Posted to users@activemq.apache.org by Christopher Wood <ch...@pobox.com> on 2012/06/21 18:56:23 UTC
periodic 5.6.0 ldap permission issues, solved by restart?
I upgraded our lab ActiveMQ to 5.6.0 and am using the cached ldap auth module. I appear to be having a problem where at times ActiveMQ loses its authorization data cache and does not refresh this from ldap. Is there any way of forcing a retry if it has a connection issue, or otherwise further diagnosing what is happening?
Details:
Three times now (solved by an ActiveMQ restart) I have started seeing these errors in the log (but for all queues that they are trying to access):
2012-06-21 11:57:31,538 | DEBUG | Error occured while processing sync command: ConsumerInfo {commandId = 28936, responseRequired = true, consumerId = ID:myhost-53793-1340295272790-0:6:-1:1, destination = ActiveMQ.Advisory.TempQueue,ActiveMQ.Advisory.TempTopic, prefetchSize = 0, maximumPendingMessageLimit = 0, browser = false, dispatchAsync = false, selector = null, subscriptionName = null, noLocal = true, exclusive = false, retroactive = false, priority = 0, brokerPath = null, optimizedAcknowledge = false, noRangeAcks = false, additionalPredicate = null}, exception: java.lang.SecurityException: User vm5a is not authorized to read from: ActiveMQ.Advisory.TempQueue,ActiveMQ.Advisory.TempTopic | org.apache.activemq.broker.TransportConnection.Service | ActiveMQ Transport: tcp:///10.201.147.250:51236
java.lang.SecurityException: User vm5a is not authorized to read from: ActiveMQ.Advisory.TempQueue,ActiveMQ.Advisory.TempTopic
Per our developers, they are seeing:
12:16:53,926 WARN DefaultMessageListenerContainer:822 - Setup of JMS message listener invoker failed for destination 'queue://vm5.queuename' - trying to recover. Cause: User vm5a is not authorized to read from: ActiveMQ.Advisory.TempQueue,ActiveMQ.Advisory.TempTopic
I ran some tcpdumps. While this is in the logs, I do not see any ldap searches attempting to update the authorization info. Just after a restart, I do see intermittent searches for the entries under ou=destination,ou=activemq,ou=systems,o=me.
My plugin info:
<authorizationPlugin>
  <map>
    <cachedLDAPAuthorizationMap
        connectionURL="ldap://ldap-lab.me:389"
        connectionUsername="cn=mqbroker,ou=services,o=me"
        connectionPassword="password"
        baseDn="ou=systems,o=me"
        refreshInterval="5000"
    />
  </map>
</authorizationPlugin>
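One way to separate the symptom described in this post (a user suddenly denied on every destination it touches) from an ordinary single-ACL denial when reading the broker log, as an added example that is not part of the original thread or of ActiveMQ. The sample log is constructed in the layout quoted above; the user batch1, the destination vm5.replies, the 192.0.2.x addresses, the 5-minute window and the three-destination threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. Only vm5a, vm5.queuename and the advisory destinations
# appear in the thread; batch1, vm5.replies and the addresses are made up.
SAMPLE_LOG = """\
2012-06-21 09:02:10,004 | DEBUG | Error occured while processing sync command: ConsumerInfo {...}, exception: java.lang.SecurityException: User batch1 is not authorized to read from: vm5.queuename | org.apache.activemq.broker.TransportConnection.Service | ActiveMQ Transport: tcp:///192.0.2.7:40112
java.lang.SecurityException: User batch1 is not authorized to read from: vm5.queuename
2012-06-21 11:57:31,538 | DEBUG | Error occured while processing sync command: ConsumerInfo {...}, exception: java.lang.SecurityException: User vm5a is not authorized to read from: ActiveMQ.Advisory.TempQueue,ActiveMQ.Advisory.TempTopic | org.apache.activemq.broker.TransportConnection.Service | ActiveMQ Transport: tcp:///192.0.2.9:51236
java.lang.SecurityException: User vm5a is not authorized to read from: ActiveMQ.Advisory.TempQueue,ActiveMQ.Advisory.TempTopic
2012-06-21 11:57:33,120 | DEBUG | Error occured while processing sync command: ConsumerInfo {...}, exception: java.lang.SecurityException: User vm5a is not authorized to read from: vm5.queuename | org.apache.activemq.broker.TransportConnection.Service | ActiveMQ Transport: tcp:///192.0.2.9:51236
2012-06-21 11:58:02,001 | DEBUG | Error occured while processing sync command: ConsumerInfo {...}, exception: java.lang.SecurityException: User vm5a is not authorized to read from: vm5.replies | org.apache.activemq.broker.TransportConnection.Service | ActiveMQ Transport: tcp:///192.0.2.9:51236
"""

# Layout: "timestamp,millis | LEVEL | message | logger | thread"
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3} \| \w+ \| .*?"
    r"User (?P<user>\S+) is not authorized to [a-z ]+: (?P<dest>[^\s|]+)"
)

def parse_denials(text):
    """Yield (time, user, destination); composite destinations are split on ','.
    The untimestamped 'java.lang.SecurityException' echo lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            for dest in m["dest"].split(","):
                yield ts, m["user"], dest

def find_bursts(text, window=timedelta(minutes=5), min_dests=3):
    """Return [(first_seen, user, destinations)] for each user denied on at
    least min_dests distinct destinations within one window (heuristic)."""
    per_user = defaultdict(list)
    for ts, user, dest in parse_denials(text):
        per_user[user].append((ts, dest))
    bursts = []
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            dests = {d for t, d in events[i:] if t - start <= window}
            if len(dests) >= min_dests:
                bursts.append((start, user, sorted(dests)))
                break
    return sorted(bursts)
```

A burst reported here is a cue to check whether the broker is still issuing LDAP searches, as the tcpdump in this post did; a lone denial such as the batch1 line is not flagged.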
Re: periodic 5.6.0 ldap permission issues, solved by restart?
Posted by Dejan Bosanac <de...@nighttale.net>.
Yes, it will try to keep the current cache until ldap server comes back.
Regards
--
Dejan Bosanac
Senior Software Engineer | FuseSource Corp.
dejanb@fusesource.com | fusesource.com
skype: dejan.bosanac | twitter: @dejanb
blog: http://www.nighttale.net
ActiveMQ in Action: http://www.manning.com/snyder/
On Fri, Jun 22, 2012 at 5:46 PM, Christopher Wood
<ch...@pobox.com> wrote:
> It certainly makes sense to reconnect if there's a problem.
>
> Will 5.7.0 also keep the current authorization cache if there's an ldap issue? In a production scenario it's probably okay to keep functioning if the ldap server goes away for a while.
>
> Thank you for the pointer, very much appreciated.
Re: periodic 5.6.0 ldap permission issues, solved by restart?
Posted by Christopher Wood <ch...@pobox.com>.
It certainly makes sense to reconnect if there's a problem.
Will 5.7.0 also keep the current authorization cache if there's an ldap issue? In a production scenario it's probably okay to keep functioning if the ldap server goes away for a while.
Thank you for the pointer, very much appreciated.
Re: periodic 5.6.0 ldap permission issues, solved by restart?
Posted by Dejan Bosanac <de...@nighttale.net>.
Hi,
there are some improvements in that area on the trunk (and will be
available in the next fuse release). Please take a look at
https://issues.apache.org/jira/browse/AMQ-3845
Regards
--
Dejan Bosanac
Senior Software Engineer | FuseSource Corp.
dejanb@fusesource.com | fusesource.com
skype: dejan.bosanac | twitter: @dejanb
blog: http://www.nighttale.net
ActiveMQ in Action: http://www.manning.com/snyder/