Posted to users@activemq.apache.org by Tim Bain <tb...@alumni.duke.edu> on 2020/10/01 00:37:21 UTC
Re: Please help me with authorisation configuration
I'm glad you got it working, and thanks for letting us know.
Tim
On Tue, Sep 29, 2020, 9:23 AM Fabrice Triboix <fa...@armedia.com>
wrote:
> Hi Tim,
>
> So you were right. I used only groups when configuring the
> authorizationEntries and that worked.
>
> Thanks a lot everyone for your support!
>
> Best regards,
>
> Fabrice
>
> ________________________________
> From: Tim Bain <tb...@alumni.duke.edu>
> Sent: 26 September 2020 15:26
> To: ActiveMQ Users <us...@activemq.apache.org>
> Subject: Re: Please help me with authorisation configuration
>
> CAUTION: This email originated from outside of the organization. Do not
> click links or open attachments unless you recognize the sender and know
> the content is safe.
>
>
> Lucas,
>
> Thanks for the confirmation that Amazon passes the full set of
> authorizationEntries through unmodified. I wasn't sure if maybe you treated
> the advisories differently since they're more internal/administrative, but
> I'm happy to hear that you're not.
>
> And thanks for monitoring this thread even though there's typically no need
> for your team to respond, and for the quick response.
>
> Tim
>
> On Fri, Sep 25, 2020, 12:31 PM Tetreault, Lucas
> <te...@amazon.com.invalid>
> wrote:
>
> > Hey folks,
> >
> > I am a manager on the AmazonMQ team and I asked one of the engineers to
> > have a look at this thread. Their analysis lines up with what Tim said and
> > it doesn't sound like anything we are doing would be causing this error.
> > Here is what the engineer had to say:
> >
> >
> > This particular error is caused by not giving permissions for
> > users to create advisory topics. Advisories are created in response to a
> > variety of events, see the ActiveMQ documentation here:
> > https://activemq.apache.org/advisory-message.html.
> >
> > In this particular case, what the customer needs to do is create a group
> > that contains all users that will be connecting to the broker, and allow
> > that group permission to create advisory topics. For example, if they name
> > this group "users", they would add the following "AuthorizationEntry":
> >
> > <authorizationEntry topic="ActiveMQ.Advisory.>" read="users"
> > write="users" admin="users"/>
> >
> > Here's a full example from the ActiveMQ docs (
> > http://activemq.apache.org/security) under "Controlling Access To
> > Temporary Destinations". In the customer's config, it seems they are
> > entering the user directly into the AuthorizationEntry, while in the
> > documentation they add the group the user belongs to.
> >
> >
> > I hope this helps!
> >
> >
> > On 2020-09-25, 4:43 AM, "Tim Bain" <tb...@alumni.duke.edu> wrote:
> >
> >
> > I believe that the authorizationEntry should reference groups rather than
> > individual users (so alfresco rather than alfresco1). Can you try it with
> > that configuration?
> >
> > If that doesn't work, can you try explicitly authorizing
> > ActiveMQ.Advisory.Connection so we're not dependent on the wildcard? It
> > shouldn't be necessary, but at this point we want to eliminate all
> > possible variables.
> >
> > There's another possibility, which is that maybe Amazon strips out certain
> > patterns of authorizationEntry from your config file when creating the
> > broker for you. Are there any members of Amazon's AmazonMQ team monitoring
> > this forum who could tell us if anything like that is in play?
> >
> > Tim
> >
> > On Tue, Sep 22, 2020, 2:50 AM Fabrice Triboix <
> > fabrice.triboix@armedia.com>
> > wrote:
> >
> > > Hello,
> > >
> > > Apologies for the late response, I have been sucked up on other pieces
> > > of work.
> > >
> > > So I stripped the configuration of all non-existent entities, and it now
> > > looks like this:
> > >
> > > <authorizationPlugin>
> > >   <map>
> > >     <authorizationMap>
> > >       <authorizationEntries>
> > >         <authorizationEntry topic="ActiveMQ.Advisory.>" admin="alfresco1" read="alfresco1" write="alfresco1"/>
> > >         <authorizationEntry queue="alfresco.>" admin="alfresco1" read="alfresco1" write="alfresco1"/>
> > >         <authorizationEntry topic="alfresco.Advisory.>" admin="alfresco1" read="alfresco1" write="alfresco1"/>
> > >       </authorizationEntries>
> > >       <!-- Fabrice: There is no group `admin`, so commenting this out for now
> > >       <tempDestinationAuthorizationEntry>
> > >         <tempDestinationAuthorizationEntry admin="admin" read="admin" write="admin"/>
> > >       </tempDestinationAuthorizationEntry>
> > >       -->
> > >     </authorizationMap>
> > >   </map>
> > > </authorizationPlugin>
> > >
> > > I still get the same error message from Alfresco:
> > >
> > > 2020-09-22 08:25:11,882 ERROR [component.jms.DefaultJmsMessageListenerContainer] [Camel (alfrescoCamelContext) thread #2 - JmsConsumer[acs-repo-rendition-events]] Could not refresh JMS Connection for destination 'acs-repo-rendition-events' - retrying using FixedBackOff{interval=5000, currentAttempts=7, maxAttempts=unlimited}. Cause: User alfresco1 is not authorized to create: topic://ActiveMQ.Advisory.Connection
> > >
> > > Here is the CloudFormation declaration I use to create the AmazonMQ
> > > broker:
> > >
> > > Broker:
> > >   Type: AWS::AmazonMQ::Broker
> > >   DependsOn: [ MasterSecret, AlfrescoUserSecret ]
> > >   Properties:
> > >     BrokerName: !Sub AmazonMQ-${AWS::StackName}
> > >     DeploymentMode: ACTIVE_STANDBY_MULTI_AZ
> > >     EncryptionOptions:
> > >       UseAwsOwnedKey: true
> > >     EngineType: ACTIVEMQ
> > >     EngineVersion: 5.15.10
> > >     HostInstanceType: mq.t2.micro
> > >     SecurityGroups: [ !GetAtt BrokerSecurityGroup.GroupId ]
> > >     SubnetIds: [ !Ref SubnetIdA, !Ref SubnetIdB ]
> > >     PubliclyAccessible: false
> > >     Configuration:
> > >       Id: !Ref BrokerConfig
> > >       Revision: !GetAtt BrokerConfig.Revision
> > >     Users:
> > >       - Username: admin1
> > >         Password: XXXXX
> > >         Groups: [ admin ]
> > >       - Username: alfresco1
> > >         Password: XXXXXX
> > >         Groups: [ alfresco ]
> > >     MaintenanceWindowStartTime:
> > >       DayOfWeek: !Ref MaintenanceDayOfWeek
> > >       TimeOfDay: !Ref MaintenanceTimeOfDay
> > >       TimeZone: UTC
> > >     Logs:
> > >       Audit: false
> > >       General: true
> > >     AutoMinorVersionUpgrade: true
> > >
> > > Is there a way to debug things further? Maybe by having a look at the
> > > ActiveMQ logs, or using some kind of command line tool to try manually
> > > create the topic?
> > >
> > > Thanks a lot for your help!
> > >
> > > ________________________________
> > > From: Tim Bain <tb...@alumni.duke.edu>
> > > Sent: 10 September 2020 12:50
> > > To: ActiveMQ Users <us...@activemq.apache.org>
> > > Subject: Re: Please help me with authorisation configuration
> > >
> > >
> > > Also, I don't believe that the admin group is created by default either,
> > > and I don't know what the broker's behavior is when it encounters a
> > > non-existent group in the config file. Maybe it denies access to even the
> > > groups that do exist? I don't know, but it's definitely worth trying with
> > > only valid/existing groups, so only alfresco in this case, just to try to
> > > get things working.
> > >
> > > Tim
> > >
> > > On Thu, Sep 10, 2020, 5:44 AM Tim Bain <tb...@alumni.duke.edu>
> > wrote:
> > >
> > > > For the all group, I'm not aware of any default group that's created,
> > > > and all of the examples I've seen had any similar group created
> > > > explicitly. But I never used the authentication features personally, so
> > > > I'm relying heavily on the examples available online, and it's possible
> > > > that the actual behavior differs from what I've understood. However, the
> > > > fact that what you've observed matches what I thought I'd understood
> > > > seems fairly compelling, so I'd suggest you define an 'all' group and
> > > > explicitly add each user to it, and see if that resolves the issue.
> > > >
> > > > For the user/group thing, you're right, I got my wires crossed on the
> > > > distinction between the two, and you're absolutely right that groups are
> > > > specified in the config file and as long as the user is a member of the
> > > > group, it should work as expected. Sorry for the confusion.
> > > >
> > > > Tim
> > > >
> > > > On Wed, Sep 9, 2020, 5:48 AM Fabrice Triboix <
> > > fabrice.triboix@armedia.com>
> > > > wrote:
> > > >
> > > >> Hi Tim,
> > > >>
> > > >> No, I didn't define an `all` group, I just did a copy/paste from the
> > > >> ActiveMQ website. I guess from your answer that there is no `all` group
> > > >> by default.
> > > >>
> > > >> `alfresco1` is a user and a member of the `alfresco` group. Should I
> > > >> specify only users `authorizationEntry`?
> > > >>
> > > >> Thanks!
> > > >>
> > > >> ________________________________
> > > >> From: Tim Bain <tb...@alumni.duke.edu>
> > > >> Sent: 09 September 2020 12:41
> > > >> To: ActiveMQ Users <us...@activemq.apache.org>
> > > >> Subject: Re: Please help me with authorisation configuration
> > > >>
> > > >>
> > > >> Also, is 'all' a group you defined, and is alfresco1 in that
> > group?
> > > >>
> > > >> Tim
> > > >>
> > > >> On Wed, Sep 9, 2020, 5:35 AM Tim Bain <tb...@alumni.duke.edu>
> > wrote:
> > > >>
> > > >> > Note that the username in the error message is alfresco1, not
> > > >> > alfresco, so make sure you authorize the right user when you test
> > > >> > explicitly authorizing the user.
> > > >> >
> > > >> > Tim
> > > >> >
> > > >> > On Wed, Sep 9, 2020, 5:31 AM Jean-Baptiste Onofre <
> > jb@nanthrax.net>
> > > >> wrote:
> > > >> >
> > > >> >> OK,
> > > >> >>
> > > >> >> That’s weird as the advisory should be created by the broker itself.
> > > >> >>
> > > >> >> Can you try to put admin and alfresco roles for admin action?
> > > >> >>
> > > >> >> By the way, are you using Advisory? If not, you can disable advisory
> > > >> >> support.
> > > >> >>
> > > >> >> Regards
> > > >> >> JB
> > > >> >>
> > > >> >> > On 9 Sept 2020 at 12:12, Fabrice Triboix <fabrice.triboix@armedia.com> wrote:
> > > >> >> >
> > > >> >> > I replace ">" with ">" and that didn't make any difference...
> > > >> >> >
> > > >> >> > ________________________________
> > > >> >> > From: Fabrice Triboix <fa...@armedia.com>
> > > >> >> > Sent: 09 September 2020 10:47
> > > >> >> > To: users@activemq.apache.org <us...@activemq.apache.org>
> > > >> >> > Subject: Re: Please help me with authorisation
> configuration
> > > >> >> >
> > > >> >> >
> > > >> >> > Hi Jean-Baptiste,
> > > >> >> >
> > > >> >> > I can try with ">", let's see what happens.
> > > >> >> >
> > > >> >> > Thanks,
> > > >> >> >
> > > >> >> > Fabrice
> > > >> >> >
> > > >> >> > ________________________________
> > > >> >> > From: Jean-Baptiste Onofre <jb...@nanthrax.net>
> > > >> >> > Sent: 09 September 2020 10:43
> > > >> >> > To: users@activemq.apache.org <us...@activemq.apache.org>
> > > >> >> > Subject: Re: Please help me with authorisation
> configuration
> > > >> >> >
> > > >> >> >
> > > >> >> > Hi Fabrice,
> > > >> >> >
> > > >> >> > Are you sure about Activemq.Advisory setup? Did you try ActiveMQ.Advisory.> ?
> > > >> >> >
> > > >> >> > Regards
> > > >> >> > JB
> > > >> >> >
> > > >> >> >> On 9 Sept 2020 at 11:31, Fabrice Triboix <fabrice.triboix@armedia.com> wrote:
> > > >> >> >>
> > > >> >> >> Hello,
> > > >> >> >>
> > > >> >> >> I am using AmazonMQ, which is running ActiveMQ version 5.15.12. I
> > > >> >> >> am trying to run Alfresco Repository CE (version 6.3), and it needs
> > > >> >> >> to connect to AmazonMQ, but it fails with the following error:
> > > >> >> >>
> > > >> >> >> 2020-09-09 09:06:49,222 ERROR [component.jms.DefaultJmsMessageListenerContainer] [Camel (alfrescoCamelContext) thread #2 - JmsConsumer[acs-repo-rendition-events]] Could not refresh JMS Connection for destination 'acs-repo-rendition-events' - retrying using FixedBackOff{interval=5000, currentAttempts=652, maxAttempts=unlimited}. Cause: User alfresco1 is not authorized to create: topic://ActiveMQ.Advisory.Connection
> > > >> >> >>
> > > >> >> >> Here is the part of the ActiveMQ configuration related to authorization:
> > > >> >> >>
> > > >> >> >> <authorizationPlugin>
> > > >> >> >>   <map>
> > > >> >> >>     <authorizationMap>
> > > >> >> >>       <authorizationEntries>
> > > >> >> >>         <authorizationEntry topic="ActiveMQ.Advisory.>" admin="all" read="all" write="all"/>
> > > >> >> >>         <authorizationEntry queue="alfresco.>" admin="admin" read="admin,alfresco" write="admin,alfresco"/>
> > > >> >> >>         <authorizationEntry topic="alfresco.Advisory.>" admin="admin" read="admin,alfresco" write="admin,alfresco"/>
> > > >> >> >>       </authorizationEntries>
> > > >> >> >>       <tempDestinationAuthorizationEntry>
> > > >> >> >>         <tempDestinationAuthorizationEntry admin="admin" read="admin" write="admin"/>
> > > >> >> >>       </tempDestinationAuthorizationEntry>
> > > >> >> >>     </authorizationMap>
> > > >> >> >>   </map>
> > > >> >> >> </authorizationPlugin>
> > > >> >> >>
> > > >> >> >> Would anyone have any idea what I am doing wrong?
> > > >> >> >>
> > > >> >> >> Many thanks for your help!
> > > >> >> >>
> > > >> >> >> Fabrice
> > > >> >> >>
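The thread's resolution (authorizationEntry must name groups, not users, and the connecting user's group needs admin on ActiveMQ.Advisory.> because creating a destination is an admin operation) can be checked before a configuration is deployed. The Python below is an added example, not code from the thread or from ActiveMQ: it models the broker's lookup in simplified form, with constructed sample entries and the two users from the CloudFormation template above, and flags any ACL name that is not a declared group.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not the thread's full config): the entries as posted, with the
# user name "alfresco1" in the ACLs, and the corrected form naming the groups instead.
BROKEN_XML = """<authorizationEntries>
  <authorizationEntry topic="ActiveMQ.Advisory.>" admin="alfresco1" read="alfresco1" write="alfresco1"/>
  <authorizationEntry queue="alfresco.>" admin="alfresco1" read="alfresco1" write="alfresco1"/>
</authorizationEntries>"""
FIXED_XML = """<authorizationEntries>
  <authorizationEntry topic="ActiveMQ.Advisory.>" admin="alfresco" read="alfresco" write="alfresco"/>
  <authorizationEntry queue="alfresco.>" admin="admin" read="admin,alfresco" write="admin,alfresco"/>
</authorizationEntries>"""
# Users and their group memberships, as declared in the CloudFormation template.
USERS = {"admin1": {"admin"}, "alfresco1": {"alfresco"}}


def parse_entries(xml_text):
    """Return [(kind, pattern, {op: set_of_groups})] for each authorizationEntry."""
    entries = []
    for e in ET.fromstring(xml_text).iter("authorizationEntry"):
        kind = "topic" if "topic" in e.attrib else "queue"
        acl = {op: {g.strip() for g in e.get(op, "").split(",") if g.strip()}
               for op in ("read", "write", "admin")}
        entries.append((kind, e.attrib[kind], acl))
    return entries


def matches(pattern, name):
    """ActiveMQ destination wildcards: '.' separates parts, '*' is one part, '>' is the rest."""
    pat, parts = pattern.split("."), name.split(".")
    for i, p in enumerate(pat):
        if p == ">":
            return True
        if i >= len(parts) or (p != "*" and p != parts[i]):
            return False
    return len(pat) == len(parts)


def authorized(entries, users, user, kind, dest, op):
    """Grant op ('read', 'write', or 'admin', which is what create needs) only if one of
    the user's GROUPS is listed in a matching entry; a bare user name never matches."""
    groups = users.get(user, set())
    return any(acl[op] & groups
               for k, pat, acl in entries if k == kind and matches(pat, dest))


def undefined_roles(entries, users):
    """Preflight check: ACL names that are not a group of any declared user."""
    known = set().union(*users.values())
    return sorted({r for _, _, acl in entries for s in acl.values() for r in s} - known)
```

Running `undefined_roles` over the posted entries reports "alfresco1", which is exactly the mistake the thread ended on; on the corrected entries it reports nothing and `authorized` grants alfresco1 the admin permission on ActiveMQ.Advisory.Connection.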