Posted to users@activemq.apache.org by Simon Lundström <si...@su.se> on 2016/03/10 17:14:48 UTC

Reloading users and groups properties on change

Hi!

I talked to Gary Tully on IRC (and mail) and we decided it was best that
I mailed the mailing list since he was pretty sure that someone here had
solved this.

We are running 5.13.0 and are trying to get {user,group}s.properties to
be reloaded automatically when they are changed.

In the init.d-script we've added:
ACTIVEMQ_OPTS+=" -Djava.security.auth.login.config=/local/activemq/conf/login.config "

and login.config looks like this:
activemq-domain {
  org.apache.activemq.jaas.PropertiesLoginModule required
    debug=true
    reload=true
    org.apache.activemq.jaas.properties.user="users.properties"
    org.apache.activemq.jaas.properties.group="../conf.d/approved/groups.properties"
  ;
};

users.properties:
system=manager
nagios=nagios

groups.properties:
monitoring=system

activemq.xml excerpt:
[…]
    <plugins>
      <!-- The configuration value matches the JAAS realm in login.config -->
      <jaasAuthenticationPlugin configuration="activemq-domain" />

      <!-- Enable hot reloading of the The configuration value matches the JAAS realm in login.config -->
      <runtimeConfigurationPlugin checkPeriod="0" />

      <authorizationPlugin>
         <map>
           <authorizationMap>
             <authorizationEntries>
               <authorizationEntry
                 queue="aliveness-test"
                 read="monitoring"
                 write="monitoring"
                 admin="monitoring"
               />
             </authorizationEntries>
           </authorizationMap>
         </map>
       </authorizationPlugin>
[…]

With this configuration the user nagios should be able to access the queue aliveness-test.
To reproduce, modify groups.properties so it looks like:
monitoring=system,nagios

Check your logs (you need to enable debug logging on org.apache.activemq.jaas.ReloadableProperties):
{"thread":"ActiveMQ NIO Worker 622","level":"DEBUG","loggerName":"org.apache.activemq.jaas.ReloadableProperties","message":"Load of: PropsFile=/local/activemq/conf/../conf.d/approved/groups.properties"}
so the reloading works, but nagios still can't consume from (or produce to) the queue:
{"thread":"ActiveMQ NIO Worker 2","level":"WARN","loggerName":"org.apache.activemq.broker.TransportConnection.Service","message":"Security Error occurred on connection to: tcp://0:0:0:0:0:0:0:1:45357, User nagios is not authorized to read from: queue://aliveness-test"}

Note: If I restart ActiveMQ nagios can consume and produce from the
queue.

Is there any configuration that I've missed?
Is this a bug?

BR,
- Simon

____________________________________

Simon Lundström
Section for Infrastructure

IT Services
Stockholm University
SE-106 91 Stockholm, Sweden

www.su.se/english/staff-info/it
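
Added example, not part of the original post: a Python check for the symptom described above, a read denial logged after groups.properties was reloaded for a user the file on disk already places in a permitted group. The inputs are constructed from the values quoted in the post; `parse_groups`, `stale_denials` and `READ_ROLES` are hypothetical names, and only the read-denial message shown above is matched.

```python
import json
import re

# Constructed sample input: values copied from the post above.
GROUPS_AFTER_EDIT = "monitoring=system,nagios\n"
READ_ROLES = {"aliveness-test": {"monitoring"}}  # read="monitoring" in activemq.xml
LOG_LINES = [
    '{"thread":"ActiveMQ NIO Worker 622","level":"DEBUG","loggerName":"org.apache.activemq.jaas.ReloadableProperties","message":"Load of: PropsFile=/local/activemq/conf/../conf.d/approved/groups.properties"}',
    '{"thread":"ActiveMQ NIO Worker 2","level":"WARN","loggerName":"org.apache.activemq.broker.TransportConnection.Service","message":"Security Error occurred on connection to: tcp://0:0:0:0:0:0:0:1:45357, User nagios is not authorized to read from: queue://aliveness-test"}',
]
RELOAD = re.compile(r"Load of: PropsFile=(\S+)")
DENIED = re.compile(r"User (\S+) is not authorized to read from: queue://(\S+)")


def parse_groups(text):
    """Parse groups.properties (group=user1,user2) into {user: {groups}}."""
    membership = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        group, users = line.split("=", 1)
        for user in filter(None, (u.strip() for u in users.split(","))):
            membership.setdefault(user, set()).add(group.strip())
    return membership


def stale_denials(log_lines, groups_text, read_roles, groups_file="groups.properties"):
    """Return (user, queue) read denials logged after a reload of the groups
    file, for users the file on disk already places in a permitted group."""
    membership = parse_groups(groups_text)
    reloaded, findings = False, []
    for raw in log_lines:
        try:
            message = json.loads(raw).get("message", "")
        except ValueError:
            continue  # skip lines that are not JSON log records
        reload_hit = RELOAD.search(message)
        if reload_hit and reload_hit.group(1).endswith(groups_file):
            reloaded = True
        denied = DENIED.search(message)
        if denied and reloaded:
            user, queue = denied.groups()
            if membership.get(user, set()) & read_roles.get(queue, set()):
                findings.append((user, queue))
    return findings


if __name__ == "__main__":
    print(stale_denials(LOG_LINES, GROUPS_AFTER_EDIT, READ_ROLES))
```

A non-empty result means the broker reported reloading the file yet still enforced the old group membership, which is the behaviour reported in this thread.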

Re: Reloading users and groups properties on change

Posted by Simon Lundström <si...@su.se>.
Oh, Nagios is just the username. The actual client is an Apache Qpid
Proton producer/consumer which connects via AMQP.

Will get on it, thanks Tim!

BR,
- Simon

On Fri, 2016-04-01 at 08:16:34 -0600, Tim Bain wrote:
> Yes, file a JIRA, and attach a minimal configuration to reproduce the
> problem.
> 
> BTW, from what you describe, I'd expect that this would happen for any
> client (including a tiny Java test app you could write), which would take
> Nagios out of the equation.  Can you confirm that that's the case?  Once
> you do, attach that test client to the JIRA; let's avoid giving the
> impression that this is somehow related to Nagios if it's really not.
> 
> Tim

Re: Reloading users and groups properties on change

Posted by Tim Bain <tb...@alumni.duke.edu>.
Yes, file a JIRA, and attach a minimal configuration to reproduce the
problem.

BTW, from what you describe, I'd expect that this would happen for any
client (including a tiny Java test app you could write), which would take
Nagios out of the equation.  Can you confirm that that's the case?  Once
you do, attach that test client to the JIRA; let's avoid giving the
impression that this is somehow related to Nagios if it's really not.

Tim
On Apr 1, 2016 12:15 AM, "Simon Lundström" <si...@su.se> wrote:

> No one uses PropertiesLoginModule and reloading?
>
> Gary, so I should file a jira for this right?
>
> BR,
> - Simon

Re: Reloading users and groups properties on change

Posted by Simon Lundström <si...@su.se>.
No one uses PropertiesLoginModule and reloading?

Gary, so I should file a jira for this right?

BR,
- Simon
