Posted to users@activemq.apache.org by anishm <an...@govimana.com> on 2019/05/12 06:58:14 UTC

Custom authorization in Artemis

Hello everyone,
I just started writing some spikes to evaluate Artemis for a PoC and one of
the use cases that the setup should satisfy is to accept authenticated
mqtt+wss connections to allow posting to a wildcard of topics specific to a
user.
This means that a user will have permissions to publish to a wildcard topic
expression, for example: A user `userfoo` will have permissions to publish
to `stuff/userfoo/#`. 
The list of users is dynamic and a database holds the authentication
information. The end goal is for Artemis to authenticate and authorize based
on the information in the database without having to restart the broker on
changes.
I realise that there are a few ways to do this. The common step being to set
UserPrincipal and RolePrincipal using a class implementing the LoginModule.
For authorization, 
1. An MQTTInterceptor that gets the destination address, gets the subject's
principals, and allows only matches to pass through. (Do I throw a
SecurityException if a match is not found?)
2. Implement a SecuritySetting with HierarchicalRepository that listens to
changes and updates the SecuritySettings map: This method looks way too
complicated for a simple AuthZ rule that I mentioned earlier. However I'd
prefer to have the AuthN and AuthZ fully integrated in the Artemis system so
that the Security is done using the core.
What could be a better way to implement this?



--
Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html

Re: Custom authorization in Artemis

Posted by Justin Bertram <jb...@apache.org>.
For authentication you'll almost certainly want to implement a LoginModule.
You can find reference implementations here [1].

For authorization I think your best bet will be to implement a
SecuritySettingsPlugin [2]. There is an LDAP implementation you can
reference here [3].

That should hopefully provide you all the flexibility you need.


Justin

[1]
https://github.com/apache/activemq-artemis/tree/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas
[2]
https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/SecuritySettingPlugin.java
[3]
https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/LegacyLDAPSecuritySettingPlugin.java

On Sun, May 12, 2019 at 1:58 AM anishm <an...@govimana.com> wrote:

> Hello everyone,
> I just started writing some spikes to evaluate Artemis for a PoC and one of
> the use cases that the setup should satisfy is to accept authenticated
> mqtt+wss connections to allow posting to a wildcard of topics specific to a
> user.
> This means that a user will have permissions to publish to a wildcard topic
> expression, for example: A user `userfoo` will have permissions to publish
> to `stuff/userfoo/#`.
> The list of users is dynamic and a database holds the authentication
> information. The end goal is for Artemis to authenticate and authorize
> based
> on the information in the database without having to restart the broker on
> changes.
> I realise that there are a few ways to do this. The common step being to set
> UserPrincipal and RolePrincipal using a class implementing the LoginModule.
> For authorization,
> 1. An MQTTInterceptor that gets the destination address, gets the subject's
> principals, and allows only matches to pass through. (Do I throw a
> SecurityException if a match is not found?)
> 2. Implement a SecuritySetting with HierarchicalRepository that listens to
> changes and updates the SecuritySettings map: This method looks way too
> complicated for a simple AuthZ rule that I mentioned earlier. However I'd
> prefer to have the AuthN and AuthZ fully integrated in the Artemis system
> so
> that the Security is done using the core.
> What could be a better way to implement this?
>
>
>
> --
> Sent from:
> http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html
>
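To make the suggested SecuritySettingPlugin route concrete for the `stuff/<user>/#` case, here is an added example (not code from the Artemis project or from either poster). It grants each user a send-only role on its own subtree and pushes additions and removals into the broker's security repository at runtime, so the user list can change without a restart. Assumptions to verify against the Artemis version in use: the `init`/`stop`/`getSecurityRoles`/`setSecurityRepository` shape of the interface and `HierarchicalRepository.addMatch`/`removeMatch` as in Artemis 2.x; the eleven-argument `Role` constructor; and that, with the default wildcard configuration, an MQTT topic `stuff/userfoo/#` is addressed as `stuff.userfoo.#` inside the broker. The in-memory user map and the class/package names are constructed stand-ins for the database and for whatever the PoC names them.

```java
// Added example (not Artemis or thread code). Assumed: Artemis 2.x plugin interface,
// HierarchicalRepository.addMatch/removeMatch, 11-argument Role constructor, and the
// MQTT '/' -> core '.' address mapping. Register in broker.xml under <security-settings>:
//   <security-setting-plugin class-name="example.PerUserTopicSecurityPlugin">
//      <setting name="prefix" value="stuff"/>
//   </security-setting-plugin>
package example; // hypothetical package name

import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.activemq.artemis.core.security.Role;
import org.apache.activemq.artemis.core.server.SecuritySettingPlugin;
import org.apache.activemq.artemis.core.settings.HierarchicalRepository;

public class PerUserTopicSecurityPlugin implements SecuritySettingPlugin {

   // user name -> role name; the LoginModule must put the same role name into
   // that user's RolePrincipal, otherwise the match below never applies to them.
   private final Map<String, String> users = new ConcurrentHashMap<>();
   private HierarchicalRepository<Set<Role>> securityRepository;
   private String prefix = "stuff";

   @Override
   public SecuritySettingPlugin init(Map<String, String> options) {
      if (options != null && options.get("prefix") != null) {
         prefix = options.get("prefix");
      }
      // Constructed seed data standing in for the database; a real plugin would
      // load the table here and start a poller or change listener calling refresh().
      users.put("userfoo", "role-userfoo");
      users.put("userbar", "role-userbar");
      return this;
   }

   @Override
   public SecuritySettingPlugin stop() {
      users.clear();
      return this;
   }

   @Override
   public void setSecurityRepository(HierarchicalRepository<Set<Role>> securityRepository) {
      this.securityRepository = securityRepository;
   }

   /** Initial settings the broker installs at start-up. */
   @Override
   public Map<String, Set<Role>> getSecurityRoles() {
      Map<String, Set<Role>> settings = new HashMap<>();
      users.forEach((user, role) -> settings.put(matchFor(user), rolesFor(role)));
      return settings;
   }

   /** MQTT topic stuff/<user>/# is addressed as stuff.<user>.# inside the broker. */
   String matchFor(String user) {
      // A user name containing the delimiter or a wildcard would widen the match
      // ("#" alone would grant the whole prefix), so refuse it instead of escaping it.
      if (user.isEmpty() || user.contains(".") || user.contains("*") || user.contains("#")) {
         throw new IllegalArgumentException("unsafe user name for an address match: " + user);
      }
      return prefix + "." + user + ".#";
   }

   /** Send only; createAddress so the user's topics can be auto-created on first publish. */
   static Set<Role> rolesFor(String roleName) {
      Set<Role> roles = new HashSet<>();
      // name, send, consume, createDurableQueue, deleteDurableQueue, createNonDurableQueue,
      // deleteNonDurableQueue, manage, browse, createAddress, deleteAddress
      roles.add(new Role(roleName, true, false, false, false, false, false, false, false, true, false));
      return roles;
   }

   /** Reconcile the live repository with a fresh snapshot of the user table. */
   public synchronized void refresh(Map<String, String> snapshot) {
      for (String stale : new ArrayList<>(users.keySet())) {
         if (!snapshot.containsKey(stale)) {
            users.remove(stale);
            if (securityRepository != null) {
               securityRepository.removeMatch(matchFor(stale));
            }
         }
      }
      snapshot.forEach((user, role) -> {
         if (!role.equals(users.get(user))) {
            users.put(user, role);
            if (securityRepository != null) {
               securityRepository.addMatch(matchFor(user), rolesFor(role));
            }
         }
      });
   }
}
```

Two things to check in a PoC built on this: the broker caches authorization decisions for the period set by `security-invalidation-interval`, so a removal pushed through `refresh()` only bites once that cache entry expires, and the address the MQTT layer actually uses for a publish should be confirmed (for instance in the broker's address list) before trusting that the `.`-delimited match is the right one. Subscribing under this role fails because no consume permission is granted; widen `rolesFor` only if the use case requires it.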