You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@activemq.apache.org by Thorsten Meinl <th...@knime.com> on 2022/04/28 12:59:23 UTC
Questions around security and permissions
We have a more complicated scenario where we use Artemis and are
currently struggling with some security-related problems. Let me try to
sketch our setup:
- Several producers put work items into queues in Artemis. Every
producer uses a dedicated queue, e.g. "jobs.123" where 123 is the
unique producer name.
- We create consumers on-demand for every producer, i.e. for producer
"123" there is a consumer "123" that is consuming from queu "jobs.123".
- The consumers are started in containers and get the access
credentials for Artemis passed as environment variables. All consumers
share the same credentials and therefore have access to all queues.
- Now comes the crucial part: the consumers essentially allow for
arbitrary code execution. This is not an issue per se because they are
restricted to the container. But a carefully crafted work item allows
you to read the container's environment variables, create a consumer
and read *any* message including work items which are not supposed to
be read by the current consumer. E.g. the rogue consumer "123" can then
read messages addressed to consumer "456". This compromises
confidentiality.
Now we are looking for solutions to this problem. We have to ensure
that consumer XYZ can only read messages addressed to it (i.e.
"jobs.XYZ") and nothing else. I guess this would be possible by
creating dedicated Artemis users for each consumer and setting
permissions accordingly. But can users be created (and deleted) on-
demand? And is there a practical limit? We would need hundreds if not
thousands of Artemis users.
An alternative solution would be to use some kind of proxy between the
broker and the consumer which allows access to certain queues only.
Does something like this exist?
Are there any other solutions that may think of?
I know it's a very generic question but maybe some of you have ideas
that they can share.
Thanks,
Thorsten
--
Dr.-Ing. Thorsten Meinl
KNIME AG
Hardturmstrasse 66
8005 Zurich, Switzerland
RE: Questions around security and permissions
Posted by Vilius Šumskas <vi...@rivile.lt>.
Hi,
we have very similar requirements. You can search this mailing list for my recent questions and answers from others for details.
Basically we have chosen ActiveMQBasicSecurityManager as a backend, and we are creating users, their permissions and queues on-demand, using activemq.management address.
--
Vilius
-----Original Message-----
From: Thorsten Meinl <th...@knime.com>
Sent: Thursday, April 28, 2022 3:59 PM
To: users@activemq.apache.org
Subject: Questions around security and permissions
We have a more complicated scenario where we use Artemis and are currently struggling with some security-related problems. Let me try to sketch our setup:
- Several producers put work items into queues in Artemis. Every producer uses a dedicated queue, e.g. "jobs.123" where 123 is the unique producer name.
- We create consumers on-demand for every producer, i.e. for producer "123" there is a consumer "123" that is consuming from queu "jobs.123".
- The consumers are started in containers and get the access credentials for Artemis passed as environment variables. All consumers share the same credentials and therefore have access to all queues.
- Now comes the crucial part: the consumers essentially allow for arbitrary code execution. This is not an issue per se because they are restricted to the container. But a carefully crafted work item allows you to read the container's environment variables, create a consumer and read *any* message including work items which are not supposed to be read by the current consumer. E.g. the rogue consumer "123" can then read messages addressed to consumer "456". This compromises confidentiality.
Now we are looking for solutions to this problem. We have to ensure that consumer XYZ can only read messages addressed to it (i.e.
"jobs.XYZ") and nothing else. I guess this would be possible by creating dedicated Artemis users for each consumer and setting permissions accordingly. But can users be created (and deleted) on- demand? And is there a practical limit? We would need hundreds if not thousands of Artemis users.
An alternative solution would be to use some kind of proxy between the broker and the consumer which allows access to certain queues only.
Does something like this exist?
Are there any other solutions that may think of?
I know it's a very generic question but maybe some of you have ideas that they can share.
Thanks,
Thorsten
--
Dr.-Ing. Thorsten Meinl
KNIME AG
Hardturmstrasse 66
8005 Zurich, Switzerland
RE: Questions around security and permissions
Posted by Vilius Šumskas <vi...@rivile.lt>.
