Posted to commits@activemq.apache.org by cl...@apache.org on 2019/08/08 17:04:49 UTC
[activemq-artemis] branch master updated: ARTEMIS-2447 allow
mapping admin to manage in LDAP plugin
This is an automated email from the ASF dual-hosted git repository.
clebertsuconic pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git
The following commit(s) were added to refs/heads/master by this push:
new d379cda ARTEMIS-2447 allow mapping admin to manage in LDAP plugin
new 91a67fa This closes #2788
d379cda is described below
commit d379cda374e87b873407b68b39d1c6cc8fb96296
Author: Justin Bertram <jb...@apache.org>
AuthorDate: Tue Aug 6 15:27:18 2019 -0500
ARTEMIS-2447 allow mapping admin to manage in LDAP plugin
---
.../impl/LegacyLDAPSecuritySettingPlugin.java | 14 +++++++-
docs/user-manual/en/security.md | 18 +++++++---
.../LegacyLDAPSecuritySettingPluginTest.java | 38 ++++++++++++++++++++++
.../src/test/resources/AMQauth.ldif | 25 ++++++++++++++
4 files changed, 89 insertions(+), 6 deletions(-)
diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/LegacyLDAPSecuritySettingPlugin.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/LegacyLDAPSecuritySettingPlugin.java
index 6f33565..812b0dc 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/LegacyLDAPSecuritySettingPlugin.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/LegacyLDAPSecuritySettingPlugin.java
@@ -65,6 +65,7 @@ public class LegacyLDAPSecuritySettingPlugin implements SecuritySettingPlugin {
public static final String READ_PERMISSION_VALUE = "readPermissionValue";
public static final String WRITE_PERMISSION_VALUE = "writePermissionValue";
public static final String ENABLE_LISTENER = "enableListener";
+ public static final String MAP_ADMIN_TO_MANAGE = "mapAdminToManage";
private String initialContextFactory = "com.sun.jndi.ldap.LdapCtxFactory";
private String connectionURL = "ldap://localhost:1024";
@@ -79,6 +80,7 @@ public class LegacyLDAPSecuritySettingPlugin implements SecuritySettingPlugin {
private String readPermissionValue = "read";
private String writePermissionValue = "write";
private boolean enableListener = true;
+ private boolean mapAdminToManage = false;
private DirContext context;
private EventDirContext eventContext;
@@ -101,6 +103,7 @@ public class LegacyLDAPSecuritySettingPlugin implements SecuritySettingPlugin {
readPermissionValue = getOption(options, READ_PERMISSION_VALUE, readPermissionValue);
writePermissionValue = getOption(options, WRITE_PERMISSION_VALUE, writePermissionValue);
enableListener = getOption(options, ENABLE_LISTENER, Boolean.TRUE.toString()).equalsIgnoreCase(Boolean.TRUE.toString());
+ mapAdminToManage = getOption(options, MAP_ADMIN_TO_MANAGE, Boolean.FALSE.toString()).equalsIgnoreCase(Boolean.TRUE.toString());
}
return this;
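Review bot: The new option parse on the `mapAdminToManage =` line treats every value other than a case-insensitive `true` as `false`, so a typo such as `mapAdminToManage=yes` silently leaves the mapping disabled with no diagnostic. That is the fail-closed direction for a permission-widening flag, which is right, but an operator who expected `manage` to be granted gets no hint why it is not. Consider logging at warn level when the supplied value is neither `true` nor `false`, and for style the expression can be shortened to `mapAdminToManage = Boolean.parseBoolean(getOption(options, MAP_ADMIN_TO_MANAGE, Boolean.FALSE.toString()));`, matching what the `enableListener` line above does today. The enclosing `init`-style method begins outside this hunk.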
@@ -232,6 +235,15 @@ public class LegacyLDAPSecuritySettingPlugin implements SecuritySettingPlugin {
return this;
}
+ public boolean isMapAdminToManage() {
+ return mapAdminToManage;
+ }
+
+ public LegacyLDAPSecuritySettingPlugin setMapAdminToManage(boolean mapAdminToManage) {
+ this.mapAdminToManage = mapAdminToManage;
+ return this;
+ }
+
protected boolean isContextAlive() {
boolean alive = false;
if (context != null) {
@@ -400,7 +412,7 @@ public class LegacyLDAPSecuritySettingPlugin implements SecuritySettingPlugin {
permissionType.equalsIgnoreCase(adminPermissionValue), // deleteDurableQueue
permissionType.equalsIgnoreCase(adminPermissionValue), // createNonDurableQueue
permissionType.equalsIgnoreCase(adminPermissionValue), // deleteNonDurableQueue
- false, // manage - there is no permission from ActiveMQ 5.x that corresponds to this
+ mapAdminToManage ? permissionType.equalsIgnoreCase(adminPermissionValue) : false, // manage - map to admin based on configuration
permissionType.equalsIgnoreCase(readPermissionValue), // browse
permissionType.equalsIgnoreCase(adminPermissionValue), // createAddress
permissionType.equalsIgnoreCase(adminPermissionValue) // deleteAddress
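Review bot: The replaced `manage` line now grants a capability that the legacy `admin` permission never carried, and the inline comment should say so, because `manage` authorizes sending to the broker's management address (the new test exercises exactly that), which is a broker-wide control surface rather than the per-destination auto-create behavior 5.x `admin` governed. Anyone flipping `mapAdminToManage` should understand that every LDAP destination entry with an `admin` group whose match covers the management address hands that role management access. I would also write the condition as a conjunction rather than a ternary that yields a constant: `mapAdminToManage && permissionType.equalsIgnoreCase(adminPermissionValue), // manage - opt-in via mapAdminToManage; widens legacy admin to broker management`. The `Role` construction this line belongs to starts and ends outside the hunk.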
diff --git a/docs/user-manual/en/security.md b/docs/user-manual/en/security.md
index 340f038..2263f20 100644
--- a/docs/user-manual/en/security.md
+++ b/docs/user-manual/en/security.md
@@ -256,6 +256,10 @@ and Security Layer (SASL) authentication is currently not supported.
receive updates made in the LDAP server and update the broker's authorization
configuration in real-time. The default value is `true`.
+- `mapAdminToManage`. Whether or not to map the legacy `admin` permission to the
+ `manage` permission. See details of the mapping semantics below. The default
+ value is `false`.
+
The name of the queue or topic defined in LDAP will serve as the "match" for
the security-setting, the permission value will be mapped from the ActiveMQ 5.x
type to the Artemis type, and the role will be mapped as-is.
@@ -271,20 +275,24 @@ and `manage`. Here's how the old types are mapped to the new types:
- `read` - `consume`, `browse`
- `write` - `send`
- `admin` - `createAddress`, `deleteAddress`, `createDurableQueue`,
- `deleteDurableQueue`, `createNonDurableQueue`, `deleteNonDurableQueue`
+ `deleteDurableQueue`, `createNonDurableQueue`, `deleteNonDurableQueue`,
+ `manage` (if `mapAdminToManage` is `true`)
As mentioned, there are a few places where a translation was performed to
achieve some equivalence.:
-- This mapping doesn't include the Artemis `manage` permission type since there
- is no type analogous for that in ActiveMQ 5.x.
+- This mapping doesn't include the Artemis `manage` permission type by default
+ since there is no type analogous for that in ActiveMQ 5.x. However, if
+ `mapAdminToManage` is `true` then the legacy `admin` permission will be
+ mapped to the `manage` permission.
- The `admin` permission in ActiveMQ 5.x relates to whether or not the broker
will auto-create a destination if it doesn't exist and the user sends a
message to it. Artemis automatically allows the automatic creation of a
destination if the user has permission to send message to it. Therefore, the
- plugin will map the `admin` permission to the 4 aforementioned permissions in
- Artemis.
+ plugin will map the `admin` permission to the 6 aforementioned permissions in
+ Artemis by default. If `mapAdminToManage` is `true` then the legacy `admin`
+ permission will be mapped to the `manage` permission as well.
## Secure Sockets Layer (SSL) Transport
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/LegacyLDAPSecuritySettingPluginTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/LegacyLDAPSecuritySettingPluginTest.java
index b601b5f..a4cbdc1 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/LegacyLDAPSecuritySettingPluginTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/LegacyLDAPSecuritySettingPluginTest.java
@@ -217,6 +217,14 @@ public class LegacyLDAPSecuritySettingPluginTest extends AbstractLdapTestUnit {
// ignore
}
+ // MANAGE
+ try {
+ ClientProducer producer = session.createProducer(server.getConfiguration().getManagementAddress());
+ producer.send(session.createMessage(true));
+ Assert.fail("should throw exception here");
+ } catch (ActiveMQException e) {
+ }
+
session.close();
cf.close();
}
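Review bot: The added MANAGE check catches any `ActiveMQException` and swallows it, so the assertion also passes if the send to the management address fails for a reason unrelated to authorization (for example a transport or address problem), which would mask a regression where the plugin wrongly grants `manage`. Narrow the catch to the security failure, e.g. `catch (ActiveMQSecurityException e)` if that type is imported in this test class, or otherwise assert the exception type inside the catch, and leave a comment such as `// expected: role lacks manage on the management address`. The enclosing test method begins outside this hunk.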
@@ -278,6 +286,36 @@ public class LegacyLDAPSecuritySettingPluginTest extends AbstractLdapTestUnit {
Assert.fail("should not throw exception here");
}
+ // MANAGE
+ try {
+ ClientProducer producer = session.createProducer(server.getConfiguration().getManagementAddress());
+ producer.send(session.createMessage(true));
+ // don't enable manage permission by default; must set mapAdminToManage=true in plugin config
+ Assert.fail("should throw exception here");
+ } catch (ActiveMQException e) {
+ }
+
+ session.close();
+ cf.close();
+ }
+
+ @Test
+ public void testPluginAuthorizationPositiveMappingAdminToManage() throws Exception {
+ ((LegacyLDAPSecuritySettingPlugin)server.getConfiguration().getSecuritySettingPlugins().get(0)).setMapAdminToManage(true);
+
+ server.start();
+
+ ClientSessionFactory cf = locator.createSessionFactory();
+ ClientSession session = cf.createSession("first", "secret", false, true, true, false, 0);
+
+ // MANAGE
+ try {
+ ClientProducer producer = session.createProducer(server.getConfiguration().getManagementAddress());
+ producer.send(session.createMessage(true));
+ } catch (ActiveMQException e) {
+ Assert.fail("should not throw exception here");
+ }
+
session.close();
cf.close();
}
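Review bot: `testPluginAuthorizationPositiveMappingAdminToManage` only shows that a role holding `admin` on `activemq.management` gains `manage` when the flag is on; there is no test that, with `mapAdminToManage=true`, a role holding only `read`/`write` on that destination is still denied, which is the regression that would matter if the mapping were ever widened by mistake. Adding a companion test that enables the flag, logs in as a user whose role lacks `admin` on the management address (if the fixture has such a user; the new LDIF entries only grant `role1`), and expects the send to fail with a security exception would close that gap. The negative MANAGE block earlier in this hunk has the same overly broad `catch (ActiveMQException e)` as the first test, and in both new blocks `session.close(); cf.close();` are not in a `finally`, so a failing assertion leaks the session for the rest of the run.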
diff --git a/tests/integration-tests/src/test/resources/AMQauth.ldif b/tests/integration-tests/src/test/resources/AMQauth.ldif
index e79257d..70e11f3 100755
--- a/tests/integration-tests/src/test/resources/AMQauth.ldif
+++ b/tests/integration-tests/src/test/resources/AMQauth.ldif
@@ -75,6 +75,13 @@ objectclass: top
uid: queue2
cn: queue2
+dn: uid=activemq.management,ou=queues,ou=destinations,o=ActiveMQ,ou=system
+objectclass: applicationProcess
+objectclass: uidObject
+objectclass: top
+uid: activemq.management
+cn: activemq.management
+
dn: cn=read,uid=queue1,ou=queues,ou=destinations,o=ActiveMQ,ou=system
objectclass: groupOfUniqueNames
objectclass: top
@@ -91,4 +98,22 @@ dn: cn=admin,uid=queue1,ou=queues,ou=destinations,o=ActiveMQ,ou=system
objectclass: groupOfUniqueNames
objectclass: top
cn: admin
+uniquemember: uid=role1
+
+dn: cn=read,uid=activemq.management,ou=queues,ou=destinations,o=ActiveMQ,ou=system
+objectclass: groupOfUniqueNames
+objectclass: top
+cn: read
+uniquemember: uid=role1
+
+dn: cn=write,uid=activemq.management,ou=queues,ou=destinations,o=ActiveMQ,ou=system
+objectclass: groupOfUniqueNames
+objectclass: top
+cn: write
+uniquemember: uid=role1
+
+dn: cn=admin,uid=activemq.management,ou=queues,ou=destinations,o=ActiveMQ,ou=system
+objectclass: groupOfUniqueNames
+objectclass: top
+cn: admin
uniquemember: uid=role1
\ No newline at end of file