, is still a mystery to me...

--
View this message in context: http://activemq.2283324.n4.nabble.com/where-is-a-producer-authorized-for-writing-to-a-virtual-destination-tp4726149p4726151.html

Re: where is a producer authorized for writing to a virtual destination?

Posted by Vince Cole <th...@gmail.com>.
The closest I have got so far to answering this myself is looking at
AuthorizationBroker::addProducer, where allowedACLs is determined via
authorizationMap.getWriteACLs(info.getDestination());

...but I am still none the wiser as to why this is only being called for
the ingest queue and not on any of the destination queues. I can't see where
it is (not) being called from...?

--
View this message in context: http://activemq.2283324.n4.nabble.com/where-is-a-producer-authorized-for-writing-to-a-virtual-destination-tp4726149p4726150.html