Correct. This is exactly what we are doing.
By the way, as far as we found out, permissions created on-demand will be stored in the journal independently which user/role storage mechanism you choose. That was one more reasons for us to go with ActiveMQBasicSecurityManager because we won't have to juggle between two different backups of authorization data.
--
Vilius
-----Original Message-----
From: Thorsten Meinl <th...@knime.com>
Sent: Friday, April 29, 2022 10:43 AM
To: users@activemq.apache.org
Subject: Re: Questions around security and permissions
Thanks all. This sounds like a viable solution to our problem.
Just to be sure: If I want to set permissions per user I also have to create a dedicated role per user because permissions can only be granted to roles?
Thanks,
Thorsten
Am Donnerstag, dem 28.04.2022 um 09:00 -0500 schrieb Justin Bertram:
> > But can users be created (and deleted) on-demand?
>
> I'm not exactly sure what you mean by "on-demand," but users can be
> created administratively on a running broker via management. This can
> be done via the "artemis user" command, the web console, Jolokia, etc.
> You'll need to use the PropertiesLoginModule [1] with the JAAS
> security manager [2] (i.e.
> the default configuration) or the "Basic" security manager [3].
>
> You could also likely accomplish this via LDAP [4].
>
> > And is there a practical limit?
>
> There is no arbitrarily imposed limit so any limit will be based on
> the resources available to the broker. My recommendation would be to
> test and see.
>
> > An alternative solution would be to use some kind of proxy between
> > the
> broker and the consumer which allows access to certain queues only.
> Does
> something like this exist?
>
> I'm not aware of anything like this, and I would be surprised if it
> existed as it would add needless complexity on top of something that
> could already be accomplished via the broker directly or via LDAP.
>
>
> Justin
>
> [1]
> https://activemq.apache.org/components/artemis/documentation/latest/se
> curity.html#propertiesloginmodule
> [2]
> https://activemq.apache.org/components/artemis/documentation/latest/se
> curity.html#jaas-security-manager
> [3]
> https://activemq.apache.org/components/artemis/documentation/latest/se
> curity.html#basic-security-manager
> [4]
> https://activemq.apache.org/components/artemis/documentation/latest/se
> curity.html#ldaploginmodule
>
> On Thu, Apr 28, 2022 at 7:59 AM Thorsten Meinl
> <th...@knime.com>
> wrote:
>
> > We have a more complicated scenario where we use Artemis and are
> > currently struggling with some security-related problems. Let me try
> > to sketch our setup:
> >
> > - Several producers put work items into queues in Artemis. Every
> > producer uses a dedicated queue, e.g. "jobs.123" where 123 is the
> > unique producer name.
> > - We create consumers on-demand for every producer, i.e. for
> > producer "123" there is a consumer "123" that is consuming from queu
> > "jobs.123".
> > - The consumers are started in containers and get the access
> > credentials for Artemis passed as environment variables. All
> > consumers share the same credentials and therefore have access to
> > all queues.
> > - Now comes the crucial part: the consumers essentially allow for
> > arbitrary code execution. This is not an issue per se because they
> > are restricted to the container. But a carefully crafted work item
> > allows you to read the container's environment variables, create a
> > consumer and read *any* message including work items which are not
> > supposed to be read by the current consumer. E.g. the rogue consumer
> > "123" can then read messages addressed to consumer "456". This
> > compromises confidentiality.
> >
> > Now we are looking for solutions to this problem. We have to ensure
> > that consumer XYZ can only read messages addressed to it (i.e.
> > "jobs.XYZ") and nothing else. I guess this would be possible by
> > creating dedicated Artemis users for each consumer and setting
> > permissions accordingly. But can users be created (and deleted) on-
> > demand? And is there a practical limit? We would need hundreds if
> > not thousands of Artemis users.
> >
> > An alternative solution would be to use some kind of proxy between
> > the broker and the consumer which allows access to certain queues
> > only.
