Posted to users@activemq.apache.org by David Martin <da...@qoritek.com> on 2021/11/18 17:16:04 UTC

Artemis - management.xml

Hi all,

I'm trying to configure role access via the Jolokia REST API for the single
attribute "Active" on the "org.apache.activemq.artemis" domain.

I have a user with a role "monitor" and want them to be able to access
nothing but the above attribute via e.g.
/console/jolokia/read/org.apache.activemq.artemis:broker=*/Active. The
manual regarding management.xml is clear about *method* access e.g. "get*"
but has no examples for *attribute* access.

Having spent about an hour on it I'm really stuck. Any help would be
appreciated.


Cheers,

Dave
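The replies in this thread show the answer to the attribute question: a Jolokia `read` of the `Active` attribute is authorised as its JMX getter `isActive`, so a single-attribute grant is just a method entry in management.xml. The script below is an added example (not code from the thread or from the Artemis project): it loads a copy of the management.xml posted later in the thread and evaluates reads and writes for the `monitor`, `amqro` and `amq` roles offline, which is a cheap way to review a policy before deploying it. The precedence it assumes (exact method name, then the longest matching prefix wildcard, then `*`, and domain matches before default-access) is a model chosen to reproduce the results reported in the thread, not the broker's own implementation, so check it against the Artemis version you run.

```python
"""Offline evaluator for an Artemis management.xml role-access policy.

Added example, not Artemis code. The precedence rules in roles_for_method
and is_allowed are an assumption modelled on the behaviour reported in the
thread (isActive granted to monitor while is* is not), not the broker's code.
"""
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

NS = "{http://activemq.org/schema}"

# Constructed copy of the management.xml posted in the thread (comments dropped).
MANAGEMENT_XML = """<management-context xmlns="http://activemq.org/schema">
   <authorisation>
      <whitelist>
         <entry domain="hawtio"/>
      </whitelist>
      <default-access>
         <access method="list*" roles="amq,amqro"/>
         <access method="get*" roles="amq,amqro"/>
         <access method="is*" roles="amq,amqro"/>
         <access method="set*" roles="amq"/>
         <access method="*" roles="amq"/>
      </default-access>
      <role-access>
         <match domain="org.apache.activemq.artemis">
            <access method="isActive" roles="amq,amqro,monitor"/>
            <access method="list*" roles="amq,amqro"/>
            <access method="get*" roles="amq,amqro"/>
            <access method="is*" roles="amq,amqro"/>
            <access method="set*" roles="amq"/>
            <access method="*" roles="amq"/>
         </match>
      </role-access>
   </authorisation>
</management-context>"""


def parse_access(elem):
    """Return [(method_pattern, {roles})] for a <default-access> or <match>."""
    return [(a.get("method"), set(a.get("roles", "").split(",")))
            for a in elem.findall(NS + "access")]


def load_policy(xml_text):
    """Return (default_access, [(domain, key, access_list)]) from management.xml."""
    auth = ET.fromstring(xml_text).find(NS + "authorisation")
    default = parse_access(auth.find(NS + "default-access"))
    matches = [(m.get("domain"), m.get("key"), parse_access(m))
               for m in auth.find(NS + "role-access").findall(NS + "match")]
    # Assumption: a keyed match is more specific and is consulted first.
    matches.sort(key=lambda m: m[1] is None)
    return default, matches


def object_name_matches(domain, key, object_name):
    """Match 'domain:key=value,...' against a <match domain=... key=...> entry."""
    obj_domain, _, props = object_name.partition(":")
    if obj_domain != domain:
        return False
    return key is None or key in props.split(",")


def roles_for_method(access_list, method):
    """Assumed precedence: exact name, then longest prefix wildcard, then '*'."""
    exact = [r for p, r in access_list if p == method]
    if exact:
        return exact[0]
    wild = [(p, r) for p, r in access_list if p != "*" and fnmatchcase(method, p)]
    if wild:
        return max(wild, key=lambda pr: len(pr[0]))[1]
    star = [r for p, r in access_list if p == "*"]
    return star[0] if star else set()


def is_allowed(policy, object_name, method, user_roles):
    """True if any of user_roles is granted `method` on `object_name`."""
    default, matches = policy
    for domain, key, access_list in matches:
        if object_name_matches(domain, key, object_name):
            return bool(roles_for_method(access_list, method) & set(user_roles))
    return bool(roles_for_method(default, method) & set(user_roles))


def attribute_read_method(attr, boolean=False):
    """A Jolokia 'read' of attribute X is guarded as its getter isX or getX."""
    return ("is" if boolean else "get") + attr


POLICY = load_policy(MANAGEMENT_XML)
BROKER = 'org.apache.activemq.artemis:broker="artemis-0"'  # constructed name

if __name__ == "__main__":
    for attr, boolean, roles in [("Active", True, ["monitor"]),
                                 ("AddressMemoryUsage", False, ["monitor"]),
                                 ("AddressMemoryUsage", False, ["amqro"])]:
        m = attribute_read_method(attr, boolean)
        print(f"{roles} read {attr} via {m}: {is_allowed(POLICY, BROKER, m, roles)}")
```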

Re: Artemis - management.xml

Posted by David Martin <da...@qoritek.com>.
Hi Tim,

The sed commands worked as expected.

Unfortunately it's the same if executed inside the pod:

root@artemis-0:/var/lib/artemis/bin# curl -H "Origin:http://localhost:8161" -u monitor:s3cret http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=*/Active
{"request":{"mbean":"org.apache.activemq.artemis:broker=*","attribute":"Active","type":"read"},"value":{"org.apache.activemq.artemis:broker=\"artemis-0\"":{"
root@artemis-0:/var/lib/artemis/bin# curl -H "Origin:http://localhost:8161" -u monitor:s3cret http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=*/AddressMemoryUsage
{"request":{"mbean":"org.apache.activemq.artemis:broker=*","attribute":"AddressMemoryUsage","type":"read"},"value":{"org.apache.activemq.artemis:broker=\"artemis-0\"":{"AddressMemoryUsage":0}},"timestamp":1638786958,"status":200}

I can also see that it is authenticating the correct user but trawling
through the Artemis code it doesn't appear that the role is logged anywhere
except some specific login modules but not this one:

2021-12-06 10:57:52,250 DEBUG
[org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule]
login monitor
2021-12-06 10:57:52,253 DEBUG
[org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule]
commit, result: true

Running the same container in docker with the same environment produces:

$ curl -H "Origin:http://localhost:8161" -u monitor:s3cret http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=*/Active
{"request":{"mbean":"org.apache.activemq.artemis:broker=*","attribute":"Active","type":"read"},"value":{"org.apache.activemq.artemis:broker=\"50cbfe9b6b51\"":{"Active":true}},"timestamp":1638786790,"status":200}
$ curl -H "Origin:http://localhost:8161" -u monitor:s3cret http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=*/AddressMemoryUsage
{"request":{"mbean":"org.apache.activemq.artemis:broker=*","attribute":"AddressMemoryUsage","type":"read"},"error_type":"java.lang.Exception","error":"java.lang.Exception: Insufficient roles\/credentials for operation","status":403}

I'm using microk8s locally but I could try a different k8s next.


Thanks,

Dave


On Sun, 5 Dec 2021 at 13:40, Tim Bain <tb...@alumni.duke.edu> wrote:

> To take the K8s networking out of the equation, maybe kubectl exec a shell
> session into the container and invoke the curl command against localhost?
>
> And while you're in the container, you can check that your sed command
> produced the expected output.
>
> Tim
>
> On Fri, Dec 3, 2021, 9:45 AM Domenico Francesco Bruscino <
> bruscinodf@gmail.com> wrote:
>
> > Hi Dave,
> >
> > could you get the artemis etc folder from your kubernetes container
> > and share it?
> >
> > Thanks,
> > Domenico
> >
> >
> > On Fri, 3 Dec 2021 at 17:17, David Martin <da...@qoritek.com> wrote:
> >
> > > Hi Domenico,
> > >
> > > Thanks - after further experimentation it appears to be related to
> > > Kubernetes but it's pretty baffling (to me at least). It works in
> Docker.
> > >
> > > The build steps are essentially the same as yours, executed via a
> > > Dockerfile (
> > >
> > >
> >
> https://github.com/vromero/activemq-artemis-docker/blob/master/src/Dockerfile
> > > )
> > > -
> > >
> > > "/opt/apache-artemis-${ACTIVEMQ_ARTEMIS_VERSION}/bin/artemis" create
> > > artemis \
> > > --home /opt/apache-artemis \
> > > --user artemis \
> > > --password simetraehcapa \
> > > --role amq \
> > > --require-login \
> > > --cluster-user artemisCluster \
> > > --cluster-password simetraehcaparetsulc ; \
> > > The only other thing it changes is binding to 0.0.0.0 in Jolokia
> instead
> > of
> > > localhost.
> > >
> > > Then I have sed commands quite similar to yours.
> > >
> > > sed -i "s#\(HAWTIO_ROLE='amq\)#\1,amqro,monitor#" artemis.profile
> > > sed -i 's#\(<access method="\(list\|get\|is\)\*"
> > roles="amq\)"#\1,amqro"#;
> > >         s#\(\.activemq\.artemis">\)#\1\n            <access
> > > method="isActive" roles="amq,amqro,monitor"/>#' management.xml
> > > sed -i 's#\(<restrict>\)#\1\n  <remote>\n    <host>127.0.0.1</host>\n
> > >  <host>localhost</host>\n    <host>10.0.0.0/8</host> \
> > >     <host>172.16.0.0/12</host>\n    <host>192.168.0.0/16</host>\n
> > >  </remote>#' jolokia-access.xml
> > >
> > > When I run the image in docker, it works. The API works as per your
> > > examples and when I use the console as the monitor user, everything is
> > > locked down except for the Active property in JMX.
> > >
> > > When I run it in Kubernetes with the same image and env vars (accessing
> > via
> > > a nodeport or via kubectl port-forward) it doesn't. Any API method is
> > > accessible and the console functionality is unlocked regardless of my
> > user,
> > > although in the JMX tab I cannot invoke any operations (though I can
> view
> > > all the properties). If I put debugging on jaas I can see it
> > authenticating
> > > the right user.
> > >
> > > I guess you may not want to help with a 3rd party docker image. I may
> > have
> > > to resort to an NGINX sidecar to get the user name from the
> Authorization
> > > header and filter it that way!
> > >
> > > I've tried building versions 2.16 and 2.18, same outcome.
> > >
> > >
> > > Many thanks,
> > >
> > > Dave
> > >
> > >
> > >
> > >
> > > On Thu, 2 Dec 2021 at 21:45, Domenico Francesco Bruscino <
> > > bruscinodf@gmail.com> wrote:
> > >
> > > > Hi Dave,
> > > >
> > > > I'm not able to reproduce your issue executing the following steps:
> > > >
> > > > 1) create a new broker instance:
> > > > ./bin/artemis create broker --user admin --password admin
> > --require-login
> > > >
> > > > 2) add test user with monitor role
> > > > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> > > > echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties
> > > >
> > > > 3) add rtest user with amqro role
> > > > echo -e "\nrtest = rtest" >> ./broker/etc/artemis-users.properties
> > > > echo -e "\namqro = rtest" >> ./broker/etc/artemis-roles.properties
> > > >
> > > > 4) add the monitor role to HAWTIO_ROLE in artemis.profile
> > > > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,amqro,monitor'/"
> > > > ./broker/etc/artemis.profile
> > > >
> > > > 5) add the access for the isActive method in management.xml
> > > > sed -i
> > > >
> 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\
> > > > method="isActive"\ roles="amq,monitor"\/>/'
> ./broker/etc/management.xml
> > > >
> > > > 6) add the access for amqro in management.xml
> > > > sed -i 's/amq/amq,amqro/' ./broker/etc/management.xm
> > > >
> > > > 5) run the broker
> > > > ./broker/bin/artemis run
> > > >
> > > > 6) read the Active attribute with test user (monitor role)
> > > > curl -H "Origin:http://localhost:8161" -u test:test
> > > >
> > > >
> > >
> >
> http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\
> > > > "0.0.0.0\"/Active
> > > >
> > > >
> > >
> >
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
> > > >
> > > > 7) read the AddressMemoryUsage attribute with test user (monitor
> role)
> > > > curl -H "Origin:http://localhost:8161" -u test:test
> > > >
> > > >
> > >
> >
> http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\
> > > > "0.0.0.0\"/AddressMemoryUsage
> > > >
> > > >
> > >
> >
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"error_type":"java.lang.Exception","error":"java.lang.Exception
> > > > : User not authorized to access attribute:
> > > > AddressMemoryUsage","status":403}
> > > >
> > > > 7) read the AddressMemoryUsage attribute with rtest user (amqro role)
> > > > curl -H "Origin:http://localhost:8161" -u rtest:rtest
> > > >
> > > >
> > >
> >
> http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\
> > > > "0.0.0.0\"/AddressMemoryUsage
> > > >
> > > >
> > >
> >
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638481397,"status":200}
> > > >
> > > > Could you add the steps to reproduce your issue?
> > > >
> > > > Regards,
> > > > Domenico
> > > >
> > > > On Thu, 2 Dec 2021 at 13:43, David Martin <da...@qoritek.com>
> wrote:
> > > >
> > > > > Hi Domenico,
> > > > >
> > > > > Following up on this I decided to try adding a readonly console
> user
> > > with
> > > > > the role "amqro" and that is when I discovered that the users in
> > > > > HAWTIO_ROLE have unencumbered access to both the console and the
> > > Jolokia
> > > > > REST API.
> > > > >
> > > > > 1/ Even the user with the monitor role can log in to the console
> and
> > do
> > > > > things like delete queues and connections.
> > > > >
> > > > > 2/ User with monitor role able to invoke other methods than /Active
> > > e.g.
> > > > > /AddressMemoryUsage (verified username/password with base64 -d) -
> > > > >
> > > > > $ curl -H 'Origin: $(hostname -i)' -H 'Authorization: Basic xxxxx'
> '
> > > > >
> > > > >
> > > >
> > >
> >
> http://localhost:31161/console/jolokia/read/org.apache.activemq.artemis:broker=!%22artemis-0!%22/AddressMemoryUsage
> > > > > '
> > > > >
> > > > >
> > > >
> > >
> >
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"artemis-0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638448344,"status":200}
> > > > >
> > > > > 3/ management.xml -
> > > > >
> > > > > <management-context xmlns="http://activemq.org/schema">
> > > > >    <!--<connector connector-port="1099"/>-->
> > > > >    <authorisation>
> > > > >       <whitelist>
> > > > >          <entry domain="hawtio"/>
> > > > >       </whitelist>
> > > > >       <default-access>
> > > > >          <access method="list*" roles="amq,amqro"/>
> > > > >          <access method="get*" roles="amq,amqro"/>
> > > > >          <access method="is*" roles="amq,amqro"/>
> > > > >          <access method="set*" roles="amq"/>
> > > > >          <access method="*" roles="amq"/>
> > > > >       </default-access>
> > > > >       <role-access>
> > > > >          <match domain="org.apache.activemq.artemis">
> > > > >             <access method="isActive" roles="amq,amqro,monitor"/>
> > > > >             <access method="list*" roles="amq,amqro"/>
> > > > >             <access method="get*" roles="amq,amqro"/>
> > > > >             <access method="is*" roles="amq,amqro"/>
> > > > >             <access method="set*" roles="amq"/>
> > > > >             <access method="*" roles="amq"/>
> > > > >          </match>
> > > > >          <!--example of how to configure a specific object-->
> > > > >          <!--<match domain="org.apache.activemq.artemis"
> > > > > key="subcomponent=queues">
> > > > >             <access method="list*" roles="view,update,amq"/>
> > > > >             <access method="get*" roles="view,update,amq"/>
> > > > >             <access method="is*" roles="view,update,amq"/>
> > > > >             <access method="set*" roles="update,amq"/>
> > > > >             <access method="*" roles="amq"/>
> > > > >          </match>-->
> > > > >       </role-access>
> > > > >    </authorisation>
> > > > > </management-context>
> > > > >
> > > > > 4/ artemis-profile -
> > > > >
> > > > > # Hawtio Properties
> > > > > HAWTIO_ROLE='amq,amqro,monitor'
> > > > >
> > > > > # Java Opts
> > > > > if [ -z "$JAVA_ARGS" ]; then
> > > > >  JAVA_ARGS="$BROKER_CONFIGS
> > > > >
> > > > >
> > > >
> > >
> >
> -javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml
> > > > > -Dcom.sun.management.jmxremote=true
> > > > > -Dcom.sun.management.jmxremote.port=1099
> > > > > -Dcom.sun.management.jmxremote.rmi.port=1098
> > > > > -Dcom.sun.management.jmxremote.ssl=false
> > > > > -Dcom.sun.management.jmxremote.authenticate=false
> > -Dipv4addr=$(hostname
> > > > -f)
> > > > > -Ddomain=artemis-headless.sis-247.svc.cluster.local
> > > > > -Dcluster.password=2b186afe-4e99-4a33-a47f-042df1fadd1d
> > > > > -Dcrmt.poll.cron=0_0/2_*_*_*_? -Dcrmt.jwt=mockDoesNotCheckIt
> > > > > -Dpage.size=2097152 -Dpaging.threshold=10485760
> > > > > -Dmin.large.message.size=204800
> > -Dsecurity.invalidation.interval=600000
> > > > > -Dhawtio.authenticationEnabled=true
> > -Djava.net.preferIPv4Addresses=true
> > > > > -Djava.net.preferIPv4Stack=true -XX:+UnlockExperimentalVMOptions
> > > > > -XX:+UseCGroupMemoryLimitForHeap -XX:MaxRAMFraction=2
> > > > >  -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+UseStringDeduplication
> > > > > -Dhawtio.disableProxy=true -Dhawtio.realm=activemq
> > > -Dhawtio.offline=true
> > > > >
> > > > >
> > > >
> > >
> >
> -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal
> > > > >
> > -Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml"
> > > > > fi
> > > > >
> > > > > Do you or anyone in this group have any suggestions on how the
> > monitor
> > > > (and
> > > > > amqro) roles can be actually restricted? I tried adding
> > > > > -Dhawtio.authenticationEnabled=true but that had no effect.
> > > > >
> > > > >
> > > > > Thanks for your help,
> > > > >
> > > > >
> > > > > Dave
> > > > >
> > > > >
> > > > >
> > > > > On Thu, 18 Nov 2021 at 21:34, Domenico Francesco Bruscino <
> > > > > bruscinodf@gmail.com> wrote:
> > > > >
> > > > > > Hi Dave,
> > > > > >
> > > > > > you need to add the monitor role to HAWTIO_ROLE in
> artemis.profile
> > > and
> > > > > the
> > > > > > access for the isActive method in management.xml.
> > > > > >
> > > > > > Execute the following steps to get a working example:
> > > > > >
> > > > > > 1) create a new broker instance:
> > > > > > ./bin/artemis create broker --user admin --password admin
> > > > --require-login
> > > > > >
> > > > > > 2) add test user with monitor role
> > > > > > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> > > > > > echo -e "\nmonitor = test" >>
> ./broker/etc/artemis-roles.properties
> > > > > >
> > > > > > 3) add the monitor role to HAWTIO_ROLE in artemis.profile
> > > > > > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,monitor'/"
> > > > > > ./broker/etc/artemis.profile
> > > > > >
> > > > > > 4) add the access for the isActive method in management.xml
> > > > > > sed -i
> > > > > >
> > > 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\
> > > > > > method="isActive"\ roles="amq,monitor"\/>/'
> > > ./broker/etc/management.xml
> > > > > >
> > > > > > 5) run the broker
> > > > > > ./broker/bin/artemis run
> > > > > >
> > > > > > 6) read the Active attribute
> > > > > > curl -H "Origin:http://localhost:8161" -u test:test
> > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\
> > > > > > "0.0.0.0\"/Active
> > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
> > > > > >
> > > > > > Regards,
> > > > > > Domenico
> > > > > >
> > > > > > On Thu, 18 Nov 2021 at 18:16, David Martin <da...@qoritek.com>
> > > wrote:
> > > > > >
> > > > > > > Hi all,
> > > > > > >
> > > > > > > I'm trying to configure role access via the Jolokia REST API
> for
> > > the
> > > > > > single
> > > > > > > attribute "Active" on the "org.apache.activemq.artemis" domain.
> > > > > > >
> > > > > > > I have a user with a role "monitor" and want them to be able to
> > > > access
> > > > > > > nothing but the above attribute via e.g.
> > > > > > >
> > /console/jolokia/read/org.apache.activemq.artemis:broker=*/Active.
> > > > The
> > > > > > > manual regarding management.xml is clear about *method *access
> > e.g.
> > > > > > "get*"
> > > > > > > but has no examples for *attribute *access.
> > > > > > >
> > > > > > > Having spent about an hour on it I'm really stuck. Any help
> would
> > > be
> > > > > > > appreciated.
> > > > > > >
> > > > > > >
> > > > > > > Cheers,
> > > > > > >
> > > > > > > Dave
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>

Re: Artemis - management.xml

Posted by Tim Bain <tb...@alumni.duke.edu>.
To take the K8s networking out of the equation, maybe kubectl exec a shell
session into the container and invoke the curl command against localhost?

And while you're in the container, you can check that your sed command
produced the expected output.

Tim

On Fri, Dec 3, 2021, 9:45 AM Domenico Francesco Bruscino <
bruscinodf@gmail.com> wrote:

> Hi Dave,
>
> could you get the artemis etc folder from your kubernetes container
> and share it?
>
> Thanks,
> Domenico
>
>
> On Fri, 3 Dec 2021 at 17:17, David Martin <da...@qoritek.com> wrote:
>
> > Hi Domenico,
> >
> > Thanks - after further experimentation it appears to be related to
> > Kubernetes but it's pretty baffling (to me at least). It works in Docker.
> >
> > The build steps are essentially the same as yours, executed via a
> > Dockerfile (
> >
> >
> https://github.com/vromero/activemq-artemis-docker/blob/master/src/Dockerfile
> > )
> > -
> >
> > "/opt/apache-artemis-${ACTIVEMQ_ARTEMIS_VERSION}/bin/artemis" create
> > artemis \
> > --home /opt/apache-artemis \
> > --user artemis \
> > --password simetraehcapa \
> > --role amq \
> > --require-login \
> > --cluster-user artemisCluster \
> > --cluster-password simetraehcaparetsulc ; \
> > The only other thing it changes is binding to 0.0.0.0 in Jolokia instead
> of
> > localhost.
> >
> > Then I have sed commands quite similar to yours.
> >
> > sed -i "s#\(HAWTIO_ROLE='amq\)#\1,amqro,monitor#" artemis.profile
> > sed -i 's#\(<access method="\(list\|get\|is\)\*"
> roles="amq\)"#\1,amqro"#;
> >         s#\(\.activemq\.artemis">\)#\1\n            <access
> > method="isActive" roles="amq,amqro,monitor"/>#' management.xml
> > sed -i 's#\(<restrict>\)#\1\n  <remote>\n    <host>127.0.0.1</host>\n
> >  <host>localhost</host>\n    <host>10.0.0.0/8</host> \
> >     <host>172.16.0.0/12</host>\n    <host>192.168.0.0/16</host>\n
> >  </remote>#' jolokia-access.xml
> >
> > When I run the image in docker, it works. The API works as per your
> > examples and when I use the console as the monitor user, everything is
> > locked down except for the Active property in JMX.
> >
> > When I run it in Kubernetes with the same image and env vars (accessing
> via
> > a nodeport or via kubectl port-forward) it doesn't. Any API method is
> > accessible and the console functionality is unlocked regardless of my
> user,
> > although in the JMX tab I cannot invoke any operations (though I can view
> > all the properties). If I put debugging on jaas I can see it
> authenticating
> > the right user.
> >
> > I guess you may not want to help with a 3rd party docker image. I may
> have
> > to resort to an NGINX sidecar to get the user name from the Authorization
> > header and filter it that way!
> >
> > I've tried building versions 2.16 and 2.18, same outcome.
> >
> >
> > Many thanks,
> >
> > Dave
> >
> >
> >
> >
> > On Thu, 2 Dec 2021 at 21:45, Domenico Francesco Bruscino <
> > bruscinodf@gmail.com> wrote:
> >
> > > Hi Dave,
> > >
> > > I'm not able to reproduce your issue executing the following steps:
> > >
> > > 1) create a new broker instance:
> > > ./bin/artemis create broker --user admin --password admin
> --require-login
> > >
> > > 2) add test user with monitor role
> > > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> > > echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties
> > >
> > > 3) add rtest user with amqro role
> > > echo -e "\nrtest = rtest" >> ./broker/etc/artemis-users.properties
> > > echo -e "\namqro = rtest" >> ./broker/etc/artemis-roles.properties
> > >
> > > 4) add the monitor role to HAWTIO_ROLE in artemis.profile
> > > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,amqro,monitor'/"
> > > ./broker/etc/artemis.profile
> > >
> > > 5) add the access for the isActive method in management.xml
> > > sed -i
> > > 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\
> > > method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml
> > >
> > > 6) add the access for amqro in management.xml
> > > sed -i 's/amq/amq,amqro/' ./broker/etc/management.xm
> > >
> > > 5) run the broker
> > > ./broker/bin/artemis run
> > >
> > > 6) read the Active attribute with test user (monitor role)
> > > curl -H "Origin:http://localhost:8161" -u test:test
> > >
> > >
> >
> http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\
> > > "0.0.0.0\"/Active
> > >
> > >
> >
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
> > >
> > > 7) read the AddressMemoryUsage attribute with test user (monitor role)
> > > curl -H "Origin:http://localhost:8161" -u test:test
> > >
> > >
> >
> http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\
> > > "0.0.0.0\"/AddressMemoryUsage
> > >
> > >
> >
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"error_type":"java.lang.Exception","error":"java.lang.Exception
> > > : User not authorized to access attribute:
> > > AddressMemoryUsage","status":403}
> > >
> > > 7) read the AddressMemoryUsage attribute with rtest user (amqro role)
> > > curl -H "Origin:http://localhost:8161" -u rtest:rtest
> > >
> > >
> >
> http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\
> > > "0.0.0.0\"/AddressMemoryUsage
> > >
> > >
> >
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638481397,"status":200}
> > >
> > > Could you add the steps to reproduce your issue?
> > >
> > > Regards,
> > > Domenico
> > >
> > > On Thu, 2 Dec 2021 at 13:43, David Martin <da...@qoritek.com> wrote:
> > >
> > > > Hi Domenico,
> > > >
> > > > Following up on this I decided to try adding a readonly console user
> > with
> > > > the role "amqro" and that is when I discovered that the users in
> > > > HAWTIO_ROLE have unencumbered access to both the console and the
> > Jolokia
> > > > REST API.
> > > >
> > > > 1/ Even the user with the monitor role can log in to the console and
> do
> > > > things like delete queues and connections.
> > > >
> > > > 2/ User with monitor role able to invoke other methods than /Active
> > e.g.
> > > > /AddressMemoryUsage (verified username/password with base64 -d) -
> > > >
> > > > $ curl -H 'Origin: $(hostname -i)' -H 'Authorization: Basic xxxxx' '
> > > >
> > > >
> > >
> >
> http://localhost:31161/console/jolokia/read/org.apache.activemq.artemis:broker=!%22artemis-0!%22/AddressMemoryUsage
> > > > '
> > > >
> > > >
> > >
> >
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"artemis-0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638448344,"status":200}
> > > >
> > > > 3/ management.xml -
> > > >
> > > > <management-context xmlns="http://activemq.org/schema">
> > > >    <!--<connector connector-port="1099"/>-->
> > > >    <authorisation>
> > > >       <whitelist>
> > > >          <entry domain="hawtio"/>
> > > >       </whitelist>
> > > >       <default-access>
> > > >          <access method="list*" roles="amq,amqro"/>
> > > >          <access method="get*" roles="amq,amqro"/>
> > > >          <access method="is*" roles="amq,amqro"/>
> > > >          <access method="set*" roles="amq"/>
> > > >          <access method="*" roles="amq"/>
> > > >       </default-access>
> > > >       <role-access>
> > > >          <match domain="org.apache.activemq.artemis">
> > > >             <access method="isActive" roles="amq,amqro,monitor"/>
> > > >             <access method="list*" roles="amq,amqro"/>
> > > >             <access method="get*" roles="amq,amqro"/>
> > > >             <access method="is*" roles="amq,amqro"/>
> > > >             <access method="set*" roles="amq"/>
> > > >             <access method="*" roles="amq"/>
> > > >          </match>
> > > >          <!--example of how to configure a specific object-->
> > > >          <!--<match domain="org.apache.activemq.artemis"
> > > > key="subcomponent=queues">
> > > >             <access method="list*" roles="view,update,amq"/>
> > > >             <access method="get*" roles="view,update,amq"/>
> > > >             <access method="is*" roles="view,update,amq"/>
> > > >             <access method="set*" roles="update,amq"/>
> > > >             <access method="*" roles="amq"/>
> > > >          </match>-->
> > > >       </role-access>
> > > >    </authorisation>
> > > > </management-context>
> > > >
> > > > 4/ artemis-profile -
> > > >
> > > > # Hawtio Properties
> > > > HAWTIO_ROLE='amq,amqro,monitor'
> > > >
> > > > # Java Opts
> > > > if [ -z "$JAVA_ARGS" ]; then
> > > >  JAVA_ARGS="$BROKER_CONFIGS
> > > >
> > > >
> > >
> >
> -javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml
> > > > -Dcom.sun.management.jmxremote=true
> > > > -Dcom.sun.management.jmxremote.port=1099
> > > > -Dcom.sun.management.jmxremote.rmi.port=1098
> > > > -Dcom.sun.management.jmxremote.ssl=false
> > > > -Dcom.sun.management.jmxremote.authenticate=false
> -Dipv4addr=$(hostname
> > > -f)
> > > > -Ddomain=artemis-headless.sis-247.svc.cluster.local
> > > > -Dcluster.password=2b186afe-4e99-4a33-a47f-042df1fadd1d
> > > > -Dcrmt.poll.cron=0_0/2_*_*_*_? -Dcrmt.jwt=mockDoesNotCheckIt
> > > > -Dpage.size=2097152 -Dpaging.threshold=10485760
> > > > -Dmin.large.message.size=204800
> -Dsecurity.invalidation.interval=600000
> > > > -Dhawtio.authenticationEnabled=true
> -Djava.net.preferIPv4Addresses=true
> > > > -Djava.net.preferIPv4Stack=true -XX:+UnlockExperimentalVMOptions
> > > > -XX:+UseCGroupMemoryLimitForHeap -XX:MaxRAMFraction=2
> > > >  -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+UseStringDeduplication
> > > > -Dhawtio.disableProxy=true -Dhawtio.realm=activemq
> > -Dhawtio.offline=true
> > > >
> > > >
> > >
> >
> -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal
> > > >
> -Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml"
> > > > fi
> > > >
> > > > Do you or anyone in this group have any suggestions on how the
> monitor
> > > (and
> > > > amqro) roles can be actually restricted? I tried adding
> > > > -Dhawtio.authenticationEnabled=true but that had no effect.
> > > >
> > > >
> > > > Thanks for your help,
> > > >
> > > >
> > > > Dave
> > > >
> > > >
> > > >
> > > > On Thu, 18 Nov 2021 at 21:34, Domenico Francesco Bruscino <
> > > > bruscinodf@gmail.com> wrote:
> > > >
> > > > > Hi Dave,
> > > > >
> > > > > you need to add the monitor role to HAWTIO_ROLE in artemis.profile
> > and
> > > > the
> > > > > access for the isActive method in management.xml.
> > > > >
> > > > > Execute the following steps to get a working example:
> > > > >
> > > > > 1) create a new broker instance:
> > > > > ./bin/artemis create broker --user admin --password admin
> > > --require-login
> > > > >
> > > > > 2) add test user with monitor role
> > > > > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> > > > > echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties
> > > > >
> > > > > 3) add the monitor role to HAWTIO_ROLE in artemis.profile
> > > > > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,monitor'/"
> > > > > ./broker/etc/artemis.profile
> > > > >
> > > > > 4) add the access for the isActive method in management.xml
> > > > > sed -i
> > > > >
> > 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\
> > > > > method="isActive"\ roles="amq,monitor"\/>/'
> > ./broker/etc/management.xml
> > > > >
> > > > > 5) run the broker
> > > > > ./broker/bin/artemis run
> > > > >
> > > > > 6) read the Active attribute
> > > > > curl -H "Origin:http://localhost:8161" -u test:test
> > > > >
> > > > >
> > > >
> > >
> >
> http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\
> > > > > "0.0.0.0\"/Active
> > > > >
> > > > >
> > > >
> > >
> >
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
> > > > >
> > > > > Regards,
> > > > > Domenico
> > > > >
> > > > > On Thu, 18 Nov 2021 at 18:16, David Martin <da...@qoritek.com>
> > wrote:
> > > > >
> > > > > > Hi all,
> > > > > >
> > > > > > I'm trying to configure role access via the Jolokia REST API for
> > the
> > > > > single
> > > > > > attribute "Active" on the "org.apache.activemq.artemis" domain.
> > > > > >
> > > > > > I have a user with a role "monitor" and want them to be able to
> > > access
> > > > > > nothing but the above attribute via e.g.
> > > > > >
> /console/jolokia/read/org.apache.activemq.artemis:broker=*/Active.
> > > The
> > > > > > manual regarding management.xml is clear about *method *access
> e.g.
> > > > > "get*"
> > > > > > but has no examples for *attribute *access.
> > > > > >
> > > > > > Having spent about an hour on it I'm really stuck. Any help would
> > be
> > > > > > appreciated.
> > > > > >
> > > > > >
> > > > > > Cheers,
> > > > > >
> > > > > > Dave
> > > > > >
> > > > >
> > > >
> > >
> >
>

Re: Artemis - management.xml

Posted by David Martin <da...@qoritek.com>.
There is still more to this (final message but for the sake of
completeness) -

1. In Artemis 2.16 nothing makes it work in Kubernetes but it works in
Docker
2. In Artemis 2.17+ it works in Kubernetes but only if the
com.sun.management.jmx.remote system properties are unset.  The vromero
docker image enables remote JMX if using the JMX exporter but the latter
doesn't require remote JMX (which is kind of the point of it).

So it seems that something relevant changed between v2.16 & v2.17 perhaps
on one of the Hawtio/management tickets.


Thanks again,

Dave



On Mon, 6 Dec 2021 at 12:41, Tim Bain <tb...@alumni.duke.edu> wrote:

> Great, I'm glad you were able to figure it out, and thanks for sharing the
> root cause once you found it.
>
> Tim
>
> On Mon, Dec 6, 2021, 5:24 AM David Martin <da...@qoritek.com> wrote:
>
> > Domenico, Tim,
> >
> > I've figured it out.
> >
> > On further investigation, the kubernetes command params included the
> > following :
> >
> >
> >
> -javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml
> > -Dcom.sun.management.jmxremote=true
> > -Dcom.sun.management.jmxremote.port=1099
> > -Dcom.sun.management.jmxremote.rmi.port=1098
> > -Dcom.sun.management.jmxremote.ssl=false
> > -Dcom.sun.management.jmxremote.authenticate=false
> >
> > but the docker command params did not.
> >
> > This was due to setting the ENABLE_JMX option supported by this Docker
> > image.
> >
> > Seems that these parameters altered Hawtio's behaviour -
> > -Dcom.sun.management.jmxremote.authenticate=false perhaps?
> >
> > Thanks for all of your help,
> >
> >
> > Dave
> >
> >
> >
> > On Mon, 6 Dec 2021 at 10:33, David Martin <da...@qoritek.com> wrote:
> >
> > > Hi Domenico,
> > >
> > > root@artemis-0:/var/lib/artemis/etc# ls -l
> > > total 44
> > > -rw-r--r-- 1 artemis artemis   992 Dec  6 10:17
> artemis-roles.properties
> > > -rw-r--r-- 1 artemis artemis  1192 Dec  6 10:17
> artemis-users.properties
> > > -rw-r--r-- 1 artemis artemis  3880 Dec  6 10:17 artemis.profile
> > > -rw-r--r-- 1 artemis artemis  1495 Dec  3 14:30 bootstrap.xml
> > > -rw-r--r-- 1 root    root    11395 Dec  6 10:17 broker.xml
> > > -rw-r--r-- 1 artemis artemis  1448 Dec  6 10:17 jolokia-access.xml
> > > -rw-r--r-- 1 artemis artemis  3942 Dec  6 10:17 logging.properties
> > > -rw-r--r-- 1 artemis artemis  1086 Dec  3 14:30 login.config
> > > -rw-r--r-- 1 artemis artemis  2466 Dec  6 10:17 management.xml
> > >
> > > Attached the contents of this folder as requested. The same works as
> > > expected with Docker but not with k8s.
> > >
> > >
> > > Thanks,
> > >
> > > Dave
> > >
> > >
> > >
> > > On Fri, 3 Dec 2021 at 16:45, Domenico Francesco Bruscino <
> > > bruscinodf@gmail.com> wrote:
> > >
> > >> Hi Dave,
> > >>
> > >> could you get the artemis etc folder from your kubernetes container
> > >> and share it?
> > >>
> > >> Thanks,
> > >> Domenico
> > >>
> > >>
> > >> On Fri, 3 Dec 2021 at 17:17, David Martin <da...@qoritek.com> wrote:
> > >>
> > >> > Hi Domenico,
> > >> >
> > >> > Thanks - after further experimentation it appears to be related to
> > >> > Kubernetes but it's pretty baffling (to me at least). It works in
> > >> Docker.
> > >> >
> > >> > The build steps are essentially the same as yours, executed via a
> > >> > Dockerfile (
> > >> >
> > >> >
> > >>
> >
> https://github.com/vromero/activemq-artemis-docker/blob/master/src/Dockerfile
> > >> > )
> > >> > -
> > >> >
> > >> > "/opt/apache-artemis-${ACTIVEMQ_ARTEMIS_VERSION}/bin/artemis" create
> > >> > artemis \
> > >> > --home /opt/apache-artemis \
> > >> > --user artemis \
> > >> > --password simetraehcapa \
> > >> > --role amq \
> > >> > --require-login \
> > >> > --cluster-user artemisCluster \
> > >> > --cluster-password simetraehcaparetsulc ; \
> > >> > The only other thing it changes is binding to 0.0.0.0 in Jolokia
> > >> instead of
> > >> > localhost.
> > >> >
> > >> > Then I have sed commands quite similar to yours.
> > >> >
> > >> > sed -i "s#\(HAWTIO_ROLE='amq\)#\1,amqro,monitor#" artemis.profile
> > >> > sed -i 's#\(<access method="\(list\|get\|is\)\*"
> > >> roles="amq\)"#\1,amqro"#;
> > >> >         s#\(\.activemq\.artemis">\)#\1\n            <access
> > >> > method="isActive" roles="amq,amqro,monitor"/>#' management.xml
> > >> > sed -i 's#\(<restrict>\)#\1\n  <remote>\n
> <host>127.0.0.1</host>\n
> > >> >  <host>localhost</host>\n    <host>10.0.0.0/8</host> \
> > >> >     <host>172.16.0.0/12</host>\n    <host>192.168.0.0/16</host>\n
> > >> >  </remote>#' jolokia-access.xml
> > >> >
> > >> > When I run the image in docker, it works. The API works as per your
> > >> > examples and when I use the console as the monitor user, everything
> is
> > >> > locked down except for the Active property in JMX.
> > >> >
> > >> > When I run it in Kubernetes with the same image and env vars
> > (accessing
> > >> via
> > >> > a nodeport or via kubectl port-forward) it doesn't. Any API method
> is
> > >> > accessible and the console functionality is unlocked regardless of
> my
> > >> user,
> > >> > although in the JMX tab I cannot invoke any operations (though I can
> > >> view
> > >> > all the properties). If I put debugging on jaas I can see it
> > >> authenticating
> > >> > the right user.
> > >> >
> > >> > I guess you may not want to help with a 3rd party docker image. I
> may
> > >> have
> > >> > to resort to an NGINX sidecar to get the user name from the
> > >> Authorization
> > >> > header and filter it that way!
> > >> >
> > >> > I've tried building versions 2.16 and 2.18, same outcome.
> > >> >
> > >> >
> > >> > Many thanks,
> > >> >
> > >> > Dave
> > >> >
> > >> >
> > >> >
> > >> >
> > >> > On Thu, 2 Dec 2021 at 21:45, Domenico Francesco Bruscino <
> > >> > bruscinodf@gmail.com> wrote:
> > >> >
> > >> > > Hi Dave,
> > >> > >
> > >> > > I'm not able to reproduce your issue executing the following
> steps:
> > >> > >
> > >> > > 1) create a new broker instance:
> > >> > > ./bin/artemis create broker --user admin --password admin
> > >> --require-login
> > >> > >
> > >> > > 2) add test user with monitor role
> > >> > > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> > >> > > echo -e "\nmonitor = test" >>
> ./broker/etc/artemis-roles.properties
> > >> > >
> > >> > > 3) add rtest user with amqro role
> > >> > > echo -e "\nrtest = rtest" >> ./broker/etc/artemis-users.properties
> > >> > > echo -e "\namqro = rtest" >> ./broker/etc/artemis-roles.properties
> > >> > >
> > >> > > 4) add the monitor role to HAWTIO_ROLE in artemis.profile
> > >> > > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,amqro,monitor'/"
> > >> > > ./broker/etc/artemis.profile
> > >> > >
> > >> > > 5) add the access for the isActive method in management.xml
> > >> > > sed -i
> > >> > >
> > 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\
> > >> > > method="isActive"\ roles="amq,monitor"\/>/'
> > >> ./broker/etc/management.xml
> > >> > >
> > >> > > 6) add the access for amqro in management.xml
> > >> > > sed -i 's/amq/amq,amqro/' ./broker/etc/management.xml
> > >> > >
> > >> > > 7) run the broker
> > >> > > ./broker/bin/artemis run
> > >> > >
> > >> > > 8) read the Active attribute with test user (monitor role)
> > >> > > curl -H "Origin:http://localhost:8161" -u test:test
> > >> > >
> > >> > >
> > >> >
> > >>
> >
> http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\
> > >> > > "0.0.0.0\"/Active
> > >> > >
> > >> > >
> > >> >
> > >>
> >
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
> > >> > >
> > >> > > 9) read the AddressMemoryUsage attribute with test user (monitor
> > role)
> > >> > > curl -H "Origin:http://localhost:8161" -u test:test
> > >> > >
> > >> > >
> > >> >
> > >>
> >
> http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\
> > >> > > "0.0.0.0\"/AddressMemoryUsage
> > >> > >
> > >> > >
> > >> >
> > >>
> >
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"error_type":"java.lang.Exception","error":"java.lang.Exception
> > >> > > : User not authorized to access attribute:
> > >> > > AddressMemoryUsage","status":403}
> > >> > >
> > >> > > 10) read the AddressMemoryUsage attribute with rtest user (amqro
> > role)
> > >> > > curl -H "Origin:http://localhost:8161" -u rtest:rtest
> > >> > >
> > >> > >
> > >> >
> > >>
> >
> http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\
> > >> > > "0.0.0.0\"/AddressMemoryUsage
> > >> > >
> > >> > >
> > >> >
> > >>
> >
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638481397,"status":200}
> > >> > >
> > >> > > Could you add the steps to reproduce your issue?
> > >> > >
> > >> > > Regards,
> > >> > > Domenico
> > >> > >
> > >> > > On Thu, 2 Dec 2021 at 13:43, David Martin <da...@qoritek.com>
> > wrote:
> > >> > >
> > >> > > > Hi Domenico,
> > >> > > >
> > >> > > > Following up on this I decided to try adding a readonly console
> > user
> > >> > with
> > >> > > > the role "amqro" and that is when I discovered that the users in
> > >> > > > HAWTIO_ROLE have unencumbered access to both the console and the
> > >> > Jolokia
> > >> > > > REST API.
> > >> > > >
> > >> > > > 1/ Even the user with the monitor role can log in to the console
> > >> and do
> > >> > > > things like delete queues and connections.
> > >> > > >
> > >> > > > 2/ User with monitor role able to invoke other methods than
> > /Active
> > >> > e.g.
> > >> > > > /AddressMemoryUsage (verified username/password with base64 -d)
> -
> > >> > > >
> > >> > > > $ curl -H 'Origin: $(hostname -i)' -H 'Authorization: Basic
> > xxxxx' '
> > >> > > >
> > >> > > >
> > >> > >
> > >> >
> > >>
> >
> http://localhost:31161/console/jolokia/read/org.apache.activemq.artemis:broker=!%22artemis-0!%22/AddressMemoryUsage
> > >> > > > '
> > >> > > >
> > >> > > >
> > >> > >
> > >> >
> > >>
> >
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"artemis-0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638448344,"status":200}
> > >> > > >
> > >> > > > 3/ management.xml -
> > >> > > >
> > >> > > > <management-context xmlns="http://activemq.org/schema">
> > >> > > >    <!--<connector connector-port="1099"/>-->
> > >> > > >    <authorisation>
> > >> > > >       <whitelist>
> > >> > > >          <entry domain="hawtio"/>
> > >> > > >       </whitelist>
> > >> > > >       <default-access>
> > >> > > >          <access method="list*" roles="amq,amqro"/>
> > >> > > >          <access method="get*" roles="amq,amqro"/>
> > >> > > >          <access method="is*" roles="amq,amqro"/>
> > >> > > >          <access method="set*" roles="amq"/>
> > >> > > >          <access method="*" roles="amq"/>
> > >> > > >       </default-access>
> > >> > > >       <role-access>
> > >> > > >          <match domain="org.apache.activemq.artemis">
> > >> > > >             <access method="isActive"
> roles="amq,amqro,monitor"/>
> > >> > > >             <access method="list*" roles="amq,amqro"/>
> > >> > > >             <access method="get*" roles="amq,amqro"/>
> > >> > > >             <access method="is*" roles="amq,amqro"/>
> > >> > > >             <access method="set*" roles="amq"/>
> > >> > > >             <access method="*" roles="amq"/>
> > >> > > >          </match>
> > >> > > >          <!--example of how to configure a specific object-->
> > >> > > >          <!--<match domain="org.apache.activemq.artemis"
> > >> > > > key="subcomponent=queues">
> > >> > > >             <access method="list*" roles="view,update,amq"/>
> > >> > > >             <access method="get*" roles="view,update,amq"/>
> > >> > > >             <access method="is*" roles="view,update,amq"/>
> > >> > > >             <access method="set*" roles="update,amq"/>
> > >> > > >             <access method="*" roles="amq"/>
> > >> > > >          </match>-->
> > >> > > >       </role-access>
> > >> > > >    </authorisation>
> > >> > > > </management-context>
> > >> > > >
> > >> > > > 4/ artemis-profile -
> > >> > > >
> > >> > > > # Hawtio Properties
> > >> > > > HAWTIO_ROLE='amq,amqro,monitor'
> > >> > > >
> > >> > > > # Java Opts
> > >> > > > if [ -z "$JAVA_ARGS" ]; then
> > >> > > >  JAVA_ARGS="$BROKER_CONFIGS
> > >> > > >
> > >> > > >
> > >> > >
> > >> >
> > >>
> >
> -javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml
> > >> > > > -Dcom.sun.management.jmxremote=true
> > >> > > > -Dcom.sun.management.jmxremote.port=1099
> > >> > > > -Dcom.sun.management.jmxremote.rmi.port=1098
> > >> > > > -Dcom.sun.management.jmxremote.ssl=false
> > >> > > > -Dcom.sun.management.jmxremote.authenticate=false
> > >> -Dipv4addr=$(hostname
> > >> > > -f)
> > >> > > > -Ddomain=artemis-headless.sis-247.svc.cluster.local
> > >> > > > -Dcluster.password=2b186afe-4e99-4a33-a47f-042df1fadd1d
> > >> > > > -Dcrmt.poll.cron=0_0/2_*_*_*_? -Dcrmt.jwt=mockDoesNotCheckIt
> > >> > > > -Dpage.size=2097152 -Dpaging.threshold=10485760
> > >> > > > -Dmin.large.message.size=204800
> > >> -Dsecurity.invalidation.interval=600000
> > >> > > > -Dhawtio.authenticationEnabled=true
> > >> -Djava.net.preferIPv4Addresses=true
> > >> > > > -Djava.net.preferIPv4Stack=true -XX:+UnlockExperimentalVMOptions
> > >> > > > -XX:+UseCGroupMemoryLimitForHeap -XX:MaxRAMFraction=2
> > >> > > >  -XX:+PrintClassHistogram -XX:+UseG1GC
> -XX:+UseStringDeduplication
> > >> > > > -Dhawtio.disableProxy=true -Dhawtio.realm=activemq
> > >> > -Dhawtio.offline=true
> > >> > > >
> > >> > > >
> > >> > >
> > >> >
> > >>
> >
> -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal
> > >> > > >
> > >>
> -Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml"
> > >> > > > fi
> > >> > > >
> > >> > > > Do you or anyone in this group have any suggestions on how the
> > >> monitor
> > >> > > (and
> > >> > > > amqro) roles can be actually restricted? I tried adding
> > >> > > > -Dhawtio.authenticationEnabled=true but that had no effect.
> > >> > > >
> > >> > > >
> > >> > > > Thanks for your help,
> > >> > > >
> > >> > > >
> > >> > > > Dave
> > >> > > >
> > >> > > >
> > >> > > >
> > >> > > > On Thu, 18 Nov 2021 at 21:34, Domenico Francesco Bruscino <
> > >> > > > bruscinodf@gmail.com> wrote:
> > >> > > >
> > >> > > > > Hi Dave,
> > >> > > > >
> > >> > > > > you need to add the monitor role to HAWTIO_ROLE in
> > artemis.profile
> > >> > and
> > >> > > > the
> > >> > > > > access for the isActive method in management.xml.
> > >> > > > >
> > >> > > > > Execute the following steps to get a working example:
> > >> > > > >
> > >> > > > > 1) create a new broker instance:
> > >> > > > > ./bin/artemis create broker --user admin --password admin
> > >> > > --require-login
> > >> > > > >
> > >> > > > > 2) add test user with monitor role
> > >> > > > > echo -e "\ntest = test" >>
> ./broker/etc/artemis-users.properties
> > >> > > > > echo -e "\nmonitor = test" >>
> > >> ./broker/etc/artemis-roles.properties
> > >> > > > >
> > >> > > > > 3) add the monitor role to HAWTIO_ROLE in artemis.profile
> > >> > > > > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,monitor'/"
> > >> > > > > ./broker/etc/artemis.profile
> > >> > > > >
> > >> > > > > 4) add the access for the isActive method in management.xml
> > >> > > > > sed -i
> > >> > > > >
> > >> >
> 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\
> > >> > > > > method="isActive"\ roles="amq,monitor"\/>/'
> > >> > ./broker/etc/management.xml
> > >> > > > >
> > >> > > > > 5) run the broker
> > >> > > > > ./broker/bin/artemis run
> > >> > > > >
> > >> > > > > 6) read the Active attribute
> > >> > > > > curl -H "Origin:http://localhost:8161" -u test:test
> > >> > > > >
> > >> > > > >
> > >> > > >
> > >> > >
> > >> >
> > >>
> >
> http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\
> > >> > > > > "0.0.0.0\"/Active
> > >> > > > >
> > >> > > > >
> > >> > > >
> > >> > >
> > >> >
> > >>
> >
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
> > >> > > > >
> > >> > > > > Regards,
> > >> > > > > Domenico
> > >> > > > >
> > >> > > > > On Thu, 18 Nov 2021 at 18:16, David Martin <
> davidm@qoritek.com>
> > >> > wrote:
> > >> > > > >
> > >> > > > > > Hi all,
> > >> > > > > >
> > >> > > > > > I'm trying to configure role access via the Jolokia REST API
> > for
> > >> > the
> > >> > > > > single
> > >> > > > > > attribute "Active" on the "org.apache.activemq.artemis"
> > domain.
> > >> > > > > >
> > >> > > > > > I have a user with a role "monitor" and want them to be able
> > to
> > >> > > access
> > >> > > > > > nothing but the above attribute via e.g.
> > >> > > > > >
> > >> /console/jolokia/read/org.apache.activemq.artemis:broker=*/Active.
> > >> > > The
> > >> > > > > > manual regarding management.xml is clear about *method
> *access
> > >> e.g.
> > >> > > > > "get*"
> > >> > > > > > but has no examples for *attribute *access.
> > >> > > > > >
> > >> > > > > > Having spent about an hour on it I'm really stuck. Any help
> > >> would
> > >> > be
> > >> > > > > > appreciated.
> > >> > > > > >
> > >> > > > > >
> > >> > > > > > Cheers,
> > >> > > > > >
> > >> > > > > > Dave
> > >> > > > > >
> > >> > > > >
> > >> > > >
> > >> > >
> > >> >
> > >>
> > >
> >
>

Re: Artemis - management.xml

Posted by Tim Bain <tb...@alumni.duke.edu>.
Great, I'm glad you were able to figure it out, and thanks for sharing the
root cause once you found it.

Tim

On Mon, Dec 6, 2021, 5:24 AM David Martin <da...@qoritek.com> wrote:

> Domenico, Tim,
>
> I've figured it out.
>
> On further investigation, the kubernetes command params included the
> following :
>
>
> -javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml
> -Dcom.sun.management.jmxremote=true
> -Dcom.sun.management.jmxremote.port=1099
> -Dcom.sun.management.jmxremote.rmi.port=1098
> -Dcom.sun.management.jmxremote.ssl=false
> -Dcom.sun.management.jmxremote.authenticate=false
>
> but the docker command params did not.
>
> This was due to setting the ENABLE_JMX option supported by this Docker
> image.
>
> Seems that these parameters altered Hawtio's behaviour -
> -Dcom.sun.management.jmxremote.authenticate=false perhaps?
>
> Thanks for all of your help,
>
>
> Dave
>
>
>
> On Mon, 6 Dec 2021 at 10:33, David Martin <da...@qoritek.com> wrote:
>
> > Hi Domenico,
> >
> > root@artemis-0:/var/lib/artemis/etc# ls -l
> > total 44
> > -rw-r--r-- 1 artemis artemis   992 Dec  6 10:17 artemis-roles.properties
> > -rw-r--r-- 1 artemis artemis  1192 Dec  6 10:17 artemis-users.properties
> > -rw-r--r-- 1 artemis artemis  3880 Dec  6 10:17 artemis.profile
> > -rw-r--r-- 1 artemis artemis  1495 Dec  3 14:30 bootstrap.xml
> > -rw-r--r-- 1 root    root    11395 Dec  6 10:17 broker.xml
> > -rw-r--r-- 1 artemis artemis  1448 Dec  6 10:17 jolokia-access.xml
> > -rw-r--r-- 1 artemis artemis  3942 Dec  6 10:17 logging.properties
> > -rw-r--r-- 1 artemis artemis  1086 Dec  3 14:30 login.config
> > -rw-r--r-- 1 artemis artemis  2466 Dec  6 10:17 management.xml
> >
> > Attached the contents of this folder as requested. The same works as
> > expected with Docker but not with k8s.
> >
> >
> > Thanks,
> >
> > Dave
> >
> >
> >
> > On Fri, 3 Dec 2021 at 16:45, Domenico Francesco Bruscino <
> > bruscinodf@gmail.com> wrote:
> >
> >> Hi Dave,
> >>
> >> could you get the artemis etc folder from your kubernetes container
> >> and share it?
> >>
> >> Thanks,
> >> Domenico
> >>
> >>
> >> On Fri, 3 Dec 2021 at 17:17, David Martin <da...@qoritek.com> wrote:
> >>
> >> > Hi Domenico,
> >> >
> >> > Thanks - after further experimentation it appears to be related to
> >> > Kubernetes but it's pretty baffling (to me at least). It works in
> >> Docker.
> >> >
> >> > The build steps are essentially the same as yours, executed via a
> >> > Dockerfile (
> >> >
> >> >
> >>
> https://github.com/vromero/activemq-artemis-docker/blob/master/src/Dockerfile
> >> > )
> >> > -
> >> >
> >> > "/opt/apache-artemis-${ACTIVEMQ_ARTEMIS_VERSION}/bin/artemis" create
> >> > artemis \
> >> > --home /opt/apache-artemis \
> >> > --user artemis \
> >> > --password simetraehcapa \
> >> > --role amq \
> >> > --require-login \
> >> > --cluster-user artemisCluster \
> >> > --cluster-password simetraehcaparetsulc ; \
> >> > The only other thing it changes is binding to 0.0.0.0 in Jolokia
> >> instead of
> >> > localhost.
> >> >
> >> > Then I have sed commands quite similar to yours.
> >> >
> >> > sed -i "s#\(HAWTIO_ROLE='amq\)#\1,amqro,monitor#" artemis.profile
> >> > sed -i 's#\(<access method="\(list\|get\|is\)\*"
> >> roles="amq\)"#\1,amqro"#;
> >> >         s#\(\.activemq\.artemis">\)#\1\n            <access
> >> > method="isActive" roles="amq,amqro,monitor"/>#' management.xml
> >> > sed -i 's#\(<restrict>\)#\1\n  <remote>\n    <host>127.0.0.1</host>\n
> >> >  <host>localhost</host>\n    <host>10.0.0.0/8</host> \
> >> >     <host>172.16.0.0/12</host>\n    <host>192.168.0.0/16</host>\n
> >> >  </remote>#' jolokia-access.xml
> >> >
> >> > When I run the image in docker, it works. The API works as per your
> >> > examples and when I use the console as the monitor user, everything is
> >> > locked down except for the Active property in JMX.
> >> >
> >> > When I run it in Kubernetes with the same image and env vars
> (accessing
> >> via
> >> > a nodeport or via kubectl port-forward) it doesn't. Any API method is
> >> > accessible and the console functionality is unlocked regardless of my
> >> user,
> >> > although in the JMX tab I cannot invoke any operations (though I can
> >> view
> >> > all the properties). If I put debugging on jaas I can see it
> >> authenticating
> >> > the right user.
> >> >
> >> > I guess you may not want to help with a 3rd party docker image. I may
> >> have
> >> > to resort to an NGINX sidecar to get the user name from the
> >> Authorization
> >> > header and filter it that way!
> >> >
> >> > I've tried building versions 2.16 and 2.18, same outcome.
> >> >
> >> >
> >> > Many thanks,
> >> >
> >> > Dave
> >> >
> >> >
> >> >
> >> >
> >> > On Thu, 2 Dec 2021 at 21:45, Domenico Francesco Bruscino <
> >> > bruscinodf@gmail.com> wrote:
> >> >
> >> > > Hi Dave,
> >> > >
> >> > > I'm not able to reproduce your issue executing the following steps:
> >> > >
> >> > > 1) create a new broker instance:
> >> > > ./bin/artemis create broker --user admin --password admin
> >> --require-login
> >> > >
> >> > > 2) add test user with monitor role
> >> > > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> >> > > echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties
> >> > >
> >> > > 3) add rtest user with amqro role
> >> > > echo -e "\nrtest = rtest" >> ./broker/etc/artemis-users.properties
> >> > > echo -e "\namqro = rtest" >> ./broker/etc/artemis-roles.properties
> >> > >
> >> > > 4) add the monitor role to HAWTIO_ROLE in artemis.profile
> >> > > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,amqro,monitor'/"
> >> > > ./broker/etc/artemis.profile
> >> > >
> >> > > 5) add the access for the isActive method in management.xml
> >> > > sed -i
> >> > >
> 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\
> >> > > method="isActive"\ roles="amq,monitor"\/>/'
> >> ./broker/etc/management.xml
> >> > >
> >> > > 6) add the access for amqro in management.xml
> >> > > sed -i 's/amq/amq,amqro/' ./broker/etc/management.xml
> >> > >
> >> > > 7) run the broker
> >> > > ./broker/bin/artemis run
> >> > >
> >> > > 8) read the Active attribute with test user (monitor role)
> >> > > curl -H "Origin:http://localhost:8161" -u test:test
> >> > >
> >> > >
> >> >
> >>
> http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\
> >> > > "0.0.0.0\"/Active
> >> > >
> >> > >
> >> >
> >>
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
> >> > >
> >> > > 9) read the AddressMemoryUsage attribute with test user (monitor
> role)
> >> > > curl -H "Origin:http://localhost:8161" -u test:test
> >> > >
> >> > >
> >> >
> >>
> http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\
> >> > > "0.0.0.0\"/AddressMemoryUsage
> >> > >
> >> > >
> >> >
> >>
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"error_type":"java.lang.Exception","error":"java.lang.Exception
> >> > > : User not authorized to access attribute:
> >> > > AddressMemoryUsage","status":403}
> >> > >
> >> > > 10) read the AddressMemoryUsage attribute with rtest user (amqro
> role)
> >> > > curl -H "Origin:http://localhost:8161" -u rtest:rtest
> >> > >
> >> > >
> >> >
> >>
> http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\
> >> > > "0.0.0.0\"/AddressMemoryUsage
> >> > >
> >> > >
> >> >
> >>
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638481397,"status":200}
> >> > >
> >> > > Could you add the steps to reproduce your issue?
> >> > >
> >> > > Regards,
> >> > > Domenico
> >> > >
> >> > > On Thu, 2 Dec 2021 at 13:43, David Martin <da...@qoritek.com>
> wrote:
> >> > >
> >> > > > Hi Domenico,
> >> > > >
> >> > > > Following up on this I decided to try adding a readonly console
> user
> >> > with
> >> > > > the role "amqro" and that is when I discovered that the users in
> >> > > > HAWTIO_ROLE have unencumbered access to both the console and the
> >> > Jolokia
> >> > > > REST API.
> >> > > >
> >> > > > 1/ Even the user with the monitor role can log in to the console
> >> and do
> >> > > > things like delete queues and connections.
> >> > > >
> >> > > > 2/ User with monitor role able to invoke other methods than
> /Active
> >> > e.g.
> >> > > > /AddressMemoryUsage (verified username/password with base64 -d) -
> >> > > >
> >> > > > $ curl -H 'Origin: $(hostname -i)' -H 'Authorization: Basic
> xxxxx' '
> >> > > >
> >> > > >
> >> > >
> >> >
> >>
> http://localhost:31161/console/jolokia/read/org.apache.activemq.artemis:broker=!%22artemis-0!%22/AddressMemoryUsage
> >> > > > '
> >> > > >
> >> > > >
> >> > >
> >> >
> >>
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"artemis-0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638448344,"status":200}
> >> > > >
> >> > > > 3/ management.xml -
> >> > > >
> >> > > > <management-context xmlns="http://activemq.org/schema">
> >> > > >    <!--<connector connector-port="1099"/>-->
> >> > > >    <authorisation>
> >> > > >       <whitelist>
> >> > > >          <entry domain="hawtio"/>
> >> > > >       </whitelist>
> >> > > >       <default-access>
> >> > > >          <access method="list*" roles="amq,amqro"/>
> >> > > >          <access method="get*" roles="amq,amqro"/>
> >> > > >          <access method="is*" roles="amq,amqro"/>
> >> > > >          <access method="set*" roles="amq"/>
> >> > > >          <access method="*" roles="amq"/>
> >> > > >       </default-access>
> >> > > >       <role-access>
> >> > > >          <match domain="org.apache.activemq.artemis">
> >> > > >             <access method="isActive" roles="amq,amqro,monitor"/>
> >> > > >             <access method="list*" roles="amq,amqro"/>
> >> > > >             <access method="get*" roles="amq,amqro"/>
> >> > > >             <access method="is*" roles="amq,amqro"/>
> >> > > >             <access method="set*" roles="amq"/>
> >> > > >             <access method="*" roles="amq"/>
> >> > > >          </match>
> >> > > >          <!--example of how to configure a specific object-->
> >> > > >          <!--<match domain="org.apache.activemq.artemis"
> >> > > > key="subcomponent=queues">
> >> > > >             <access method="list*" roles="view,update,amq"/>
> >> > > >             <access method="get*" roles="view,update,amq"/>
> >> > > >             <access method="is*" roles="view,update,amq"/>
> >> > > >             <access method="set*" roles="update,amq"/>
> >> > > >             <access method="*" roles="amq"/>
> >> > > >          </match>-->
> >> > > >       </role-access>
> >> > > >    </authorisation>
> >> > > > </management-context>
> >> > > >
> >> > > > 4/ artemis-profile -
> >> > > >
> >> > > > # Hawtio Properties
> >> > > > HAWTIO_ROLE='amq,amqro,monitor'
> >> > > >
> >> > > > # Java Opts
> >> > > > if [ -z "$JAVA_ARGS" ]; then
> >> > > >  JAVA_ARGS="$BROKER_CONFIGS
> >> > > >
> >> > > >
> >> > >
> >> >
> >>
> -javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml
> >> > > > -Dcom.sun.management.jmxremote=true
> >> > > > -Dcom.sun.management.jmxremote.port=1099
> >> > > > -Dcom.sun.management.jmxremote.rmi.port=1098
> >> > > > -Dcom.sun.management.jmxremote.ssl=false
> >> > > > -Dcom.sun.management.jmxremote.authenticate=false
> >> -Dipv4addr=$(hostname
> >> > > -f)
> >> > > > -Ddomain=artemis-headless.sis-247.svc.cluster.local
> >> > > > -Dcluster.password=2b186afe-4e99-4a33-a47f-042df1fadd1d
> >> > > > -Dcrmt.poll.cron=0_0/2_*_*_*_? -Dcrmt.jwt=mockDoesNotCheckIt
> >> > > > -Dpage.size=2097152 -Dpaging.threshold=10485760
> >> > > > -Dmin.large.message.size=204800
> >> -Dsecurity.invalidation.interval=600000
> >> > > > -Dhawtio.authenticationEnabled=true
> >> -Djava.net.preferIPv4Addresses=true
> >> > > > -Djava.net.preferIPv4Stack=true -XX:+UnlockExperimentalVMOptions
> >> > > > -XX:+UseCGroupMemoryLimitForHeap -XX:MaxRAMFraction=2
> >> > > >  -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+UseStringDeduplication
> >> > > > -Dhawtio.disableProxy=true -Dhawtio.realm=activemq
> >> > -Dhawtio.offline=true
> >> > > >
> >> > > >
> >> > >
> >> >
> >>
> -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal
> >> > > >
> >> -Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml"
> >> > > > fi
> >> > > >
> >> > > > Do you or anyone in this group have any suggestions on how the
> >> monitor
> >> > > (and
> >> > > > amqro) roles can be actually restricted? I tried adding
> >> > > > -Dhawtio.authenticationEnabled=true but that had no effect.
> >> > > >
> >> > > >
> >> > > > Thanks for your help,
> >> > > >
> >> > > >
> >> > > > Dave
> >> > > >
> >> > > >
> >> > > >
> >> > > > On Thu, 18 Nov 2021 at 21:34, Domenico Francesco Bruscino <
> >> > > > bruscinodf@gmail.com> wrote:
> >> > > >
> >> > > > > Hi Dave,
> >> > > > >
> >> > > > > you need to add the monitor role to HAWTIO_ROLE in
> artemis.profile
> >> > and
> >> > > > the
> >> > > > > access for the isActive method in management.xml.
> >> > > > >
> >> > > > > Execute the following steps to get a working example:
> >> > > > >
> >> > > > > 1) create a new broker instance:
> >> > > > > ./bin/artemis create broker --user admin --password admin
> >> > > --require-login
> >> > > > >
> >> > > > > 2) add test user with monitor role
> >> > > > > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> >> > > > > echo -e "\nmonitor = test" >>
> >> ./broker/etc/artemis-roles.properties
> >> > > > >
> >> > > > > 3) add the monitor role to HAWTIO_ROLE in artemis.profile
> >> > > > > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,monitor'/"
> >> > > > > ./broker/etc/artemis.profile
> >> > > > >
> >> > > > > 4) add the access for the isActive method in management.xml
> >> > > > > sed -i
> >> > > > >
> >> > 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\
> >> > > > > method="isActive"\ roles="amq,monitor"\/>/'
> >> > ./broker/etc/management.xml
> >> > > > >
> >> > > > > 5) run the broker
> >> > > > > ./broker/bin/artemis run
> >> > > > >
> >> > > > > 6) read the Active attribute
> >> > > > > curl -H "Origin:http://localhost:8161" -u test:test
> >> > > > >
> >> > > > >
> >> > > >
> >> > >
> >> >
> >>
> http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\
> >> > > > > "0.0.0.0\"/Active
> >> > > > >
> >> > > > >
> >> > > >
> >> > >
> >> >
> >>
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
> >> > > > >
> >> > > > > Regards,
> >> > > > > Domenico
> >> > > > >
> >> > > > > On Thu, 18 Nov 2021 at 18:16, David Martin <da...@qoritek.com>
> >> > wrote:
> >> > > > >
> >> > > > > > Hi all,
> >> > > > > >
> >> > > > > > I'm trying to configure role access via the Jolokia REST API
> for
> >> > the
> >> > > > > single
> >> > > > > > attribute "Active" on the "org.apache.activemq.artemis"
> domain.
> >> > > > > >
> >> > > > > > I have a user with a role "monitor" and want them to be able
> to
> >> > > access
> >> > > > > > nothing but the above attribute via e.g.
> >> > > > > >
> >> /console/jolokia/read/org.apache.activemq.artemis:broker=*/Active.
> >> > > The
> >> > > > > > manual regarding management.xml is clear about *method *access
> >> e.g.
> >> > > > > "get*"
> >> > > > > > but has no examples for *attribute *access.
> >> > > > > >
> >> > > > > > Having spent about an hour on it I'm really stuck. Any help
> >> would
> >> > be
> >> > > > > > appreciated.
> >> > > > > >
> >> > > > > >
> >> > > > > > Cheers,
> >> > > > > >
> >> > > > > > Dave
> >> > > > > >
> >> > > > >
> >> > > >
> >> > >
> >> >
> >>
> >
>

Re: Artemis - management.xml

Posted by David Martin <da...@qoritek.com>.
Domenico, Tim,

I've figured it out.

On further investigation, the kubernetes command params included the
following :

-javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml
-Dcom.sun.management.jmxremote=true
-Dcom.sun.management.jmxremote.port=1099
-Dcom.sun.management.jmxremote.rmi.port=1098
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false

but the docker command params did not.

This was due to setting the ENABLE_JMX option supported by this Docker
image.

Seems that these parameters altered Hawtio's behaviour -
-Dcom.sun.management.jmxremote.authenticate=false perhaps?

Thanks for all of your help,


Dave



On Mon, 6 Dec 2021 at 10:33, David Martin <da...@qoritek.com> wrote:

> Hi Domenico,
>
> root@artemis-0:/var/lib/artemis/etc# ls -l
> total 44
> -rw-r--r-- 1 artemis artemis   992 Dec  6 10:17 artemis-roles.properties
> -rw-r--r-- 1 artemis artemis  1192 Dec  6 10:17 artemis-users.properties
> -rw-r--r-- 1 artemis artemis  3880 Dec  6 10:17 artemis.profile
> -rw-r--r-- 1 artemis artemis  1495 Dec  3 14:30 bootstrap.xml
> -rw-r--r-- 1 root    root    11395 Dec  6 10:17 broker.xml
> -rw-r--r-- 1 artemis artemis  1448 Dec  6 10:17 jolokia-access.xml
> -rw-r--r-- 1 artemis artemis  3942 Dec  6 10:17 logging.properties
> -rw-r--r-- 1 artemis artemis  1086 Dec  3 14:30 login.config
> -rw-r--r-- 1 artemis artemis  2466 Dec  6 10:17 management.xml
>
> Attached the contents of this folder as requested. The same works as
> expected with Docker but not with k8s.
>
>
> Thanks,
>
> Dave
>
>
>
> On Fri, 3 Dec 2021 at 16:45, Domenico Francesco Bruscino <
> bruscinodf@gmail.com> wrote:
>
>> Hi Dave,
>>
>> could you get the artemis etc folder from your kubernetes container
>> and share it?
>>
>> Thanks,
>> Domenico
>>
>>
>> On Fri, 3 Dec 2021 at 17:17, David Martin <da...@qoritek.com> wrote:
>>
>> > Hi Domenico,
>> >
>> > Thanks - after further experimentation it appears to be related to
>> > Kubernetes but it's pretty baffling (to me at least). It works in
>> Docker.
>> >
>> > The build steps are essentially the same as yours, executed via a
>> > Dockerfile (
>> >
>> >
>> https://github.com/vromero/activemq-artemis-docker/blob/master/src/Dockerfile
>> > )
>> > -
>> >
>> > "/opt/apache-artemis-${ACTIVEMQ_ARTEMIS_VERSION}/bin/artemis" create
>> > artemis \
>> > --home /opt/apache-artemis \
>> > --user artemis \
>> > --password simetraehcapa \
>> > --role amq \
>> > --require-login \
>> > --cluster-user artemisCluster \
>> > --cluster-password simetraehcaparetsulc ; \
>> > The only other thing it changes is binding to 0.0.0.0 in Jolokia
>> instead of
>> > localhost.
>> >
>> > Then I have sed commands quite similar to yours.
>> >
>> > sed -i "s#\(HAWTIO_ROLE='amq\)#\1,amqro,monitor#" artemis.profile
>> > sed -i 's#\(<access method="\(list\|get\|is\)\*" roles="amq\)"#\1,amqro"#;
>> >         s#\(\.activemq\.artemis">\)#\1\n            <access method="isActive" roles="amq,amqro,monitor"/>#' management.xml
>> > sed -i 's#\(<restrict>\)#\1\n  <remote>\n    <host>127.0.0.1</host>\n
>> >  <host>localhost</host>\n    <host>10.0.0.0/8</host> \
>> >     <host>172.16.0.0/12</host>\n    <host>192.168.0.0/16</host>\n
>> >  </remote>#' jolokia-access.xml
>> >
>> > When I run the image in docker, it works. The API works as per your
>> > examples and when I use the console as the monitor user, everything is
>> > locked down except for the Active property in JMX.
>> >
>> > When I run it in Kubernetes with the same image and env vars (accessing
>> via
>> > a nodeport or via kubectl port-forward) it doesn't. Any API method is
>> > accessible and the console functionality is unlocked regardless of my
>> user,
>> > although in the JMX tab I cannot invoke any operations (though I can
>> view
>> > all the properties). If I put debugging on jaas I can see it
>> authenticating
>> > the right user.
>> >
>> > I guess you may not want to help with a 3rd party docker image. I may
>> have
>> > to resort to an NGINX sidecar to get the user name from the
>> Authorization
>> > header and filter it that way!
>> >
>> > I've tried building versions 2.16 and 2.18, same outcome.
>> >
>> >
>> > Many thanks,
>> >
>> > Dave
>> >
>> >
>> >
>> >
>> > On Thu, 2 Dec 2021 at 21:45, Domenico Francesco Bruscino <
>> > bruscinodf@gmail.com> wrote:
>> >
>> > > Hi Dave,
>> > >
>> > > I'm not able to reproduce your issue executing the following steps:
>> > >
>> > > 1) create a new broker instance:
>> > > ./bin/artemis create broker --user admin --password admin --require-login
>> > >
>> > > 2) add test user with monitor role
>> > > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
>> > > echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties
>> > >
>> > > 3) add rtest user with amqro role
>> > > echo -e "\nrtest = rtest" >> ./broker/etc/artemis-users.properties
>> > > echo -e "\namqro = rtest" >> ./broker/etc/artemis-roles.properties
>> > >
>> > > 4) add the monitor role to HAWTIO_ROLE in artemis.profile
>> > > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,amqro,monitor'/"
>> > > ./broker/etc/artemis.profile
>> > >
>> > > 5) add the access for the isActive method in management.xml
>> > > sed -i 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\ method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml
>> > >
>> > > 6) add the access for amqro in management.xml
>> > > sed -i 's/amq/amq,amqro/' ./broker/etc/management.xml
>> > >
>> > > 5) run the broker
>> > > ./broker/bin/artemis run
>> > >
>> > > 6) read the Active attribute with test user (monitor role)
>> > > curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/Active
>> > >
>> > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
>> > >
>> > > 7) read the AddressMemoryUsage attribute with test user (monitor role)
>> > > curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/AddressMemoryUsage
>> > >
>> > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"error_type":"java.lang.Exception","error":"java.lang.Exception : User not authorized to access attribute: AddressMemoryUsage","status":403}
>> > >
>> > > 7) read the AddressMemoryUsage attribute with rtest user (amqro role)
>> > > curl -H "Origin:http://localhost:8161" -u rtest:rtest http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/AddressMemoryUsage
>> > >
>> > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638481397,"status":200}
>> > >
>> > > Could you add the steps to reproduce your issue?
>> > >
>> > > Regards,
>> > > Domenico
>> > >
>> > > On Thu, 2 Dec 2021 at 13:43, David Martin <da...@qoritek.com> wrote:
>> > >
>> > > > Hi Domenico,
>> > > >
>> > > > Following up on this I decided to try adding a readonly console user
>> > with
>> > > > the role "amqro" and that is when I discovered that the users in
>> > > > HAWTIO_ROLE have unencumbered access to both the console and the
>> > Jolokia
>> > > > REST API.
>> > > >
>> > > > 1/ Even the user with the monitor role can log in to the console
>> and do
>> > > > things like delete queues and connections.
>> > > >
>> > > > 2/ User with monitor role able to invoke other methods than /Active
>> > e.g.
>> > > > /AddressMemoryUsage (verified username/password with base64 -d) -
>> > > >
>> > > > $ curl -H 'Origin: $(hostname -i)' -H 'Authorization: Basic xxxxx' 'http://localhost:31161/console/jolokia/read/org.apache.activemq.artemis:broker=!%22artemis-0!%22/AddressMemoryUsage'
>> > > >
>> > > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"artemis-0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638448344,"status":200}
>> > > >
>> > > > 3/ management.xml -
>> > > >
>> > > > <management-context xmlns="http://activemq.org/schema">
>> > > >    <!--<connector connector-port="1099"/>-->
>> > > >    <authorisation>
>> > > >       <whitelist>
>> > > >          <entry domain="hawtio"/>
>> > > >       </whitelist>
>> > > >       <default-access>
>> > > >          <access method="list*" roles="amq,amqro"/>
>> > > >          <access method="get*" roles="amq,amqro"/>
>> > > >          <access method="is*" roles="amq,amqro"/>
>> > > >          <access method="set*" roles="amq"/>
>> > > >          <access method="*" roles="amq"/>
>> > > >       </default-access>
>> > > >       <role-access>
>> > > >          <match domain="org.apache.activemq.artemis">
>> > > >             <access method="isActive" roles="amq,amqro,monitor"/>
>> > > >             <access method="list*" roles="amq,amqro"/>
>> > > >             <access method="get*" roles="amq,amqro"/>
>> > > >             <access method="is*" roles="amq,amqro"/>
>> > > >             <access method="set*" roles="amq"/>
>> > > >             <access method="*" roles="amq"/>
>> > > >          </match>
>> > > >          <!--example of how to configure a specific object-->
>> > > >          <!--<match domain="org.apache.activemq.artemis"
>> > > > key="subcomponent=queues">
>> > > >             <access method="list*" roles="view,update,amq"/>
>> > > >             <access method="get*" roles="view,update,amq"/>
>> > > >             <access method="is*" roles="view,update,amq"/>
>> > > >             <access method="set*" roles="update,amq"/>
>> > > >             <access method="*" roles="amq"/>
>> > > >          </match>-->
>> > > >       </role-access>
>> > > >    </authorisation>
>> > > > </management-context>
>> > > >
>> > > > 4/ artemis-profile -
>> > > >
>> > > > # Hawtio Properties
>> > > > HAWTIO_ROLE='amq,amqro,monitor'
>> > > >
>> > > > # Java Opts
>> > > > if [ -z "$JAVA_ARGS" ]; then
>> > > >  JAVA_ARGS="$BROKER_CONFIGS
>> > > > -javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml
>> > > > -Dcom.sun.management.jmxremote=true
>> > > > -Dcom.sun.management.jmxremote.port=1099
>> > > > -Dcom.sun.management.jmxremote.rmi.port=1098
>> > > > -Dcom.sun.management.jmxremote.ssl=false
>> > > > -Dcom.sun.management.jmxremote.authenticate=false
>> > > > -Dipv4addr=$(hostname -f)
>> > > > -Ddomain=artemis-headless.sis-247.svc.cluster.local
>> > > > -Dcluster.password=2b186afe-4e99-4a33-a47f-042df1fadd1d
>> > > > -Dcrmt.poll.cron=0_0/2_*_*_*_? -Dcrmt.jwt=mockDoesNotCheckIt
>> > > > -Dpage.size=2097152 -Dpaging.threshold=10485760
>> > > > -Dmin.large.message.size=204800 -Dsecurity.invalidation.interval=600000
>> > > > -Dhawtio.authenticationEnabled=true -Djava.net.preferIPv4Addresses=true
>> > > > -Djava.net.preferIPv4Stack=true -XX:+UnlockExperimentalVMOptions
>> > > > -XX:+UseCGroupMemoryLimitForHeap -XX:MaxRAMFraction=2
>> > > > -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+UseStringDeduplication
>> > > > -Dhawtio.disableProxy=true -Dhawtio.realm=activemq -Dhawtio.offline=true
>> > > > -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal
>> > > > -Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml"
>> > > > fi
>> > > >
>> > > > Do you or anyone in this group have any suggestions on how the
>> monitor
>> > > (and
>> > > > amqro) roles can be actually restricted? I tried adding
>> > > > -Dhawtio.authenticationEnabled=true but that had no effect.
>> > > >
>> > > >
>> > > > Thanks for your help,
>> > > >
>> > > >
>> > > > Dave
>> > > >
>> > > >
>> > > >
>> > > > On Thu, 18 Nov 2021 at 21:34, Domenico Francesco Bruscino <
>> > > > bruscinodf@gmail.com> wrote:
>> > > >
>> > > > > Hi Dave,
>> > > > >
>> > > > > you need to add the monitor role to HAWTIO_ROLE in artemis.profile
>> > and
>> > > > the
>> > > > > access for the isActive method in management.xml.
>> > > > >
>> > > > > Execute the following steps to get a working example:
>> > > > >
>> > > > > 1) create a new broker instance:
>> > > > > ./bin/artemis create broker --user admin --password admin --require-login
>> > > > >
>> > > > > 2) add test user with monitor role
>> > > > > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
>> > > > > echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties
>> > > > >
>> > > > > 3) add the monitor role to HAWTIO_ROLE in artemis.profile
>> > > > > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,monitor'/"
>> > > > > ./broker/etc/artemis.profile
>> > > > >
>> > > > > 4) add the access for the isActive method in management.xml
>> > > > > sed -i 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\ method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml
>> > > > >
>> > > > > 5) run the broker
>> > > > > ./broker/bin/artemis run
>> > > > >
>> > > > > 6) read the Active attribute
>> > > > > curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/Active
>> > > > >
>> > > > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
>> > > > >
>> > > > > Regards,
>> > > > > Domenico
>> > > > >
>> > > > > On Thu, 18 Nov 2021 at 18:16, David Martin <da...@qoritek.com>
>> > wrote:
>> > > > >
>> > > > > > Hi all,
>> > > > > >
>> > > > > > I'm trying to configure role access via the Jolokia REST API for
>> > the
>> > > > > single
>> > > > > > attribute "Active" on the "org.apache.activemq.artemis" domain.
>> > > > > >
>> > > > > > I have a user with a role "monitor" and want them to be able to
>> > > access
>> > > > > > nothing but the above attribute via e.g.
>> > > > > >
>> /console/jolokia/read/org.apache.activemq.artemis:broker=*/Active.
>> > > The
>> > > > > > manual regarding management.xml is clear about *method *access
>> e.g.
>> > > > > "get*"
>> > > > > > but has no examples for *attribute *access.
>> > > > > >
>> > > > > > Having spent about an hour on it I'm really stuck. Any help
>> would
>> > be
>> > > > > > appreciated.
>> > > > > >
>> > > > > >
>> > > > > > Cheers,
>> > > > > >
>> > > > > > Dave
>> > > > > >
>> > > > >
>> > > >
>> > >
>> >
>>
>
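
Dave's resolution above came down to the JVM flags that the image's ENABLE_JMX option adds to the pod's command line. Whatever their effect on Hawtio's role handling turns out to be, a remote JMX port started with `-Dcom.sun.management.jmxremote.authenticate=false` and `ssl=false` is a finding on its own, and it is the kind of drift between a Docker run and a Kubernetes deployment that is easy to miss. The script below is an added check written for this thread, not part of Artemis or of the Docker image: it parses a JAVA_ARGS string and reports the remote-management settings a reviewer would want flagged. The two sample argument strings are constructed from the flags quoted in the thread, with the cluster password and site-specific properties left out, and the `file:` URI for `jolokia.policyLocation` is an assumed value.

```python
import shlex

# Constructed samples modelled on the JAVA_ARGS quoted in this thread, with the
# cluster password and site-specific properties left out. The first is what the
# pod ran with ENABLE_JMX set; the second is the plain Docker run without it.
# The file: URI for jolokia.policyLocation is an assumed value.
K8S_JAVA_ARGS = (
    "-javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml "
    "-Dcom.sun.management.jmxremote=true "
    "-Dcom.sun.management.jmxremote.port=1099 "
    "-Dcom.sun.management.jmxremote.rmi.port=1098 "
    "-Dcom.sun.management.jmxremote.ssl=false "
    "-Dcom.sun.management.jmxremote.authenticate=false "
    "-Dhawtio.authenticationEnabled=true -Dhawtio.realm=activemq "
    "-Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal "
    "-Djolokia.policyLocation=file:/var/lib/artemis/etc/jolokia-access.xml"
)
DOCKER_JAVA_ARGS = (
    "-Dhawtio.authenticationEnabled=true -Dhawtio.realm=activemq "
    "-Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal "
    "-Djolokia.policyLocation=file:/var/lib/artemis/etc/jolokia-access.xml"
)


def system_properties(java_args):
    """-Dname=value tokens as a dict; a bare -Dname maps to "" as the JVM does."""
    props = {}
    for tok in shlex.split(java_args):
        if tok.startswith("-D"):
            name, _, value = tok[2:].partition("=")
            props[name] = value
    return props


def audit_management_exposure(java_args):
    """Return (severity, message) pairs for the remote-management settings in java_args."""
    props = system_properties(java_args)
    findings = []
    jmx_port = props.get("com.sun.management.jmxremote.port")
    if jmx_port is not None:
        # The JVM defaults both of these to true; only an explicit "false" turns them off.
        if props.get("com.sun.management.jmxremote.authenticate", "true") == "false":
            findings.append(("high", f"remote JMX on port {jmx_port} accepts connections without authentication"))
        if props.get("com.sun.management.jmxremote.ssl", "true") == "false":
            findings.append(("medium", f"remote JMX on port {jmx_port} is not protected by TLS"))
    if props.get("hawtio.authenticationEnabled", "true").lower() != "true":
        findings.append(("high", "Hawtio console authentication is disabled"))
    if "hawtio.rolePrincipalClasses" not in props:
        findings.append(("medium", "hawtio.rolePrincipalClasses is unset, so Hawtio cannot map JAAS principals to roles"))
    if "jolokia.policyLocation" not in props:
        findings.append(("low", "jolokia.policyLocation is unset; confirm which Jolokia access policy, if any, applies"))
    for tok in shlex.split(java_args):
        if tok.startswith("-javaagent:") and "jmx_prometheus_javaagent" in tok:
            port = tok.split("=", 1)[1].split(":", 1)[0]   # -javaagent:<jar>=<port>:<config>
            findings.append(("info", f"Prometheus JMX exporter agent listens on port {port}"))
    return findings


if __name__ == "__main__":
    for label, args in (("kubernetes", K8S_JAVA_ARGS), ("docker", DOCKER_JAVA_ARGS)):
        print(label)
        for severity, message in audit_management_exposure(args) or [("ok", "nothing flagged")]:
            print(f"  [{severity}] {message}")
```

Run against the two samples, the Kubernetes arguments produce the two JMX findings plus the exporter port, and the Docker arguments produce nothing, which is the difference Dave observed between the two environments. Feeding it the real command line of a running container (for example the output of `ps -o args=` inside the pod) makes the same comparison for any deployment.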

Re: Artemis - management.xml

Posted by David Martin <da...@qoritek.com>.
Hi Domenico,

root@artemis-0:/var/lib/artemis/etc# ls -l
total 44
-rw-r--r-- 1 artemis artemis   992 Dec  6 10:17 artemis-roles.properties
-rw-r--r-- 1 artemis artemis  1192 Dec  6 10:17 artemis-users.properties
-rw-r--r-- 1 artemis artemis  3880 Dec  6 10:17 artemis.profile
-rw-r--r-- 1 artemis artemis  1495 Dec  3 14:30 bootstrap.xml
-rw-r--r-- 1 root    root    11395 Dec  6 10:17 broker.xml
-rw-r--r-- 1 artemis artemis  1448 Dec  6 10:17 jolokia-access.xml
-rw-r--r-- 1 artemis artemis  3942 Dec  6 10:17 logging.properties
-rw-r--r-- 1 artemis artemis  1086 Dec  3 14:30 login.config
-rw-r--r-- 1 artemis artemis  2466 Dec  6 10:17 management.xml

Attached the contents of this folder as requested. The same works as
expected with Docker but not with k8s.


Thanks,

Dave



On Fri, 3 Dec 2021 at 16:45, Domenico Francesco Bruscino <
bruscinodf@gmail.com> wrote:

> Hi Dave,
>
> could you get the artemis etc folder from your kubernetes container
> and share it?
>
> Thanks,
> Domenico
>
>
> On Fri, 3 Dec 2021 at 17:17, David Martin <da...@qoritek.com> wrote:
>
> > Hi Domenico,
> >
> > Thanks - after further experimentation it appears to be related to
> > Kubernetes but it's pretty baffling (to me at least). It works in Docker.
> >
> > The build steps are essentially the same as yours, executed via a
> > Dockerfile (
> >
> >
> https://github.com/vromero/activemq-artemis-docker/blob/master/src/Dockerfile
> > )
> > -
> >
> > "/opt/apache-artemis-${ACTIVEMQ_ARTEMIS_VERSION}/bin/artemis" create
> > artemis \
> > --home /opt/apache-artemis \
> > --user artemis \
> > --password simetraehcapa \
> > --role amq \
> > --require-login \
> > --cluster-user artemisCluster \
> > --cluster-password simetraehcaparetsulc ; \
> > The only other thing it changes is binding to 0.0.0.0 in Jolokia instead
> of
> > localhost.
> >
> > Then I have sed commands quite similar to yours.
> >
> > sed -i "s#\(HAWTIO_ROLE='amq\)#\1,amqro,monitor#" artemis.profile
> > sed -i 's#\(<access method="\(list\|get\|is\)\*" roles="amq\)"#\1,amqro"#;
> >         s#\(\.activemq\.artemis">\)#\1\n            <access method="isActive" roles="amq,amqro,monitor"/>#' management.xml
> > sed -i 's#\(<restrict>\)#\1\n  <remote>\n    <host>127.0.0.1</host>\n
> >  <host>localhost</host>\n    <host>10.0.0.0/8</host> \
> >     <host>172.16.0.0/12</host>\n    <host>192.168.0.0/16</host>\n
> >  </remote>#' jolokia-access.xml
> >
> > When I run the image in docker, it works. The API works as per your
> > examples and when I use the console as the monitor user, everything is
> > locked down except for the Active property in JMX.
> >
> > When I run it in Kubernetes with the same image and env vars (accessing
> via
> > a nodeport or via kubectl port-forward) it doesn't. Any API method is
> > accessible and the console functionality is unlocked regardless of my
> user,
> > although in the JMX tab I cannot invoke any operations (though I can view
> > all the properties). If I put debugging on jaas I can see it
> authenticating
> > the right user.
> >
> > I guess you may not want to help with a 3rd party docker image. I may
> have
> > to resort to an NGINX sidecar to get the user name from the Authorization
> > header and filter it that way!
> >
> > I've tried building versions 2.16 and 2.18, same outcome.
> >
> >
> > Many thanks,
> >
> > Dave
> >
> >
> >
> >
> > On Thu, 2 Dec 2021 at 21:45, Domenico Francesco Bruscino <
> > bruscinodf@gmail.com> wrote:
> >
> > > Hi Dave,
> > >
> > > I'm not able to reproduce your issue executing the following steps:
> > >
> > > 1) create a new broker instance:
> > > ./bin/artemis create broker --user admin --password admin --require-login
> > >
> > > 2) add test user with monitor role
> > > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> > > echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties
> > >
> > > 3) add rtest user with amqro role
> > > echo -e "\nrtest = rtest" >> ./broker/etc/artemis-users.properties
> > > echo -e "\namqro = rtest" >> ./broker/etc/artemis-roles.properties
> > >
> > > 4) add the monitor role to HAWTIO_ROLE in artemis.profile
> > > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,amqro,monitor'/"
> > > ./broker/etc/artemis.profile
> > >
> > > 5) add the access for the isActive method in management.xml
> > > sed -i 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\ method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml
> > >
> > > 6) add the access for amqro in management.xml
> > > sed -i 's/amq/amq,amqro/' ./broker/etc/management.xml
> > >
> > > 5) run the broker
> > > ./broker/bin/artemis run
> > >
> > > 6) read the Active attribute with test user (monitor role)
> > > curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/Active
> > >
> > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
> > >
> > > 7) read the AddressMemoryUsage attribute with test user (monitor role)
> > > curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/AddressMemoryUsage
> > >
> > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"error_type":"java.lang.Exception","error":"java.lang.Exception : User not authorized to access attribute: AddressMemoryUsage","status":403}
> > >
> > > 7) read the AddressMemoryUsage attribute with rtest user (amqro role)
> > > curl -H "Origin:http://localhost:8161" -u rtest:rtest http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/AddressMemoryUsage
> > >
> > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638481397,"status":200}
> > >
> > > Could you add the steps to reproduce your issue?
> > >
> > > Regards,
> > > Domenico
> > >
> > > On Thu, 2 Dec 2021 at 13:43, David Martin <da...@qoritek.com> wrote:
> > >
> > > > Hi Domenico,
> > > >
> > > > Following up on this I decided to try adding a readonly console user
> > with
> > > > the role "amqro" and that is when I discovered that the users in
> > > > HAWTIO_ROLE have unencumbered access to both the console and the
> > Jolokia
> > > > REST API.
> > > >
> > > > 1/ Even the user with the monitor role can log in to the console and
> do
> > > > things like delete queues and connections.
> > > >
> > > > 2/ User with monitor role able to invoke other methods than /Active
> > e.g.
> > > > /AddressMemoryUsage (verified username/password with base64 -d) -
> > > >
> > > > $ curl -H 'Origin: $(hostname -i)' -H 'Authorization: Basic xxxxx' 'http://localhost:31161/console/jolokia/read/org.apache.activemq.artemis:broker=!%22artemis-0!%22/AddressMemoryUsage'
> > > >
> > > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"artemis-0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638448344,"status":200}
> > > >
> > > > 3/ management.xml -
> > > >
> > > > <management-context xmlns="http://activemq.org/schema">
> > > >    <!--<connector connector-port="1099"/>-->
> > > >    <authorisation>
> > > >       <whitelist>
> > > >          <entry domain="hawtio"/>
> > > >       </whitelist>
> > > >       <default-access>
> > > >          <access method="list*" roles="amq,amqro"/>
> > > >          <access method="get*" roles="amq,amqro"/>
> > > >          <access method="is*" roles="amq,amqro"/>
> > > >          <access method="set*" roles="amq"/>
> > > >          <access method="*" roles="amq"/>
> > > >       </default-access>
> > > >       <role-access>
> > > >          <match domain="org.apache.activemq.artemis">
> > > >             <access method="isActive" roles="amq,amqro,monitor"/>
> > > >             <access method="list*" roles="amq,amqro"/>
> > > >             <access method="get*" roles="amq,amqro"/>
> > > >             <access method="is*" roles="amq,amqro"/>
> > > >             <access method="set*" roles="amq"/>
> > > >             <access method="*" roles="amq"/>
> > > >          </match>
> > > >          <!--example of how to configure a specific object-->
> > > >          <!--<match domain="org.apache.activemq.artemis"
> > > > key="subcomponent=queues">
> > > >             <access method="list*" roles="view,update,amq"/>
> > > >             <access method="get*" roles="view,update,amq"/>
> > > >             <access method="is*" roles="view,update,amq"/>
> > > >             <access method="set*" roles="update,amq"/>
> > > >             <access method="*" roles="amq"/>
> > > >          </match>-->
> > > >       </role-access>
> > > >    </authorisation>
> > > > </management-context>
> > > >
> > > > 4/ artemis-profile -
> > > >
> > > > # Hawtio Properties
> > > > HAWTIO_ROLE='amq,amqro,monitor'
> > > >
> > > > # Java Opts
> > > > if [ -z "$JAVA_ARGS" ]; then
> > > >  JAVA_ARGS="$BROKER_CONFIGS
> > > > -javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml
> > > > -Dcom.sun.management.jmxremote=true
> > > > -Dcom.sun.management.jmxremote.port=1099
> > > > -Dcom.sun.management.jmxremote.rmi.port=1098
> > > > -Dcom.sun.management.jmxremote.ssl=false
> > > > -Dcom.sun.management.jmxremote.authenticate=false
> > > > -Dipv4addr=$(hostname -f)
> > > > -Ddomain=artemis-headless.sis-247.svc.cluster.local
> > > > -Dcluster.password=2b186afe-4e99-4a33-a47f-042df1fadd1d
> > > > -Dcrmt.poll.cron=0_0/2_*_*_*_? -Dcrmt.jwt=mockDoesNotCheckIt
> > > > -Dpage.size=2097152 -Dpaging.threshold=10485760
> > > > -Dmin.large.message.size=204800 -Dsecurity.invalidation.interval=600000
> > > > -Dhawtio.authenticationEnabled=true -Djava.net.preferIPv4Addresses=true
> > > > -Djava.net.preferIPv4Stack=true -XX:+UnlockExperimentalVMOptions
> > > > -XX:+UseCGroupMemoryLimitForHeap -XX:MaxRAMFraction=2
> > > > -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+UseStringDeduplication
> > > > -Dhawtio.disableProxy=true -Dhawtio.realm=activemq -Dhawtio.offline=true
> > > > -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal
> > > > -Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml"
> > > > fi
> > > >
> > > > Do you or anyone in this group have any suggestions on how the
> monitor
> > > (and
> > > > amqro) roles can be actually restricted? I tried adding
> > > > -Dhawtio.authenticationEnabled=true but that had no effect.
> > > >
> > > >
> > > > Thanks for your help,
> > > >
> > > >
> > > > Dave
> > > >
> > > >
> > > >
> > > > On Thu, 18 Nov 2021 at 21:34, Domenico Francesco Bruscino <
> > > > bruscinodf@gmail.com> wrote:
> > > >
> > > > > Hi Dave,
> > > > >
> > > > > you need to add the monitor role to HAWTIO_ROLE in artemis.profile
> > and
> > > > the
> > > > > access for the isActive method in management.xml.
> > > > >
> > > > > Execute the following steps to get a working example:
> > > > >
> > > > > 1) create a new broker instance:
> > > > > ./bin/artemis create broker --user admin --password admin --require-login
> > > > >
> > > > > 2) add test user with monitor role
> > > > > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> > > > > echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties
> > > > >
> > > > > 3) add the monitor role to HAWTIO_ROLE in artemis.profile
> > > > > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,monitor'/"
> > > > > ./broker/etc/artemis.profile
> > > > >
> > > > > 4) add the access for the isActive method in management.xml
> > > > > sed -i 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\ method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml
> > > > >
> > > > > 5) run the broker
> > > > > ./broker/bin/artemis run
> > > > >
> > > > > 6) read the Active attribute
> > > > > curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/Active
> > > > >
> > > > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
> > > > >
> > > > > Regards,
> > > > > Domenico
> > > > >
> > > > > On Thu, 18 Nov 2021 at 18:16, David Martin <da...@qoritek.com>
> > wrote:
> > > > >
> > > > > > Hi all,
> > > > > >
> > > > > > I'm trying to configure role access via the Jolokia REST API for
> > the
> > > > > single
> > > > > > attribute "Active" on the "org.apache.activemq.artemis" domain.
> > > > > >
> > > > > > I have a user with a role "monitor" and want them to be able to
> > > access
> > > > > > nothing but the above attribute via e.g.
> > > > > >
> /console/jolokia/read/org.apache.activemq.artemis:broker=*/Active.
> > > The
> > > > > > manual regarding management.xml is clear about *method *access
> e.g.
> > > > > "get*"
> > > > > > but has no examples for *attribute *access.
> > > > > >
> > > > > > Having spent about an hour on it I'm really stuck. Any help would
> > be
> > > > > > appreciated.
> > > > > >
> > > > > >
> > > > > > Cheers,
> > > > > >
> > > > > > Dave
> > > > > >
> > > > >
> > > >
> > >
> >
>
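
The management.xml Dave posted in the quoted messages above, and Domenico's curl results for the test (monitor) and rtest (amqro) users, line up once the check is modelled: a Jolokia attribute read is authorized as the attribute's accessor method (isActive for the boolean Active, getAddressMemoryUsage for the rest), the `<match>` for the MBean's domain supplies the access entries (otherwise `<default-access>` does), a whitelisted domain such as hawtio is not checked at all, and an exact method entry wins over a wildcard. The script below is an added illustration written for this thread, not Artemis code; the exact-before-wildcard precedence, the handling of a match's `key` attribute and the small attribute table are assumptions of the model, taken from the behaviour the thread shows rather than from the Artemis sources. It is useful as a dry-run of a management.xml before deploying it: ask it which roles a method needs, and compare with what the live broker answers.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

NS = "{http://activemq.org/schema}"

# Constructed sample: the management.xml quoted in this thread, comments removed.
MANAGEMENT_XML = """\
<management-context xmlns="http://activemq.org/schema">
   <authorisation>
      <whitelist>
         <entry domain="hawtio"/>
      </whitelist>
      <default-access>
         <access method="list*" roles="amq,amqro"/>
         <access method="get*" roles="amq,amqro"/>
         <access method="is*" roles="amq,amqro"/>
         <access method="set*" roles="amq"/>
         <access method="*" roles="amq"/>
      </default-access>
      <role-access>
         <match domain="org.apache.activemq.artemis">
            <access method="isActive" roles="amq,amqro,monitor"/>
            <access method="list*" roles="amq,amqro"/>
            <access method="get*" roles="amq,amqro"/>
            <access method="is*" roles="amq,amqro"/>
            <access method="set*" roles="amq"/>
            <access method="*" roles="amq"/>
         </match>
      </role-access>
   </authorisation>
</management-context>
"""

# Constructed stand-in for the broker MBean's attribute metadata: True marks a
# boolean attribute exposed through an is-method (Active -> isActive), False a getter.
BROKER_ATTRIBUTES = {"Active": True, "AddressMemoryUsage": False, "Version": False}


def _access_entries(parent):
    """<access method=".." roles=".."/> children as (pattern, set of roles), in file order."""
    if parent is None:
        return []
    return [(a.get("method"), set(a.get("roles", "").split(",")))
            for a in parent.findall(NS + "access")]


def parse_policy(xml_text):
    auth = ET.fromstring(xml_text).find(NS + "authorisation")
    whitelist = auth.find(NS + "whitelist")
    role_access = auth.find(NS + "role-access")
    return {
        "whitelist": {e.get("domain") for e in whitelist.findall(NS + "entry")} if whitelist is not None else set(),
        "default": _access_entries(auth.find(NS + "default-access")),
        # (domain, key attribute or None, entries) in file order
        "matches": [(m.get("domain"), m.get("key"), _access_entries(m))
                    for m in (role_access.findall(NS + "match") if role_access is not None else [])],
    }


def roles_for(policy, object_name, method):
    """Roles allowed to invoke `method` on the MBean `object_name`.

    Returns None when the domain is whitelisted (no check at all) and an
    empty set when no entry matches.
    """
    domain, _, props = object_name.partition(":")
    if domain in policy["whitelist"]:
        return None
    key_props = {p.strip() for p in props.split(",") if p.strip()}
    entries = policy["default"]
    for match_domain, key, match_entries in policy["matches"]:
        # Model assumption: a <match> with a key attribute applies only when that
        # key=value pair is present in the ObjectName.
        if match_domain == domain and (key is None or key in key_props):
            entries = match_entries
            break
    for pattern, roles in entries:          # an exact method name wins ...
        if pattern == method:
            return roles
    for pattern, roles in entries:          # ... then the first wildcard in file order
        if fnmatchcase(method, pattern):
            return roles
    return set()


def attribute_read_method(attribute, attributes=BROKER_ATTRIBUTES):
    """A Jolokia 'read' of an attribute is checked as its accessor method."""
    return ("is" if attributes.get(attribute, False) else "get") + attribute


def can_read(policy, object_name, attribute, user_roles):
    needed = roles_for(policy, object_name, attribute_read_method(attribute))
    return True if needed is None else bool(needed & set(user_roles))


if __name__ == "__main__":
    policy = parse_policy(MANAGEMENT_XML)
    broker = 'org.apache.activemq.artemis:broker="0.0.0.0"'
    for user_roles, attribute in [(["monitor"], "Active"), (["monitor"], "AddressMemoryUsage"),
                                  (["amqro"], "AddressMemoryUsage")]:
        print(user_roles, attribute, "->", can_read(policy, broker, attribute, user_roles))
```

With the thread's policy this yields monitor/Active allowed, monitor/AddressMemoryUsage denied and amqro/AddressMemoryUsage allowed, matching Domenico's 200, 403 and 200 responses. The Kubernetes behaviour Dave described, where every read succeeds for every user, is not something this policy can produce, which is the point of dry-running it: when the live broker disagrees with the model, the cause lies outside management.xml.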

Re: Artemis - management.xml

Posted by Domenico Francesco Bruscino <br...@gmail.com>.
Hi Dave,

could you get the artemis etc folder from your kubernetes container
and share it?

Thanks,
Domenico


On Fri, 3 Dec 2021 at 17:17, David Martin <da...@qoritek.com> wrote:

> Hi Domenico,
>
> Thanks - after further experimentation it appears to be related to
> Kubernetes but it's pretty baffling (to me at least). It works in Docker.
>
> The build steps are essentially the same as yours, executed via a
> Dockerfile (
>
> https://github.com/vromero/activemq-artemis-docker/blob/master/src/Dockerfile
> )
> -
>
> "/opt/apache-artemis-${ACTIVEMQ_ARTEMIS_VERSION}/bin/artemis" create
> artemis \
> --home /opt/apache-artemis \
> --user artemis \
> --password simetraehcapa \
> --role amq \
> --require-login \
> --cluster-user artemisCluster \
> --cluster-password simetraehcaparetsulc ; \
> The only other thing it changes is binding to 0.0.0.0 in Jolokia instead of
> localhost.
>
> Then I have sed commands quite similar to yours.
>
> sed -i "s#\(HAWTIO_ROLE='amq\)#\1,amqro,monitor#" artemis.profile
> sed -i 's#\(<access method="\(list\|get\|is\)\*" roles="amq\)"#\1,amqro"#;
>         s#\(\.activemq\.artemis">\)#\1\n            <access method="isActive" roles="amq,amqro,monitor"/>#' management.xml
> sed -i 's#\(<restrict>\)#\1\n  <remote>\n    <host>127.0.0.1</host>\n
>  <host>localhost</host>\n    <host>10.0.0.0/8</host> \
>     <host>172.16.0.0/12</host>\n    <host>192.168.0.0/16</host>\n
>  </remote>#' jolokia-access.xml
>
> When I run the image in docker, it works. The API works as per your
> examples and when I use the console as the monitor user, everything is
> locked down except for the Active property in JMX.
>
> When I run it in Kubernetes with the same image and env vars (accessing via
> a nodeport or via kubectl port-forward) it doesn't. Any API method is
> accessible and the console functionality is unlocked regardless of my user,
> although in the JMX tab I cannot invoke any operations (though I can view
> all the properties). If I put debugging on jaas I can see it authenticating
> the right user.
>
> I guess you may not want to help with a 3rd party docker image. I may have
> to resort to an NGINX sidecar to get the user name from the Authorization
> header and filter it that way!
>
> I've tried building versions 2.16 and 2.18, same outcome.
>
>
> Many thanks,
>
> Dave
>
>
>
>
> On Thu, 2 Dec 2021 at 21:45, Domenico Francesco Bruscino <
> bruscinodf@gmail.com> wrote:
>
> > Hi Dave,
> >
> > I'm not able to reproduce your issue executing the following steps:
> >
> > 1) create a new broker instance:
> > ./bin/artemis create broker --user admin --password admin --require-login
> >
> > 2) add test user with monitor role
> > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> > echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties
> >
> > 3) add rtest user with amqro role
> > echo -e "\nrtest = rtest" >> ./broker/etc/artemis-users.properties
> > echo -e "\namqro = rtest" >> ./broker/etc/artemis-roles.properties
> >
> > 4) add the monitor role to HAWTIO_ROLE in artemis.profile
> > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,amqro,monitor'/"
> > ./broker/etc/artemis.profile
> >
> > 5) add the access for the isActive method in management.xml
> > sed -i 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\ method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml
> >
> > 6) add the access for amqro in management.xml
> > sed -i 's/amq/amq,amqro/' ./broker/etc/management.xml
> >
> > 5) run the broker
> > ./broker/bin/artemis run
> >
> > 6) read the Active attribute with test user (monitor role)
> > curl -H "Origin:http://localhost:8161" -u test:test
> >
> >
> http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\
> > "0.0.0.0\"/Active
> >
> >
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
> >
> > 7) read the AddressMemoryUsage attribute with test user (monitor role)
> > curl -H "Origin:http://localhost:8161" -u test:test
> >
> >
> http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\
> > "0.0.0.0\"/AddressMemoryUsage
> >
> >
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"error_type":"java.lang.Exception","error":"java.lang.Exception
> > : User not authorized to access attribute:
> > AddressMemoryUsage","status":403}
> >
> > 7) read the AddressMemoryUsage attribute with rtest user (amqro role)
> > curl -H "Origin:http://localhost:8161" -u rtest:rtest
> >
> >
> http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\
> > "0.0.0.0\"/AddressMemoryUsage
> >
> >
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638481397,"status":200}
> >
> > Could you add the steps to reproduce your issue?
> >
> > Regards,
> > Domenico
> >
> > On Thu, 2 Dec 2021 at 13:43, David Martin <da...@qoritek.com> wrote:
> >
> > > Hi Domenico,
> > >
> > > Following up on this I decided to try adding a readonly console user with
> > > the role "amqro" and that is when I discovered that the users in
> > > HAWTIO_ROLE have unencumbered access to both the console and the Jolokia
> > > REST API.
> > >
> > > 1/ Even the user with the monitor role can log in to the console and do
> > > things like delete queues and connections.
> > >
> > > 2/ User with monitor role able to invoke other methods than /Active e.g.
> > > /AddressMemoryUsage (verified username/password with base64 -d) -
> > >
> > > $ curl -H 'Origin: $(hostname -i)' -H 'Authorization: Basic xxxxx' 'http://localhost:31161/console/jolokia/read/org.apache.activemq.artemis:broker=!%22artemis-0!%22/AddressMemoryUsage'
> > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"artemis-0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638448344,"status":200}
> > >
> > > 3/ management.xml -
> > >
> > > <management-context xmlns="http://activemq.org/schema">
> > >    <!--<connector connector-port="1099"/>-->
> > >    <authorisation>
> > >       <whitelist>
> > >          <entry domain="hawtio"/>
> > >       </whitelist>
> > >       <default-access>
> > >          <access method="list*" roles="amq,amqro"/>
> > >          <access method="get*" roles="amq,amqro"/>
> > >          <access method="is*" roles="amq,amqro"/>
> > >          <access method="set*" roles="amq"/>
> > >          <access method="*" roles="amq"/>
> > >       </default-access>
> > >       <role-access>
> > >          <match domain="org.apache.activemq.artemis">
> > >             <access method="isActive" roles="amq,amqro,monitor"/>
> > >             <access method="list*" roles="amq,amqro"/>
> > >             <access method="get*" roles="amq,amqro"/>
> > >             <access method="is*" roles="amq,amqro"/>
> > >             <access method="set*" roles="amq"/>
> > >             <access method="*" roles="amq"/>
> > >          </match>
> > >          <!--example of how to configure a specific object-->
> > >          <!--<match domain="org.apache.activemq.artemis"
> > > key="subcomponent=queues">
> > >             <access method="list*" roles="view,update,amq"/>
> > >             <access method="get*" roles="view,update,amq"/>
> > >             <access method="is*" roles="view,update,amq"/>
> > >             <access method="set*" roles="update,amq"/>
> > >             <access method="*" roles="amq"/>
> > >          </match>-->
> > >       </role-access>
> > >    </authorisation>
> > > </management-context>
> > >
> > > 4/ artemis-profile -
> > >
> > > # Hawtio Properties
> > > HAWTIO_ROLE='amq,amqro,monitor'
> > >
> > > # Java Opts
> > > if [ -z "$JAVA_ARGS" ]; then
> > >  JAVA_ARGS="$BROKER_CONFIGS
> > > -javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml
> > > -Dcom.sun.management.jmxremote=true
> > > -Dcom.sun.management.jmxremote.port=1099
> > > -Dcom.sun.management.jmxremote.rmi.port=1098
> > > -Dcom.sun.management.jmxremote.ssl=false
> > > -Dcom.sun.management.jmxremote.authenticate=false -Dipv4addr=$(hostname -f)
> > > -Ddomain=artemis-headless.sis-247.svc.cluster.local
> > > -Dcluster.password=2b186afe-4e99-4a33-a47f-042df1fadd1d
> > > -Dcrmt.poll.cron=0_0/2_*_*_*_? -Dcrmt.jwt=mockDoesNotCheckIt
> > > -Dpage.size=2097152 -Dpaging.threshold=10485760
> > > -Dmin.large.message.size=204800 -Dsecurity.invalidation.interval=600000
> > > -Dhawtio.authenticationEnabled=true -Djava.net.preferIPv4Addresses=true
> > > -Djava.net.preferIPv4Stack=true -XX:+UnlockExperimentalVMOptions
> > > -XX:+UseCGroupMemoryLimitForHeap -XX:MaxRAMFraction=2
> > >  -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+UseStringDeduplication
> > > -Dhawtio.disableProxy=true -Dhawtio.realm=activemq -Dhawtio.offline=true
> > > -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal
> > > -Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml"
> > > fi
> > >
> > > Do you or anyone in this group have any suggestions on how the monitor (and
> > > amqro) roles can be actually restricted? I tried adding
> > > -Dhawtio.authenticationEnabled=true but that had no effect.
> > >
> > >
> > > Thanks for your help,
> > >
> > >
> > > Dave
> > >
> > >
> > >
> > > On Thu, 18 Nov 2021 at 21:34, Domenico Francesco Bruscino <
> > > bruscinodf@gmail.com> wrote:
> > >
> > > > Hi Dave,
> > > >
> > > > you need to add the monitor role to HAWTIO_ROLE in artemis.profile and the
> > > > access for the isActive method in management.xml.
> > > >
> > > > Execute the following steps to get a working example:
> > > >
> > > > 1) create a new broker instance:
> > > > ./bin/artemis create broker --user admin --password admin --require-login
> > > >
> > > > 2) add test user with monitor role
> > > > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> > > > echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties
> > > >
> > > > 3) add the monitor role to HAWTIO_ROLE in artemis.profile
> > > > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,monitor'/"
> > > > ./broker/etc/artemis.profile
> > > >
> > > > 4) add the access for the isActive method in management.xml
> > > > sed -i
> > > > 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\
> > > > method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml
> > > >
> > > > 5) run the broker
> > > > ./broker/bin/artemis run
> > > >
> > > > 6) read the Active attribute
> > > > curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/Active
> > > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
> > > >
> > > > Regards,
> > > > Domenico
> > > >
> > > > On Thu, 18 Nov 2021 at 18:16, David Martin <da...@qoritek.com> wrote:
> > > >
> > > > > Hi all,
> > > > >
> > > > > I'm trying to configure role access via the Jolokia REST API for the single
> > > > > attribute "Active" on the "org.apache.activemq.artemis" domain.
> > > > >
> > > > > I have a user with a role "monitor" and want them to be able to access
> > > > > nothing but the above attribute via e.g.
> > > > > /console/jolokia/read/org.apache.activemq.artemis:broker=*/Active. The
> > > > > manual regarding management.xml is clear about *method* access e.g. "get*"
> > > > > but has no examples for *attribute* access.
> > > > >
> > > > > Having spent about an hour on it I'm really stuck. Any help would be
> > > > > appreciated.
> > > > >
> > > > >
> > > > > Cheers,
> > > > >
> > > > > Dave
> > > > >
> > > >
> > >
> >
>

Re: Artemis - management.xml

Posted by David Martin <da...@qoritek.com>.
Hi Domenico,

Thanks - after further experimentation it appears to be related to
Kubernetes but it's pretty baffling (to me at least). It works in Docker.

The build steps are essentially the same as yours, executed via a
Dockerfile (
https://github.com/vromero/activemq-artemis-docker/blob/master/src/Dockerfile)
-

"/opt/apache-artemis-${ACTIVEMQ_ARTEMIS_VERSION}/bin/artemis" create
artemis \
--home /opt/apache-artemis \
--user artemis \
--password simetraehcapa \
--role amq \
--require-login \
--cluster-user artemisCluster \
--cluster-password simetraehcaparetsulc ; \

The only other thing it changes is binding to 0.0.0.0 in Jolokia instead of
localhost.

Then I have sed commands quite similar to yours.

sed -i "s#\(HAWTIO_ROLE='amq\)#\1,amqro,monitor#" artemis.profile
sed -i 's#\(<access method="\(list\|get\|is\)\*" roles="amq\)"#\1,amqro"#;
        s#\(\.activemq\.artemis">\)#\1\n            <access method="isActive" roles="amq,amqro,monitor"/>#' management.xml
sed -i 's#\(<restrict>\)#\1\n  <remote>\n    <host>127.0.0.1</host>\n    <host>localhost</host>\n    <host>10.0.0.0/8</host>\n    <host>172.16.0.0/12</host>\n    <host>192.168.0.0/16</host>\n  </remote>#' jolokia-access.xml

When I run the image in docker, it works. The API works as per your
examples and when I use the console as the monitor user, everything is
locked down except for the Active property in JMX.

When I run it in Kubernetes with the same image and env vars (accessing via
a nodeport or via kubectl port-forward) it doesn't. Any API method is
accessible and the console functionality is unlocked regardless of my user,
although in the JMX tab I cannot invoke any operations (though I can view
all the properties). If I put debugging on jaas I can see it authenticating
the right user.

I guess you may not want to help with a 3rd party docker image. I may have
to resort to an NGINX sidecar to get the user name from the Authorization
header and filter it that way!

I've tried building versions 2.16 and 2.18, same outcome.


Many thanks,

Dave




On Thu, 2 Dec 2021 at 21:45, Domenico Francesco Bruscino <
bruscinodf@gmail.com> wrote:

> Hi Dave,
>
> I'm not able to reproduce your issue executing the following steps:
>
> 1) create a new broker instance:
> ./bin/artemis create broker --user admin --password admin --require-login
>
> 2) add test user with monitor role
> echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties
>
> 3) add rtest user with amqro role
> echo -e "\nrtest = rtest" >> ./broker/etc/artemis-users.properties
> echo -e "\namqro = rtest" >> ./broker/etc/artemis-roles.properties
>
> 4) add the monitor role to HAWTIO_ROLE in artemis.profile
> sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,amqro,monitor'/"
> ./broker/etc/artemis.profile
>
> 5) add the access for the isActive method in management.xml
> sed -i
> 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\
> method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml
>
> 6) add the access for amqro in management.xml
> sed -i 's/amq/amq,amqro/' ./broker/etc/management.xml
>
> 7) run the broker
> ./broker/bin/artemis run
>
> 8) read the Active attribute with test user (monitor role)
> curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/Active
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
>
> 9) read the AddressMemoryUsage attribute with test user (monitor role)
> curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/AddressMemoryUsage
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"error_type":"java.lang.Exception","error":"java.lang.Exception : User not authorized to access attribute: AddressMemoryUsage","status":403}
>
> 10) read the AddressMemoryUsage attribute with rtest user (amqro role)
> curl -H "Origin:http://localhost:8161" -u rtest:rtest
>
> http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\
> "0.0.0.0\"/AddressMemoryUsage
>
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638481397,"status":200}
>
> Could you add the steps to reproduce your issue?
>
> Regards,
> Domenico
>
> On Thu, 2 Dec 2021 at 13:43, David Martin <da...@qoritek.com> wrote:
>
> > Hi Domenico,
> >
> > Following up on this I decided to try adding a readonly console user with
> > the role "amqro" and that is when I discovered that the users in
> > HAWTIO_ROLE have unencumbered access to both the console and the Jolokia
> > REST API.
> >
> > 1/ Even the user with the monitor role can log in to the console and do
> > things like delete queues and connections.
> >
> > 2/ User with monitor role able to invoke other methods than /Active e.g.
> > /AddressMemoryUsage (verified username/password with base64 -d) -
> >
> > $ curl -H 'Origin: $(hostname -i)' -H 'Authorization: Basic xxxxx' 'http://localhost:31161/console/jolokia/read/org.apache.activemq.artemis:broker=!%22artemis-0!%22/AddressMemoryUsage'
> > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"artemis-0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638448344,"status":200}
> >
> > 3/ management.xml -
> >
> > <management-context xmlns="http://activemq.org/schema">
> >    <!--<connector connector-port="1099"/>-->
> >    <authorisation>
> >       <whitelist>
> >          <entry domain="hawtio"/>
> >       </whitelist>
> >       <default-access>
> >          <access method="list*" roles="amq,amqro"/>
> >          <access method="get*" roles="amq,amqro"/>
> >          <access method="is*" roles="amq,amqro"/>
> >          <access method="set*" roles="amq"/>
> >          <access method="*" roles="amq"/>
> >       </default-access>
> >       <role-access>
> >          <match domain="org.apache.activemq.artemis">
> >             <access method="isActive" roles="amq,amqro,monitor"/>
> >             <access method="list*" roles="amq,amqro"/>
> >             <access method="get*" roles="amq,amqro"/>
> >             <access method="is*" roles="amq,amqro"/>
> >             <access method="set*" roles="amq"/>
> >             <access method="*" roles="amq"/>
> >          </match>
> >          <!--example of how to configure a specific object-->
> >          <!--<match domain="org.apache.activemq.artemis"
> > key="subcomponent=queues">
> >             <access method="list*" roles="view,update,amq"/>
> >             <access method="get*" roles="view,update,amq"/>
> >             <access method="is*" roles="view,update,amq"/>
> >             <access method="set*" roles="update,amq"/>
> >             <access method="*" roles="amq"/>
> >          </match>-->
> >       </role-access>
> >    </authorisation>
> > </management-context>
> >
> > 4/ artemis-profile -
> >
> > # Hawtio Properties
> > HAWTIO_ROLE='amq,amqro,monitor'
> >
> > # Java Opts
> > if [ -z "$JAVA_ARGS" ]; then
> >  JAVA_ARGS="$BROKER_CONFIGS
> > -javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml
> > -Dcom.sun.management.jmxremote=true
> > -Dcom.sun.management.jmxremote.port=1099
> > -Dcom.sun.management.jmxremote.rmi.port=1098
> > -Dcom.sun.management.jmxremote.ssl=false
> > -Dcom.sun.management.jmxremote.authenticate=false -Dipv4addr=$(hostname -f)
> > -Ddomain=artemis-headless.sis-247.svc.cluster.local
> > -Dcluster.password=2b186afe-4e99-4a33-a47f-042df1fadd1d
> > -Dcrmt.poll.cron=0_0/2_*_*_*_? -Dcrmt.jwt=mockDoesNotCheckIt
> > -Dpage.size=2097152 -Dpaging.threshold=10485760
> > -Dmin.large.message.size=204800 -Dsecurity.invalidation.interval=600000
> > -Dhawtio.authenticationEnabled=true -Djava.net.preferIPv4Addresses=true
> > -Djava.net.preferIPv4Stack=true -XX:+UnlockExperimentalVMOptions
> > -XX:+UseCGroupMemoryLimitForHeap -XX:MaxRAMFraction=2
> >  -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+UseStringDeduplication
> > -Dhawtio.disableProxy=true -Dhawtio.realm=activemq -Dhawtio.offline=true
> > -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal
> > -Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml"
> > fi
> >
> > Do you or anyone in this group have any suggestions on how the monitor (and
> > amqro) roles can be actually restricted? I tried adding
> > -Dhawtio.authenticationEnabled=true but that had no effect.
> >
> >
> > Thanks for your help,
> >
> >
> > Dave
> >
> >
> >
> > On Thu, 18 Nov 2021 at 21:34, Domenico Francesco Bruscino <
> > bruscinodf@gmail.com> wrote:
> >
> > > Hi Dave,
> > >
> > > you need to add the monitor role to HAWTIO_ROLE in artemis.profile and the
> > > access for the isActive method in management.xml.
> > >
> > > Execute the following steps to get a working example:
> > >
> > > 1) create a new broker instance:
> > > ./bin/artemis create broker --user admin --password admin --require-login
> > >
> > > 2) add test user with monitor role
> > > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> > > echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties
> > >
> > > 3) add the monitor role to HAWTIO_ROLE in artemis.profile
> > > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,monitor'/"
> > > ./broker/etc/artemis.profile
> > >
> > > 4) add the access for the isActive method in management.xml
> > > sed -i
> > > 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\
> > > method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml
> > >
> > > 5) run the broker
> > > ./broker/bin/artemis run
> > >
> > > 6) read the Active attribute
> > > curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/Active
> > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
> > >
> > > Regards,
> > > Domenico
> > >
> > > On Thu, 18 Nov 2021 at 18:16, David Martin <da...@qoritek.com> wrote:
> > >
> > > > Hi all,
> > > >
> > > > I'm trying to configure role access via the Jolokia REST API for the single
> > > > attribute "Active" on the "org.apache.activemq.artemis" domain.
> > > >
> > > > I have a user with a role "monitor" and want them to be able to access
> > > > nothing but the above attribute via e.g.
> > > > /console/jolokia/read/org.apache.activemq.artemis:broker=*/Active. The
> > > > manual regarding management.xml is clear about *method* access e.g. "get*"
> > > > but has no examples for *attribute* access.
> > > >
> > > > Having spent about an hour on it I'm really stuck. Any help would be
> > > > appreciated.
> > > >
> > > >
> > > > Cheers,
> > > >
> > > > Dave
> > > >
> > >
> >
>

Re: Artemis - management.xml

Posted by Domenico Francesco Bruscino <br...@gmail.com>.
Hi Dave,

I'm not able to reproduce your issue executing the following steps:

1) create a new broker instance:
./bin/artemis create broker --user admin --password admin --require-login

2) add test user with monitor role
echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties

3) add rtest user with amqro role
echo -e "\nrtest = rtest" >> ./broker/etc/artemis-users.properties
echo -e "\namqro = rtest" >> ./broker/etc/artemis-roles.properties

4) add the monitor role to HAWTIO_ROLE in artemis.profile
sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,amqro,monitor'/"
./broker/etc/artemis.profile

5) add the access for the isActive method in management.xml
sed -i
's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\
method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml

6) add the access for amqro in management.xml
sed -i 's/amq/amq,amqro/' ./broker/etc/management.xml

7) run the broker
./broker/bin/artemis run

8) read the Active attribute with test user (monitor role)
curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/Active
{"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}

9) read the AddressMemoryUsage attribute with test user (monitor role)
curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/AddressMemoryUsage
{"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"error_type":"java.lang.Exception","error":"java.lang.Exception : User not authorized to access attribute: AddressMemoryUsage","status":403}

10) read the AddressMemoryUsage attribute with rtest user (amqro role)
curl -H "Origin:http://localhost:8161" -u rtest:rtest
http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\
"0.0.0.0\"/AddressMemoryUsage
{"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638481397,"status":200}

Could you add the steps to reproduce your issue?

Regards,
Domenico

On Thu, 2 Dec 2021 at 13:43, David Martin <da...@qoritek.com> wrote:

> Hi Domenico,
>
> Following up on this I decided to try adding a readonly console user with
> the role "amqro" and that is when I discovered that the users in
> HAWTIO_ROLE have unencumbered access to both the console and the Jolokia
> REST API.
>
> 1/ Even the user with the monitor role can log in to the console and do
> things like delete queues and connections.
>
> 2/ User with monitor role able to invoke other methods than /Active e.g.
> /AddressMemoryUsage (verified username/password with base64 -d) -
>
> $ curl -H 'Origin: $(hostname -i)' -H 'Authorization: Basic xxxxx' 'http://localhost:31161/console/jolokia/read/org.apache.activemq.artemis:broker=!%22artemis-0!%22/AddressMemoryUsage'
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"artemis-0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638448344,"status":200}
>
> 3/ management.xml -
>
> <management-context xmlns="http://activemq.org/schema">
>    <!--<connector connector-port="1099"/>-->
>    <authorisation>
>       <whitelist>
>          <entry domain="hawtio"/>
>       </whitelist>
>       <default-access>
>          <access method="list*" roles="amq,amqro"/>
>          <access method="get*" roles="amq,amqro"/>
>          <access method="is*" roles="amq,amqro"/>
>          <access method="set*" roles="amq"/>
>          <access method="*" roles="amq"/>
>       </default-access>
>       <role-access>
>          <match domain="org.apache.activemq.artemis">
>             <access method="isActive" roles="amq,amqro,monitor"/>
>             <access method="list*" roles="amq,amqro"/>
>             <access method="get*" roles="amq,amqro"/>
>             <access method="is*" roles="amq,amqro"/>
>             <access method="set*" roles="amq"/>
>             <access method="*" roles="amq"/>
>          </match>
>          <!--example of how to configure a specific object-->
>          <!--<match domain="org.apache.activemq.artemis"
> key="subcomponent=queues">
>             <access method="list*" roles="view,update,amq"/>
>             <access method="get*" roles="view,update,amq"/>
>             <access method="is*" roles="view,update,amq"/>
>             <access method="set*" roles="update,amq"/>
>             <access method="*" roles="amq"/>
>          </match>-->
>       </role-access>
>    </authorisation>
> </management-context>
>
> 4/ artemis-profile -
>
> # Hawtio Properties
> HAWTIO_ROLE='amq,amqro,monitor'
>
> # Java Opts
> if [ -z "$JAVA_ARGS" ]; then
>  JAVA_ARGS="$BROKER_CONFIGS
>
> -javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml
> -Dcom.sun.management.jmxremote=true
> -Dcom.sun.management.jmxremote.port=1099
> -Dcom.sun.management.jmxremote.rmi.port=1098
> -Dcom.sun.management.jmxremote.ssl=false
> -Dcom.sun.management.jmxremote.authenticate=false -Dipv4addr=$(hostname -f)
> -Ddomain=artemis-headless.sis-247.svc.cluster.local
> -Dcluster.password=2b186afe-4e99-4a33-a47f-042df1fadd1d
> -Dcrmt.poll.cron=0_0/2_*_*_*_? -Dcrmt.jwt=mockDoesNotCheckIt
> -Dpage.size=2097152 -Dpaging.threshold=10485760
> -Dmin.large.message.size=204800 -Dsecurity.invalidation.interval=600000
> -Dhawtio.authenticationEnabled=true -Djava.net.preferIPv4Addresses=true
> -Djava.net.preferIPv4Stack=true -XX:+UnlockExperimentalVMOptions
> -XX:+UseCGroupMemoryLimitForHeap -XX:MaxRAMFraction=2
>  -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+UseStringDeduplication
> -Dhawtio.disableProxy=true -Dhawtio.realm=activemq -Dhawtio.offline=true
>
> -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal
> -Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml"
> fi
>
> Do you or anyone in this group have any suggestions on how the monitor (and
> amqro) roles can be actually restricted? I tried adding
> -Dhawtio.authenticationEnabled=true but that had no effect.
>
>
> Thanks for your help,
>
>
> Dave
>
>
>
> On Thu, 18 Nov 2021 at 21:34, Domenico Francesco Bruscino <
> bruscinodf@gmail.com> wrote:
>
> > Hi Dave,
> >
> > you need to add the monitor role to HAWTIO_ROLE in artemis.profile and the
> > access for the isActive method in management.xml.
> >
> > Execute the following steps to get a working example:
> >
> > 1) create a new broker instance:
> > ./bin/artemis create broker --user admin --password admin --require-login
> >
> > 2) add test user with monitor role
> > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> > echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties
> >
> > 3) add the monitor role to HAWTIO_ROLE in artemis.profile
> > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,monitor'/"
> > ./broker/etc/artemis.profile
> >
> > 4) add the access for the isActive method in management.xml
> > sed -i
> > 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\
> > method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml
> >
> > 5) run the broker
> > ./broker/bin/artemis run
> >
> > 6) read the Active attribute
> > curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/Active
> > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
> >
> > Regards,
> > Domenico
> >
> > On Thu, 18 Nov 2021 at 18:16, David Martin <da...@qoritek.com> wrote:
> >
> > > Hi all,
> > >
> > > I'm trying to configure role access via the Jolokia REST API for the single
> > > attribute "Active" on the "org.apache.activemq.artemis" domain.
> > >
> > > I have a user with a role "monitor" and want them to be able to access
> > > nothing but the above attribute via e.g.
> > > /console/jolokia/read/org.apache.activemq.artemis:broker=*/Active. The
> > > manual regarding management.xml is clear about *method* access e.g. "get*"
> > > but has no examples for *attribute* access.
> > >
> > > Having spent about an hour on it I'm really stuck. Any help would be
> > > appreciated.
> > >
> > >
> > > Cheers,
> > >
> > > Dave
> > >
> >
>
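The 200/403 split Domenico shows above (monitor may read Active but not AddressMemoryUsage; amqro may read both) follows from how the <access> entries in management.xml are matched. The script below is an illustration added to this page, not Artemis code: it parses the management.xml David posted (embedded here without the commented-out block), treats a Jolokia attribute read as a call to the attribute's getter (the is/get prefix choice is an assumption modelled on the isActive entry Domenico used for Active; the attribute types are a constructed stand-in for MBeanInfo), and resolves the entry by exact method name, then the longest prefix*, then * (an assumption about the broker's matching order, so check it against your broker). Whitelisted domains, <default-access> for other domains, and the key="..." form of <match> are handled as well. It models the policy file only, not whether the console or Jolokia layer passes the user's roles through, which is the separate problem David is debugging.

```python
import xml.etree.ElementTree as ET

NS = {"a": "http://activemq.org/schema"}

# Constructed input: the management.xml posted in this thread, without the
# commented-out "subcomponent=queues" example block.
MANAGEMENT_XML = """<management-context xmlns="http://activemq.org/schema">
   <authorisation>
      <whitelist>
         <entry domain="hawtio"/>
      </whitelist>
      <default-access>
         <access method="list*" roles="amq,amqro"/>
         <access method="get*" roles="amq,amqro"/>
         <access method="is*" roles="amq,amqro"/>
         <access method="set*" roles="amq"/>
         <access method="*" roles="amq"/>
      </default-access>
      <role-access>
         <match domain="org.apache.activemq.artemis">
            <access method="isActive" roles="amq,amqro,monitor"/>
            <access method="list*" roles="amq,amqro"/>
            <access method="get*" roles="amq,amqro"/>
            <access method="is*" roles="amq,amqro"/>
            <access method="set*" roles="amq"/>
            <access method="*" roles="amq"/>
         </match>
      </role-access>
   </authorisation>
</management-context>
"""

# Constructed stand-in for MBeanInfo: JMX type of each attribute read in the thread.
ATTRIBUTE_TYPES = {"Active": "boolean", "AddressMemoryUsage": "long"}


def _entries(parent):
    """<access method="..." roles="a,b"/> children -> [(pattern, {roles})]."""
    return [(a.get("method"), set(a.get("roles", "").split(",")))
            for a in parent.findall("a:access", NS)]


def parse_policy(xml_text):
    """Read the whitelist, default-access and role-access sections."""
    auth = ET.fromstring(xml_text).find("a:authorisation", NS)
    return {
        "whitelist": {e.get("domain") for e in auth.findall("a:whitelist/a:entry", NS)},
        "default": _entries(auth.find("a:default-access", NS)),
        "matches": [(m.get("domain"), m.get("key"), _entries(m))
                    for m in auth.findall("a:role-access/a:match", NS)],
    }


def _split_object_name(name):
    """'domain:k1=v1,k2=v2' -> (domain, {k1: v1}); quotes around values are dropped.
    Sufficient for the names in the thread; commas inside quoted values are not handled."""
    domain, _, props = name.partition(":")
    keys = {}
    for kv in props.split(","):
        k, _, v = kv.partition("=")
        keys[k.strip()] = v.strip().strip('"')
    return domain, keys


def _select_entries(policy, domain, keys):
    """<match> for this MBean, else <default-access>.  Assumption: a match whose
    key=value fits the object name wins over a domain-only match."""
    chosen = policy["default"]
    for m_domain, m_key, entries in policy["matches"]:
        if m_domain != domain:
            continue
        if m_key is None:
            chosen = entries
        else:
            k, _, v = m_key.partition("=")
            if keys.get(k) == v:
                return entries
    return chosen


def roles_for_method(entries, method):
    """Assumed resolution order: exact method name, then longest 'prefix*', then '*'."""
    for pattern, roles in entries:
        if pattern == method:
            return roles
    prefixed = [(p[:-1], r) for p, r in entries
                if len(p) > 1 and p.endswith("*") and method.startswith(p[:-1])]
    if prefixed:
        return max(prefixed, key=lambda pr: len(pr[0]))[1]
    for pattern, roles in entries:
        if pattern == "*":
            return roles
    return set()


def may_invoke(policy, object_name, method, user_roles):
    """True when one of user_roles is granted `method` on the named MBean."""
    domain, keys = _split_object_name(object_name)
    if domain in policy["whitelist"]:
        return True  # whitelisted domains skip the role check entirely
    allowed = roles_for_method(_select_entries(policy, domain, keys), method)
    return bool(allowed & set(user_roles))


def may_read_attribute(policy, object_name, attribute, user_roles, types=ATTRIBUTE_TYPES):
    """A Jolokia read of attribute X is authorised as isX (boolean) or getX (anything else)."""
    prefix = "is" if types.get(attribute) == "boolean" else "get"
    return may_invoke(policy, object_name, prefix + attribute, user_roles)
```

With `policy = parse_policy(MANAGEMENT_XML)` and the broker name `org.apache.activemq.artemis:broker="0.0.0.0"`, `may_read_attribute(policy, broker, "AddressMemoryUsage", ["monitor"])` is False (the 403 Domenico gets for the test user) while the same call with `["amqro"]` is True, because getAddressMemoryUsage falls through to the get* entry. That is the practical point for a single-attribute role: the exact-name entry is what keeps monitor narrow, so the role must not appear in any wildcard entry, and the `*` catch-all must stay limited to amq so that operations such as queue deletion remain out of reach of the read-only roles.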

Re: Artemis - management.xml

Posted by David Martin <da...@qoritek.com>.
Hi Domenico,

Following up on this I decided to try adding a readonly console user with
the role "amqro" and that is when I discovered that the users in
HAWTIO_ROLE have unencumbered access to both the console and the Jolokia
REST API.

1/ Even the user with the monitor role can log in to the console and do
things like delete queues and connections.

2/ User with monitor role able to invoke other methods than /Active e.g.
/AddressMemoryUsage (verified username/password with base64 -d) -

$ curl -H 'Origin: $(hostname -i)' -H 'Authorization: Basic xxxxx' 'http://localhost:31161/console/jolokia/read/org.apache.activemq.artemis:broker=!%22artemis-0!%22/AddressMemoryUsage'
{"request":{"mbean":"org.apache.activemq.artemis:broker=\"artemis-0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638448344,"status":200}

3/ management.xml -

<management-context xmlns="http://activemq.org/schema">
   <!--<connector connector-port="1099"/>-->
   <authorisation>
      <whitelist>
         <entry domain="hawtio"/>
      </whitelist>
      <default-access>
         <access method="list*" roles="amq,amqro"/>
         <access method="get*" roles="amq,amqro"/>
         <access method="is*" roles="amq,amqro"/>
         <access method="set*" roles="amq"/>
         <access method="*" roles="amq"/>
      </default-access>
      <role-access>
         <match domain="org.apache.activemq.artemis">
            <access method="isActive" roles="amq,amqro,monitor"/>
            <access method="list*" roles="amq,amqro"/>
            <access method="get*" roles="amq,amqro"/>
            <access method="is*" roles="amq,amqro"/>
            <access method="set*" roles="amq"/>
            <access method="*" roles="amq"/>
         </match>
         <!--example of how to configure a specific object-->
         <!--<match domain="org.apache.activemq.artemis"
key="subcomponent=queues">
            <access method="list*" roles="view,update,amq"/>
            <access method="get*" roles="view,update,amq"/>
            <access method="is*" roles="view,update,amq"/>
            <access method="set*" roles="update,amq"/>
            <access method="*" roles="amq"/>
         </match>-->
      </role-access>
   </authorisation>
</management-context>

4/ artemis-profile -

# Hawtio Properties
HAWTIO_ROLE='amq,amqro,monitor'

# Java Opts
if [ -z "$JAVA_ARGS" ]; then
 JAVA_ARGS="$BROKER_CONFIGS
-javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml
-Dcom.sun.management.jmxremote=true
-Dcom.sun.management.jmxremote.port=1099
-Dcom.sun.management.jmxremote.rmi.port=1098
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false -Dipv4addr=$(hostname -f)
-Ddomain=artemis-headless.sis-247.svc.cluster.local
-Dcluster.password=2b186afe-4e99-4a33-a47f-042df1fadd1d
-Dcrmt.poll.cron=0_0/2_*_*_*_? -Dcrmt.jwt=mockDoesNotCheckIt
-Dpage.size=2097152 -Dpaging.threshold=10485760
-Dmin.large.message.size=204800 -Dsecurity.invalidation.interval=600000
-Dhawtio.authenticationEnabled=true -Djava.net.preferIPv4Addresses=true
-Djava.net.preferIPv4Stack=true -XX:+UnlockExperimentalVMOptions
-XX:+UseCGroupMemoryLimitForHeap -XX:MaxRAMFraction=2
 -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+UseStringDeduplication
-Dhawtio.disableProxy=true -Dhawtio.realm=activemq -Dhawtio.offline=true
-Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal
-Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml"
fi

Do you or anyone in this group have any suggestions on how the monitor (and
amqro) roles can be actually restricted? I tried adding
-Dhawtio.authenticationEnabled=true but that had no effect.


Thanks for your help,


Dave



On Thu, 18 Nov 2021 at 21:34, Domenico Francesco Bruscino <
bruscinodf@gmail.com> wrote:

> Hi Dave,
>
> you need to add the monitor role to HAWTIO_ROLE in artemis.profile and the
> access for the isActive method in management.xml.
>
> Execute the following steps to get a working example:
>
> 1) create a new broker instance:
> ./bin/artemis create broker --user admin --password admin --require-login
>
> 2) add test user with monitor role
> echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties
>
> 3) add the monitor role to HAWTIO_ROLE in artemis.profile
> sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,monitor'/"
> ./broker/etc/artemis.profile
>
> 4) add the access for the isActive method in management.xml
> sed -i
> 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\
> method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml
>
> 5) run the broker
> ./broker/bin/artemis run
>
> 6) read the Active attribute
> curl -H "Origin:http://localhost:8161" -u test:test
>
> http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\
> "0.0.0.0\"/Active
>
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
>
> Regards,
> Domenico
>
> On Thu, 18 Nov 2021 at 18:16, David Martin <da...@qoritek.com> wrote:
>
> > Hi all,
> >
> > I'm trying to configure role access via the Jolokia REST API for the
> single
> > attribute "Active" on the "org.apache.activemq.artemis" domain.
> >
> > I have a user with a role "monitor" and want them to be able to access
> > nothing but the above attribute via e.g.
> > /console/jolokia/read/org.apache.activemq.artemis:broker=*/Active. The
> > manual regarding management.xml is clear about *method *access e.g.
> "get*"
> > but has no examples for *attribute *access.
> >
> > Having spent about an hour on it I'm really stuck. Any help would be
> > appreciated.
> >
> >
> > Cheers,
> >
> > Dave
> >
>

Re: Artemis - management.xml

Posted by David Martin <da...@qoritek.com>.
Excellent, thanks for your help Domenico


On Thu, Nov 18, 2021, 9:34 PM Domenico Francesco Bruscino, <
bruscinodf@gmail.com> wrote:

> Hi Dave,
>
> you need to add the monitor role to HAWTIO_ROLE in artemis.profile and the
> access for the isActive method in management.xml.
>
> Execute the following steps to get a working example:
>
> 1) create a new broker instance:
> ./bin/artemis create broker --user admin --password admin --require-login
>
> 2) add test user with monitor role
> echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties
>
> 3) add the monitor role to HAWTIO_ROLE in artemis.profile
> sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,monitor'/"
> ./broker/etc/artemis.profile
>
> 4) add the access for the isActive method in management.xml
> sed -i
> 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\
> method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml
>
> 5) run the broker
> ./broker/bin/artemis run
>
> 6) read the Active attribute
> curl -H "Origin:http://localhost:8161" -u test:test
>
> http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\
> "0.0.0.0\"/Active
>
> {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
>
> Regards,
> Domenico
>
> On Thu, 18 Nov 2021 at 18:16, David Martin <da...@qoritek.com> wrote:
>
> > Hi all,
> >
> > I'm trying to configure role access via the Jolokia REST API for the
> single
> > attribute "Active" on the "org.apache.activemq.artemis" domain.
> >
> > I have a user with a role "monitor" and want them to be able to access
> > nothing but the above attribute via e.g.
> > /console/jolokia/read/org.apache.activemq.artemis:broker=*/Active. The
> > manual regarding management.xml is clear about *method *access e.g.
> "get*"
> > but has no examples for *attribute *access.
> >
> > Having spent about an hour on it I'm really stuck. Any help would be
> > appreciated.
> >
> >
> > Cheers,
> >
> > Dave
> >
>

Re: Artemis - management.xml

Posted by Domenico Francesco Bruscino <br...@gmail.com>.
Hi Dave,

you need to add the monitor role to HAWTIO_ROLE in artemis.profile and the
access for the isActive method in management.xml.

Execute the following steps to get a working example:

1) create a new broker instance:
./bin/artemis create broker --user admin --password admin --require-login

2) add test user with monitor role
echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties

3) add the monitor role to HAWTIO_ROLE in artemis.profile
sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,monitor'/"
./broker/etc/artemis.profile

4) add the access for the isActive method in management.xml
sed -i
's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\
method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml

5) run the broker
./broker/bin/artemis run

6) read the Active attribute
curl -H "Origin:http://localhost:8161" -u test:test
http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\
"0.0.0.0\"/Active
{"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}

Regards,
Domenico

On Thu, 18 Nov 2021 at 18:16, David Martin <da...@qoritek.com> wrote:

> Hi all,
>
> I'm trying to configure role access via the Jolokia REST API for the single
> attribute "Active" on the "org.apache.activemq.artemis" domain.
>
> I have a user with a role "monitor" and want them to be able to access
> nothing but the above attribute via e.g.
> /console/jolokia/read/org.apache.activemq.artemis:broker=*/Active. The
> manual regarding management.xml is clear about *method *access e.g. "get*"
> but has no examples for *attribute *access.
>
> Having spent about an hour on it I'm really stuck. Any help would be
> appreciated.
>
>
> Cheers,
>
> Dave
>
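Dave's question above is how the monitor and amqro roles in his management.xml can actually be restricted; one check worth doing before chasing the broker is to evaluate the policy offline against the methods and Jolokia attribute reads in question. The following is an added example written for this thread (not code from the thread or from the Artemis project): it parses a role-access section and reports which roles a method resolves to, with an attribute read authorised as its getter (is<Attr> for booleans, get<Attr> otherwise, which is why the thread adds isActive for the Active attribute). The matching precedence it applies (a match with a key beats a domain-only one; exact method name beats prefix wildcard beats '*') and the ObjectName it uses are assumptions of this model.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <role-access> rules from Dave's management.xml above (rest of the file omitted).
MANAGEMENT_XML = """<management-context xmlns="http://activemq.apache.org/schema"><authorisation>
  <role-access>
    <match domain="org.apache.activemq.artemis">
      <access method="isActive" roles="amq,amqro,monitor"/>
      <access method="list*" roles="amq,amqro"/>
      <access method="get*" roles="amq,amqro"/>
      <access method="is*" roles="amq,amqro"/>
      <access method="set*" roles="amq"/>
      <access method="*" roles="amq"/>
    </match>
  </role-access>
</authorisation></management-context>"""

def parse_role_access(xml_text):
    """Return [(domain, key, [(method_pattern, roles), ...]), ...] in document order."""
    rules = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split('}')[-1] != 'match':  # compare local names, ignoring the XML namespace
            continue
        accesses = [(a.get('method'), {r.strip() for r in a.get('roles', '').split(',') if r.strip()})
                    for a in el if a.tag.split('}')[-1] == 'access']
        rules.append((el.get('domain'), el.get('key'), accesses))
    return rules

def roles_for(rules, object_name, method):
    """Roles allowed to invoke `method` on MBean `object_name`. Precedence is this model's
    assumption, not copied from Artemis: a <match> whose key appears in the ObjectName beats a
    domain-only one; an exact method name beats a prefix wildcard (get*, is*, ...), which beats '*'."""
    domain, _, props = object_name.partition(':')
    matched = [(bool(k), a) for d, k, a in rules if d == domain and (not k or k in props.split(','))]
    accesses = max(matched, key=lambda m: m[0], default=(False, []))[1]
    exact = [r for p, r in accesses if p == method]
    prefix = [r for p, r in accesses if p != '*' and p.endswith('*') and method.startswith(p[:-1])]
    catch_all = [r for p, r in accesses if p == '*']
    return (exact or prefix or catch_all or [set()])[0]

def can_read(rules, object_name, attribute, role, boolean=False):
    """A Jolokia attribute read is authorised as its getter: is<Attr> for booleans, get<Attr> otherwise."""
    return role in roles_for(rules, object_name, ('is' if boolean else 'get') + attribute)

if __name__ == '__main__':
    rules = parse_role_access(MANAGEMENT_XML)
    broker = 'org.apache.activemq.artemis:broker="artemis-0"'  # constructed ObjectName
    for attr, boolean in (('Active', True), ('AddressMemoryUsage', False)):
        print(attr, {role: can_read(rules, broker, attr, role, boolean) for role in ('monitor', 'amqro', 'amq')})
```

Under these rules monitor resolves to isActive only, so if the running broker still answers AddressMemoryUsage for that role the policy file is not the thing to keep editing; the next place to look is whether the guard enforcing management.xml is actually active on the Jolokia path.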