You are viewing a plain text version of this content. The canonical link for it is here.
Posted to gitbox@activemq.apache.org by GitBox <gi...@apache.org> on 2021/11/18 09:52:39 UTC
[GitHub] [activemq-artemis] gemmellr commented on a change in pull request #3849: ARTEMIS-3569 - balancer role_name local target, matches role of authe…
gemmellr commented on a change in pull request #3849:
URL: https://github.com/apache/activemq-artemis/pull/3849#discussion_r752046716
##########
File path: artemis-protocols/artemis-amqp-protocol/src/main/java/org/apache/activemq/artemis/protocol/amqp/broker/AMQPSessionCallback.java
##########
@@ -211,12 +211,13 @@ public void init(AMQPSessionContext protonSession, SASLResult saslResult) throws
true, //boolean xa,
(String) null, this, true, operationContext, manager.getPrefixes(), manager.getSecurityDomain());
} else {
+ String validatedUser = manager.getServer().validateUser(user, passcode, protonSPI.getProtonConnectionDelegate(), manager.getSecurityDomain());
Review comment:
Why did this become necessary? Auth should already have happened by now, seems messy doing it again.
EDIT: so essentially the same comment as Domenicos in other areas.
##########
File path: tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/balancing/MQTTRedirectTest.java
##########
@@ -121,5 +137,38 @@ public void testSimpleRedirect() throws Exception {
Assert.assertEquals(0, queueControl0.countMessages());
Wait.assertEquals(0, () -> queueControl1.countMessages());
}
+
+ @Test
+ public void testRoleNameKeyLocalTarget() throws Exception {
+
+ ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager("PropertiesLogin");
+ servers[0] = addServer(ActiveMQServers.newActiveMQServer(createDefaultConfig(true).setSecurityEnabled(true), ManagementFactory.getPlatformMBeanServer(), securityManager, false));
+ setupBalancerServerWithLocalTarget(0, TargetKey.ROLE_NAME, "b", "b");
+
+ startServers(0);
+
+ MqttConnectOptions connOpts = new MqttConnectOptions();
+ connOpts.setCleanSession(true);
+ connOpts.setUserName("a");
+ connOpts.setPassword("a".toCharArray());
+
+ MqttClient client0 = new MqttClient("tcp://" + TransportConstants.DEFAULT_HOST + ":" + TransportConstants.DEFAULT_PORT, "TEST", new MemoryPersistence());
+ try {
+ client0.connect(connOpts);
+ fail("Expect to be rejected as not in role0");
Review comment:
role b?
(Also, earlier tests used "B" rather than "b", consistency might be nice)
##########
File path: tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/balancing/TargetKeyTest.java
##########
@@ -174,6 +194,43 @@ public void testUserNameKey() throws Exception {
Assert.assertEquals("admin", keys.get(0));
}
+ @Test
+ public void testRoleNameKeyLocalTarget() throws Exception {
+
+ ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager("PropertiesLogin");
+ servers[0] = addServer(ActiveMQServers.newActiveMQServer(createDefaultConfig(true).setSecurityEnabled(true), ManagementFactory.getPlatformMBeanServer(), securityManager, false));
+ setupBalancerServerWithLocalTarget(0, TargetKey.ROLE_NAME, "b", "b");
+
+ // ensure advisory permission is present for openwire connection creation by 'b'
+ HierarchicalRepository<Set<Role>> securityRepository = servers[0].getSecurityRepository();
+ Role role = new Role("b", true, true, true, true, true, true, false, false, true, true);
+ Set<Role> roles = new HashSet<>();
+ roles.add(role);
+ securityRepository.addMatch("ActiveMQ.Advisory.#", roles);
+
+ startServers(0);
+
+ final int noRetriesSuchThatWeGetAnErrorOnRejection = 0;
+ ConnectionFactory connectionFactory = createFactory(protocol, false, TransportConstants.DEFAULT_HOST,
+ TransportConstants.DEFAULT_PORT + 0, null, "a", "a", noRetriesSuchThatWeGetAnErrorOnRejection);
+
+ // expect disconnect/reject as not role b
+ try (Connection connection = connectionFactory.createConnection()) {
+ connection.start();
+ fail("Expect to be rejected as not in role0");
+ } catch (Exception rejected) {
+ rejected.printStackTrace();
Review comment:
Maybe log something succinct instead? We already have enough output during tests without stacks that are entirely expected and not used to check anything.
##########
File path: artemis-server/src/main/java/org/apache/activemq/artemis/core/management/impl/BrokerBalancerControlImpl.java
##########
@@ -59,11 +59,10 @@ public BrokerBalancerControlImpl(final BrokerBalancer balancer, final StorageMan
@Override
public CompositeData getTarget(String key) throws Exception {
- Target target = balancer.getTarget(key);
-
- if (target != null) {
+ Target.Result result = balancer.getTarget(key);
+ if (Target.Status.OK.compareTo(result.status) == 0) {
CompositeData connectorData = null;
- TransportConfiguration connector = target.getConnector();
+ TransportConfiguration connector = result.target.getConnector();
Review comment:
Perhaps similar wondering about a TargetResult class when considering the 'context.getResult()' usage in AMQPRedirectHandler . It would be nice if the status checking added using that was being done against the actual [Target.]Status enum, rather than needing to do object equality check against a full not-really-Target object. You could instead have a TargetResult holder indicate the result with the enum (and/or boolean conversion method checking for success) and not have any actual Target object.
##########
File path: tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/balancing/TargetKeyTest.java
##########
@@ -174,6 +194,43 @@ public void testUserNameKey() throws Exception {
Assert.assertEquals("admin", keys.get(0));
}
+ @Test
+ public void testRoleNameKeyLocalTarget() throws Exception {
+
+ ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager("PropertiesLogin");
+ servers[0] = addServer(ActiveMQServers.newActiveMQServer(createDefaultConfig(true).setSecurityEnabled(true), ManagementFactory.getPlatformMBeanServer(), securityManager, false));
+ setupBalancerServerWithLocalTarget(0, TargetKey.ROLE_NAME, "b", "b");
+
+ // ensure advisory permission is present for openwire connection creation by 'b'
+ HierarchicalRepository<Set<Role>> securityRepository = servers[0].getSecurityRepository();
+ Role role = new Role("b", true, true, true, true, true, true, false, false, true, true);
+ Set<Role> roles = new HashSet<>();
+ roles.add(role);
+ securityRepository.addMatch("ActiveMQ.Advisory.#", roles);
+
+ startServers(0);
+
+ final int noRetriesSuchThatWeGetAnErrorOnRejection = 0;
+ ConnectionFactory connectionFactory = createFactory(protocol, false, TransportConstants.DEFAULT_HOST,
+ TransportConstants.DEFAULT_PORT + 0, null, "a", "a", noRetriesSuchThatWeGetAnErrorOnRejection);
+
+ // expect disconnect/reject as not role b
+ try (Connection connection = connectionFactory.createConnection()) {
+ connection.start();
+ fail("Expect to be rejected as not in role0");
Review comment:
role b (/B)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: gitbox-unsubscribe@activemq.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org