> > Does something like this exist?
> >
> > Are there any other solutions that may think of?
> >
> > I know it's a very generic question but maybe some of you have ideas
> > that they can share.
> >
> > Thanks,
> >
> > Thorsten
> >
> > --
> > Dr.-Ing. Thorsten Meinl
> > KNIME AG
> > Hardturmstrasse 66
> > 8005 Zurich, Switzerland
> >
> >
--
Dr.-Ing. Thorsten Meinl
KNIME AG
Hardturmstrasse 66
8005 Zurich, Switzerland
Re: Questions around security and permissions
Posted by Thorsten Meinl <th...@knime.com>.
Thanks all. This sounds like a viable solution to our problem.
Just to be sure: If I want to set permissions per user I also have to
create a dedicated role per user because permissions can only be
granted to roles?
Thanks,
Thorsten
Am Donnerstag, dem 28.04.2022 um 09:00 -0500 schrieb Justin Bertram:
> > But can users be created (and deleted) on-demand?
>
> I'm not exactly sure what you mean by "on-demand," but users can be
> created
> administratively on a running broker via management. This can be done
> via
> the "artemis user" command, the web console, Jolokia, etc. You'll
> need to
> use the PropertiesLoginModule [1] with the JAAS security manager [2]
> (i.e.
> the default configuration) or the "Basic" security manager [3].
>
> You could also likely accomplish this via LDAP [4].
>
> > And is there a practical limit?
>
> There is no arbitrarily imposed limit so any limit will be based on
> the
> resources available to the broker. My recommendation would be to test
> and
> see.
>
> > An alternative solution would be to use some kind of proxy between
> > the
> broker and the consumer which allows access to certain queues only.
> Does
> something like this exist?
>
> I'm not aware of anything like this, and I would be surprised if it
> existed
> as it would add needless complexity on top of something that could
> already
> be accomplished via the broker directly or via LDAP.
>
>
> Justin
>
> [1]
> https://activemq.apache.org/components/artemis/documentation/latest/security.html#propertiesloginmodule
> [2]
> https://activemq.apache.org/components/artemis/documentation/latest/security.html#jaas-security-manager
> [3]
> https://activemq.apache.org/components/artemis/documentation/latest/security.html#basic-security-manager
> [4]
> https://activemq.apache.org/components/artemis/documentation/latest/security.html#ldaploginmodule
>
> On Thu, Apr 28, 2022 at 7:59 AM Thorsten Meinl
> <th...@knime.com>
> wrote:
>
> > We have a more complicated scenario where we use Artemis and are
> > currently struggling with some security-related problems. Let me
> > try to
> > sketch our setup:
> >
> > - Several producers put work items into queues in Artemis. Every
> > producer uses a dedicated queue, e.g. "jobs.123" where 123 is the
> > unique producer name.
> > - We create consumers on-demand for every producer, i.e. for
> > producer
> > "123" there is a consumer "123" that is consuming from queu
> > "jobs.123".
> > - The consumers are started in containers and get the access
> > credentials for Artemis passed as environment variables. All
> > consumers
> > share the same credentials and therefore have access to all queues.
> > - Now comes the crucial part: the consumers essentially allow for
> > arbitrary code execution. This is not an issue per se because they
> > are
> > restricted to the container. But a carefully crafted work item
> > allows
> > you to read the container's environment variables, create a
> > consumer
> > and read *any* message including work items which are not supposed
> > to
> > be read by the current consumer. E.g. the rogue consumer "123" can
> > then
> > read messages addressed to consumer "456". This compromises
> > confidentiality.
> >
> > Now we are looking for solutions to this problem. We have to ensure
> > that consumer XYZ can only read messages addressed to it (i.e.
> > "jobs.XYZ") and nothing else. I guess this would be possible by
> > creating dedicated Artemis users for each consumer and setting
> > permissions accordingly. But can users be created (and deleted) on-
> > demand? And is there a practical limit? We would need hundreds if
> > not
> > thousands of Artemis users.
