Posted to users@activemq.apache.org by Stan Petrula <s....@spedion.de> on 2020/03/31 07:58:20 UTC

Artemis: Restricting access based on protocol

Hello,
We are using admin user to manage Artemis broker using management console,
so far OK. We would like to disallow admin login over MQTT protocol. Is it
possible to restrict user/role access to certain connectors? 




--
Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html

Re: Artemis: Restricting access based on protocol

Posted by brusdev <br...@gmail.com>.
Hi Stan,

the PR https://github.com/apache/activemq-artemis/pull/3058 is merged so it
will be included in the 2.12.0 release.

Regards,
Domenico




Re: Artemis: Restricting access based on protocol

Posted by brusdev <br...@gmail.com>.
Hi Justin and Stan,

I found another bug, testing the MqttConnectMessage rejection:
https://issues.apache.org/jira/browse/ARTEMIS-2686

I created a PR to fix this bug:
https://github.com/apache/activemq-artemis/pull/3058

Regards,
Domenico




Re: Artemis: Restricting access based on protocol

Posted by Justin Bertram <jb...@apache.org>.
The problem is ARTEMIS-2607 [1] which will be resolved in the 2.12.0 release.


Justin

[1] https://issues.apache.org/jira/browse/ARTEMIS-2607

On Wed, Apr 1, 2020 at 7:40 AM Stan Petrula <s....@spedion.de> wrote:

> Hi Domenico,
>
> thank you for the suggestion, but unfortunately it does not work. I am using
> slightly modified interceptor code:
>
> public class MQTTLoginFilterInterceptor implements MQTTInterceptor {
>    @Override
>    public boolean intercept(final MqttMessage mqttMessage, RemotingConnection connection) {
>       System.out.println("MQTT intercept called");
>
>       if (mqttMessage instanceof MqttConnectMessage) {
>          MqttConnectMessage connectMessage = (MqttConnectMessage) mqttMessage;
>
>          if (connectMessage.payload().userName() != null
>              && connectMessage.payload().userName().compareTo("admin") == 0) {
>             System.out.println("reject admin login");
>             return false;
>          } else {
>             System.out.println("allow user login");
>          }
>       }
>
>       return true;
>    }
> }
>
> Log output on admin login:
> MQTT intercept called
> reject admin login
> MQTT intercept called
>
> Logs show that we can catch admin login, but returning false from the
> interceptor, after getting MqttConnectMessage, does not have any effect.
> With this interceptor I can log in as admin, subscribe and do any action
> allowed. Do you have any idea?

Re: Artemis: Restricting access based on protocol

Posted by Stan Petrula <s....@spedion.de>.
Hi Domenico,

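thank you for the suggestion, but unfortunately it does not work. I am using
slightly modified interceptor code:

import io.netty.handler.codec.mqtt.MqttConnectMessage;
import io.netty.handler.codec.mqtt.MqttMessage;
import org.apache.activemq.artemis.core.protocol.mqtt.MQTTInterceptor;
import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;

public class MQTTLoginFilterInterceptor implements MQTTInterceptor {
   @Override
   public boolean intercept(final MqttMessage mqttMessage, RemotingConnection connection) {
      System.out.println("MQTT intercept called");

      // Only the CONNECT packet carries the username.
      if (mqttMessage instanceof MqttConnectMessage) {
         MqttConnectMessage connectMessage = (MqttConnectMessage) mqttMessage;

         // userName() is null when the client sends no credentials.
         if (connectMessage.payload().userName() != null
             && connectMessage.payload().userName().compareTo("admin") == 0) {
            System.out.println("reject admin login");
            return false;
         } else {
            System.out.println("allow user login");
         }
      }

      return true;
   }
}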

Log output on admin login:
MQTT intercept called
reject admin login
MQTT intercept called

Logs show that we can catch admin login, but returning false from the
interceptor, after getting MqttConnectMessage, does not have any effect.
With this interceptor I can log in as admin, subscribe and do any action
allowed. