Posted to users@activemq.apache.org by "Nilesh Khokale (Contractor)" <Ni...@OfficeDepot.com.INVALID> on 2023/01/09 08:56:18 UTC

How to grant read-only access to a non-amq role user in the Jolokia console, Apache Artemis version 2.23.1

Hi Team,

As part of our project requirement we need to restrict non-amq users (LDAP users) from performing write & execute operations inside the Jolokia console (connection, session, consumer, producer),
and we need to grant them only the send message permission. We were able to achieve it in version 2.18 by removing the non-amq role (the LDAP users' role) from the <role-access> block in the management.xml below & by giving only the send message permission in broker.xml, which is working fine as per expectation. However, when we do the same configuration in 2.23.1 it is not working. It allows a non-amq user to perform any write/execute operation, which we do not want. So here I am looking for your suggestion on how we can achieve the same in Apache Artemis 2.23.1. Please let us know if you need more details. Thank you

2.18 management.xml file –

<role-access>
   <match domain="org.apache.activemq.artemis">
      <access method="list*" roles="amq"/>
      <access method="get*" roles="amq"/>
      <access method="is*" roles="amq"/>
      <access method="set*" roles="amq"/>
      <access method="*" roles="amq"/>
   </match>
</role-access>


2.18.1 broker.xml file – In this file we are giving only the send message permission to our LDAP users' role.

<security-settings>
   <security-setting match="#">
      <permission type="createNonDurableQueue" roles="amq"/>
      <permission type="deleteNonDurableQueue" roles="amq"/>
      <permission type="createDurableQueue" roles="amq"/>
      <permission type="deleteDurableQueue" roles="amq"/>
      <permission type="createAddress" roles="amq"/>
      <permission type="deleteAddress" roles="amq"/>
      <permission type="consume" roles="amq"/>
      <permission type="browse" roles="amq"/>
      <permission type="send" roles="amq,EAI_Administrator_G"/>
   </security-setting>
</security-settings>



With the above changes, when we log in to the 2.18 Jolokia console using a non-amq role user (LDAP user) and navigate to any tab like connection, session, consumer or producers, we get the restriction message below, which is correct as per the above changes & is what our requirement is. Please suggest how we can achieve the same in version 2.23.1. Thank you.

The snapshot below is from 2.18.


We just need to grant the send message permission to any non-amq role user like below.



Thank you,
Nilesh

CONFIDENTIALITY NOTICE: The information contained in this email and attached document(s) may contain confidential information that is intended only for the addressee(s). If you are not the intended recipient, you are hereby advised that any disclosure, copying, distribution or the taking of any action in reliance upon the information is prohibited. If you have received this email in error, please immediately notify the sender and delete it from your system.

Re: How to grant read-only access to a non-amq role user in the Jolokia console, Apache Artemis version 2.23.1

Posted by Domenico Francesco Bruscino <br...@gmail.com>.
Hi Nilesh,

I'm not able to see your screenshots and I'm not able to reproduce this issue using Apache ActiveMQ Artemis 2.23.1 with org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule.
Are you able to reproduce this issue using org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule?

Execute the following steps to get a working example:

1) create a new broker instance:
./bin/artemis create broker --user admin --password admin --require-login

2) add test user with monitor role
echo -e "\nguest = guest" >> ./broker/etc/artemis-users.properties
echo -e "\nguests = guest" >> ./broker/etc/artemis-roles.properties

3) add the monitor role to HAWTIO_ROLE in artemis.profile
sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,guests'/" ./broker/etc/artemis.profile

4) add the access for the send method in management.xml
sed -i 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\ method="send"\ roles="amq,guests"\/>/' ./broker/etc/management.xml

5) run the broker
./broker/bin/artemis run

Regards,
Domenico


On Mon, 9 Jan 2023 at 09:56, Nilesh Khokale (Contractor)
<Ni...@officedepot.com.invalid> wrote:

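The five steps in Domenico's reply touch three separate controls, and it helps to see them together: HAWTIO_ROLE in artemis.profile decides who may log in to the web console at all, the <role-access> entries in management.xml decide which MBean operations a logged-in role may invoke, and the <security-setting> permissions in broker.xml (the block from the first post) govern messaging itself. The script below is an added example written for this page; it is not code from the thread or from the Artemis project. It replays steps 2 to 4 against a throwaway copy of the etc/ files, but idempotently (a second run appends nothing twice) and portably (no GNU-only `sed -i`), and ends with a review step that lists which management methods a role is actually named on. Assumptions: the etc/ layout is the one `artemis create` writes, the user "guest" and role "guests" are the reply's own sample values, and the management.xml fixture is a constructed, cut-down copy of the <role-access> block from the first post, without the other elements a real management.xml contains.

```shell
#!/bin/sh
# Added example (not from the thread or the Artemis project): apply the
# reply's edits to a copy of etc/ and review the resulting role-access.
# Assumed layout: artemis-users.properties, artemis-roles.properties,
# artemis.profile and management.xml under one directory, as `artemis
# create` lays them out. User "guest" / role "guests" are the reply's values.
set -eu

# Constructed fixtures standing in for a freshly created broker's etc/ dir.
make_fixtures() {
    dir="$1"
    mkdir -p "$dir"
    printf 'admin = admin\n' > "$dir/artemis-users.properties"
    printf 'amq = admin\n' > "$dir/artemis-roles.properties"
    printf "HAWTIO_ROLE='amq'\n" > "$dir/artemis.profile"
    cat > "$dir/management.xml" <<'EOF'
<management-context>
   <authorisation>
      <role-access>
         <match domain="org.apache.activemq.artemis">
            <access method="list*" roles="amq"/>
            <access method="get*" roles="amq"/>
            <access method="is*" roles="amq"/>
            <access method="set*" roles="amq"/>
            <access method="*" roles="amq"/>
         </match>
      </role-access>
   </authorisation>
</management-context>
EOF
}

# Step 2 of the reply: a console-only user in the PropertiesLoginModule files.
# The grep guards make a second run a no-op instead of appending duplicates.
add_guest_user() {
    dir="$1"
    grep -q '^guest *=' "$dir/artemis-users.properties" \
        || printf '\nguest = guest\n' >> "$dir/artemis-users.properties"
    grep -q '^guests *=' "$dir/artemis-roles.properties" \
        || printf '\nguests = guest\n' >> "$dir/artemis-roles.properties"
}

# Step 3: HAWTIO_ROLE only gates console login; it grants nothing on MBeans.
# Written through a temp file so it works with BSD as well as GNU sed.
allow_console_login() {
    f="$1/artemis.profile"
    grep -q "HAWTIO_ROLE='amq,guests'" "$f" && return 0
    sed "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,guests'/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Step 4: the only <access> entry naming "guests" is the send one, so every
# other method in the domain still falls through to the amq-only entries.
# The rule is placed directly under <match>, where the reply's sed puts it.
# If the operation the console calls is sendMessage rather than send, use the
# prefix form "send*", the same form as the list*/get* entries in the file.
grant_send_only() {
    f="$1/management.xml"
    grep -q 'method="send"' "$f" && return 0
    awk '{ print }
         /<match domain="org.apache.activemq.artemis">/ {
             print "            <access method=\"send\" roles=\"amq,guests\"/>"
         }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

configure_console_rbac() {
    add_guest_user "$1"
    allow_console_login "$1"
    grant_send_only "$1"
}

# Review step: print the management methods a role is named on, one per line,
# by pulling every <access> entry out of the file and splitting its role list.
methods_for_role() {
    grep -o '<access method="[^"]*" roles="[^"]*"/>' "$1/management.xml" \
        | awk -v r="$2" -F'"' '{ n = split($4, rs, ",")
                                 for (i = 1; i <= n; i++) if (rs[i] == r) print $2 }'
}

# Stand-alone demo on a throwaway directory: runs the edits twice to show they
# are idempotent, then reviews what "guests" and "amq" may call.
demo() {
    d="${TMPDIR:-/tmp}/artemis-rbac-demo.$$"
    make_fixtures "$d"
    configure_console_rbac "$d"
    configure_console_rbac "$d"
    echo "methods open to guests:"; methods_for_role "$d" guests
    echo "methods open to amq:";    methods_for_role "$d" amq
    cat "$d/artemis.profile"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh script.sh demo` to see the effect on the fixtures, or source it and call `configure_console_rbac ./broker/etc` followed by `methods_for_role ./broker/etc guests` on a real instance; the review step is the part worth keeping, because it shows at a glance whether a role has crept into any entry other than the one you meant.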