> >
> > An alternative solution would be to use some kind of proxy between
> > the
> > broker and the consumer which allows access to certain queues only.
> > Does something like this exist?
> >
> > Are there any other solutions that may think of?
> >
> > I know it's a very generic question but maybe some of you have
> > ideas
> > that they can share.
> >
> > Thanks,
> >
> > Thorsten
> >
> > --
> > Dr.-Ing. Thorsten Meinl
> > KNIME AG
> > Hardturmstrasse 66
> > 8005 Zurich, Switzerland
> >
> >
--
Dr.-Ing. Thorsten Meinl
KNIME AG
Hardturmstrasse 66
8005 Zurich, Switzerland
Re: Questions around security and permissions
Posted by Justin Bertram <jb...@apache.org>.
> But can users be created (and deleted) on-demand?
I'm not exactly sure what you mean by "on-demand," but users can be created
administratively on a running broker via management. This can be done via
the "artemis user" command, the web console, Jolokia, etc. You'll need to
use the PropertiesLoginModule [1] with the JAAS security manager [2] (i.e.
the default configuration) or the "Basic" security manager [3].
You could also likely accomplish this via LDAP [4].
> And is there a practical limit?
There is no arbitrarily imposed limit so any limit will be based on the
resources available to the broker. My recommendation would be to test and
see.
> An alternative solution would be to use some kind of proxy between the
broker and the consumer which allows access to certain queues only. Does
something like this exist?
I'm not aware of anything like this, and I would be surprised if it existed
as it would add needless complexity on top of something that could already
be accomplished via the broker directly or via LDAP.
Justin
[1]
https://activemq.apache.org/components/artemis/documentation/latest/security.html#propertiesloginmodule
[2]
https://activemq.apache.org/components/artemis/documentation/latest/security.html#jaas-security-manager
[3]
https://activemq.apache.org/components/artemis/documentation/latest/security.html#basic-security-manager
[4]
https://activemq.apache.org/components/artemis/documentation/latest/security.html#ldaploginmodule
On Thu, Apr 28, 2022 at 7:59 AM Thorsten Meinl <th...@knime.com>
wrote:
> We have a more complicated scenario where we use Artemis and are
> currently struggling with some security-related problems. Let me try to
> sketch our setup:
>
> - Several producers put work items into queues in Artemis. Every
> producer uses a dedicated queue, e.g. "jobs.123" where 123 is the
> unique producer name.
> - We create consumers on-demand for every producer, i.e. for producer
> "123" there is a consumer "123" that is consuming from queu "jobs.123".
> - The consumers are started in containers and get the access
> credentials for Artemis passed as environment variables. All consumers
> share the same credentials and therefore have access to all queues.
> - Now comes the crucial part: the consumers essentially allow for
> arbitrary code execution. This is not an issue per se because they are
> restricted to the container. But a carefully crafted work item allows
> you to read the container's environment variables, create a consumer
> and read *any* message including work items which are not supposed to
> be read by the current consumer. E.g. the rogue consumer "123" can then
> read messages addressed to consumer "456". This compromises
> confidentiality.
>
> Now we are looking for solutions to this problem. We have to ensure
> that consumer XYZ can only read messages addressed to it (i.e.
> "jobs.XYZ") and nothing else. I guess this would be possible by
> creating dedicated Artemis users for each consumer and setting
> permissions accordingly. But can users be created (and deleted) on-
> demand? And is there a practical limit? We would need hundreds if not
> thousands of Artemis users.
>
> An alternative solution would be to use some kind of proxy between the
> broker and the consumer which allows access to certain queues only.
> Does something like this exist?
>
> Are there any other solutions that may think of?
>
> I know it's a very generic question but maybe some of you have ideas
> that they can share.
>
> Thanks,
>
> Thorsten
>
> --
> Dr.-Ing. Thorsten Meinl
> KNIME AG
> Hardturmstrasse 66
> 8005 Zurich, Switzerland
>
>