Posted to users@activemq.apache.org by Jo De Troy <jo...@gmail.com> on 2022/05/06 08:36:23 UTC

activemq artemis users on queue level

Hello,

I'm pretty new to the ActiveMQ (Artemis) world.
I was wondering if it's possible to define different users per queue when
using e.g. PropertiesLoginModule.
So userA would be able to only produce on queueA but not on queueB.
Suppose you have a broker with some 50 different queues: you don't want all
clients to use the same credentials if they only need access to 1 queue.

If it's possible, would there be an example I can find somewhere for this
type of configuration?
I'm trying to use ActiveMQ Artemis running on a container platform, so
the security config would hopefully be created by using the
ActiveMQArtemisSecurity CRD.

Best Regards,
Jo

Re: activemq artemis users on queue level

Posted by Domenico Francesco Bruscino <br...@gmail.com>.
Hi Jo,

Yes, that is correct; the broker admin password can be masked in the
same way.
An alternative to masking the password could be to use Kubernetes secrets, see
https://artemiscloud.io/documentation/operator/reference.html

Regards,
Domenico


Re: activemq artemis users on queue level

Posted by Jo De Troy <jo...@gmail.com>.
Domenico,

thanks again.
I guess the masking can also be done for the password of the admin user of the
broker, correct?

Regards,
Jo


Re: activemq artemis users on queue level

Posted by Domenico Francesco Bruscino <br...@gmail.com>.
Hi Jo,

This is more a question for the ArtemisCloud.io community [1]. I think the
passwords for the users in ActiveMQArtemisSecurity can be masked using the
mask command [2], but I have never tried it, i.e.

$ ./broker/bin/artemis mask --hash user
result:
1024:C1475A2DBBCCC50D7EB75448555E408E99A71DA455E117552CD27FA57A0C864C:355874B12FB9ED6F2C9D4283A2072E99866EDAE1F9F0FD58A34AB441720BB4E070918EFE615E0C2276984EE674654BB856AE9257F1FB73A2ECAB6742B1789562

spec:
  loginModules:
    propertiesLoginModules:
      - name: prop-module
        users:
          - name: userA
            roles:
              - roleA
            password: "ENC(1024:C1475A2DBBCCC50D7EB75448555E408E99A71DA455E117552CD27FA57A0C864C:355874B12FB9ED6F2C9D4283A2072E99866EDAE1F9F0FD58A34AB441720BB4E070918EFE615E0C2276984EE674654BB856AE9257F1FB73A2ECAB6742B1789562)"

[1] https://artemiscloud.io/community/
[2] https://activemq.apache.org/components/artemis/documentation/latest/masking-passwords

Regards,
Domenico


Re: activemq artemis users on queue level

Posted by Jo De Troy <jo...@gmail.com>.
Thanks Domenico

Is there a possibility to encrypt/obfuscate the passwords for the users in
kind: ActiveMQArtemisSecurity?
Or can these be stored in an OpenShift secret/HashiCorp Vault/...?

Best Regards,
Jo


Re: activemq artemis users on queue level

Posted by Domenico Francesco Bruscino <br...@gmail.com>.
Hi Jo,

Apache ActiveMQ Artemis contains a flexible role-based security model for
applying security to queues, based on their addresses; see the
documentation [1] for further details.

Suppose you have userA with the roleA that can only consume queueA and
userB with roleB that can only consume queueB:

apiVersion: broker.amq.io/v1alpha1
kind: ActiveMQArtemisSecurity
metadata:
  name: ex-prop
spec:
  loginModules:
    propertiesLoginModules:
    - name: 'prop-module'
      users:
      - name: userA
        password: userA
        roles:
        - roleA
      - name: userB
        password: userB
        roles:
        - roleB
  securityDomains:
    brokerDomain:
      name: 'activemq'
      loginModules:
      - name: 'prop-module'
        flag: 'sufficient'
  securitySettings:
    broker:
    - match: 'queue1'
      permissions:
      - operationType: 'consume'
        roles:
        - roleA
    - match: 'queue2'
      permissions:
      - operationType: 'consume'
        roles:
        - roleB

[1] https://activemq.apache.org/components/artemis/documentation/latest/security.html#role-based-security-for-addresses

Regards,
Domenico
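
Added example (not part of the original post and not ArtemisCloud code): a small Python check that reads an ActiveMQArtemisSecurity spec, reports users whose password is stored unmasked, and answers whether a user may perform an operation on a queue, which covers the "produce on queueA but not on queueB" case from the original question. Assumptions: the CR has already been parsed into a dict; SPEC, users, password_findings and allowed are hypothetical names; the queueA/queueB 'send' entries and the ENC(...) value are constructed; only exact 'match' values are evaluated, not wildcards.

```python
import re

# Constructed ActiveMQArtemisSecurity spec (as parsed YAML). Field names follow
# the thread's CR; the ENC(...) value is a made-up placeholder, not a real hash.
SPEC = {
    "loginModules": {"propertiesLoginModules": [{
        "name": "prop-module",
        "users": [
            {"name": "userA", "roles": ["roleA"],
             "password": "ENC(1024:" + "AB" * 32 + ":" + "CD" * 64 + ")"},
            {"name": "userB", "roles": ["roleB"], "password": "userB"},
        ]}]},
    "securitySettings": {"broker": [
        {"match": "queueA", "permissions": [
            {"operationType": "send", "roles": ["roleA"]}]},
        {"match": "queueB", "permissions": [
            {"operationType": "send", "roles": ["roleB"]},
            {"operationType": "consume", "roles": ["roleB"]}]},
    ]},
}

# Shape of the masked value shown in the thread: ENC(<iterations>:<hex>:<hex>)
MASKED = re.compile(r"ENC\(\d+:[0-9A-Fa-f]+:[0-9A-Fa-f]+\)")


def users(spec):
    """Yield every user entry from all propertiesLoginModules."""
    for module in spec["loginModules"]["propertiesLoginModules"]:
        yield from module.get("users", [])


def password_findings(spec):
    """Return (user, issue) pairs for passwords stored unmasked in the CR."""
    findings = []
    for user in users(spec):
        if MASKED.fullmatch(user["password"]):
            continue
        same = user["password"] == user["name"]
        findings.append((user["name"], "password equals username" if same else "plaintext password"))
    return findings


def allowed(spec, username, operation, address):
    """True if one of the user's roles holds `operation` on an exact `match`."""
    roles = {r for u in users(spec) if u["name"] == username for r in u["roles"]}
    for setting in spec["securitySettings"]["broker"]:
        if setting["match"] != address:  # wildcards are not evaluated here
            continue
        for perm in setting["permissions"]:
            if perm["operationType"] == operation and roles & set(perm["roles"]):
                return True
    return False  # no matching grant for this user and address: deny
```

Running the same two functions over the spec quoted in this message would report both users (password equal to username) and show grants only for 'consume' on 'queue1' and 'queue2'.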
