You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@activemq.apache.org by jb...@apache.org on 2019/10/17 15:03:21 UTC
[activemq-artemis] branch master updated: ARTEMIS-2521 add
documentation for role-mapping
This is an automated email from the ASF dual-hosted git repository.
jbertram pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git
The following commit(s) were added to refs/heads/master by this push:
new 8043828 ARTEMIS-2521 add documentation for role-mapping
new 3baf602 This closes #2865
8043828 is described below
commit 8043828e84f74f458796ef322871630ad30d3465
Author: Sascha Dirbach <sa...@endless-webservices.de>
AuthorDate: Wed Oct 16 17:33:19 2019 +0200
ARTEMIS-2521 add documentation for role-mapping
---
docs/user-manual/en/configuration-index.md | 3 +++
docs/user-manual/en/security.md | 14 ++++++++++++++
2 files changed, 17 insertions(+)
diff --git a/docs/user-manual/en/configuration-index.md b/docs/user-manual/en/configuration-index.md
index 0deb104..9239123 100644
--- a/docs/user-manual/en/configuration-index.md
+++ b/docs/user-manual/en/configuration-index.md
@@ -374,6 +374,9 @@ Name | Description
[permission](security.md) |
[permission.type](security.md) | the type of permission
[permission.roles](security.md) | a comma-separated list of roles to apply the permission to
+[role-mapping](security.md) | A simple role mapping that can be used to map roles from external authentication providers (i.e. LDAP) to internal roles
+[role-mapping.from](security.md) | The external role which should be mapped
+[role-mapping.to](security.md) | The internal role which should be assigned to the authenticated user
## broker-plugin type
diff --git a/docs/user-manual/en/security.md b/docs/user-manual/en/security.md
index 6a45271..063fc28 100644
--- a/docs/user-manual/en/security.md
+++ b/docs/user-manual/en/security.md
@@ -1022,6 +1022,20 @@ superseded by SASL GSSAPI. However, for clients that don't support SASL (core
client), using TLS can provide Kerberos authentication over an *unsecure*
channel.
+## Mapping external roles
+Roles from external authentication providers (i.e. LDAP) can be mapped to internally used roles. The is done through role-mapping entries in the security-settings block:
+
+```xml
+<security-settings>
+ [...]
+ <role-mapping from="cn=admins,ou=Group,ou=ActiveMQ,ou=system" to="my-admin-role"/>
+ <role-mapping from="cn=users,ou=Group,ou=ActiveMQ,ou=system" to="my-user-role"/>
+</security-settings>
+```
+
+Note: Role mapping is additive. That means the user will keep the original role(s) as well as the newly assigned role(s).
+
+Note: This role mapping only affects the roles which are used to authorize queue access through the configured acceptors. It can not be used to map the role required to access the web console.
## SASL
[AMQP](using-AMQP.md) supports SASL. The following mechanisms are supported; PLAIN, EXTERNAL, ANONYMOUS, GSSAPI.