Posted to dev@falcon.apache.org by "Jean-Baptiste Onofré (JIRA)" <ji...@apache.org> on 2014/01/21 14:19:19 UTC

[jira] [Commented] (FALCON-230) Secure activemq topics

    [ https://issues.apache.org/jira/browse/FALCON-230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13877445#comment-13877445 ] 

Jean-Baptiste Onofré commented on FALCON-230:
---------------------------------------------

On this topic, I propose two parts:

1/ Securing the transport
Currently, we use openwire directly, bound to all network interfaces. Using the embedded broker, the user can only define the port number, not the protocol (hardcoded to tcp), nor the network interface (hardcoded to 0.0.0.0, so all interfaces).
I propose to let the user define the transport connector URL.
Thanks to that, it would be possible:
- to bind to a given network interface (for instance localhost or a specific interface IP)
- to use OpenWire over SSL (using a transport like ssl://0.0.0.0:61616 instead of tcp). In conf/falcon-env.sh, the user can define his keystore (using -Djavax.net.ssl.keyStore=/path/to/falcon.ks -Djavax.net.ssl.keyStorePassword=password). The messaging interface in the cluster entity should use properties to contain the keystore in order to correctly create the connection factory.
- eventually define clientAuth (using a transport like ssl://localhost:61616?transport.needClientAuth=true) and provide a keystore/truststore

I'm preparing a patch for that, including an update to the documentation.

2/ Add authentication support

On the other hand, we can force the authentication to use a broker. It means that the messaging interface in the cluster entity should use properties like principal/credential to use username/password when creating the connection factory.
On the embedded broker side, if the user provides a system property like falcon.embeddedmq.authentication=true, we can look up a conf/users.properties file to create the ActiveMQ JAAS plugin and use it in the broker service.

I'm preparing another patch for that (including documentation update too).

The two topics are isolated (a user can do both, or only secure the transport, or only force authentication).

> Secure activemq topics
> ----------------------
>
>                 Key: FALCON-230
>                 URL: https://issues.apache.org/jira/browse/FALCON-230
>             Project: Falcon
>          Issue Type: Sub-task
>            Reporter: Venkatesh Seetharam
>            Assignee: Jean-Baptiste Onofré
>
> I'm leaving it here for the sake of completeness. Topics might need authorization and not sure how to do it.
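
Once the transport connector URL becomes user-defined, as the comment above proposes, a deployment can check the configured value before the broker starts. The following is an added example, not Falcon or ActiveMQ code and not part of the original message; the function name, the finding labels and the policy they encode are assumptions, and the sample URLs are constructed from the ones quoted in the comment.

```python
from urllib.parse import urlsplit, parse_qs

CLEARTEXT = {"tcp", "nio"}        # OpenWire without TLS
TLS = {"ssl", "nio+ssl"}          # OpenWire over SSL/TLS
WILDCARD_HOSTS = {"0.0.0.0", "::", ""}   # listener reachable on every interface


def audit_connector(url, require_client_auth=False):
    """Return a list of findings for one transport connector URL.

    Finding labels are hypothetical names chosen for this example.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    opts = parse_qs(parts.query)
    findings = []

    if scheme in CLEARTEXT:
        findings.append("cleartext-transport")
    elif scheme not in TLS:
        findings.append("unrecognised-scheme")

    if host in WILDCARD_HOSTS:
        findings.append("binds-all-interfaces")

    # Last occurrence wins if the option is repeated in the query string.
    need = opts.get("transport.needClientAuth", ["false"])[-1].lower()
    if scheme in TLS and require_client_auth and need != "true":
        findings.append("no-client-cert-required")
    # needClientAuth is a TLS concept; on a cleartext scheme it protects nothing.
    if scheme in CLEARTEXT and "transport.needClientAuth" in opts:
        findings.append("client-auth-option-without-tls")
    return findings


# Constructed sample values, based on the URLs quoted in the comment.
SAMPLES = [
    "tcp://0.0.0.0:61616",
    "ssl://0.0.0.0:61616",
    "ssl://localhost:61616?transport.needClientAuth=true",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit_connector(sample, require_client_auth=True) or "ok")
```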


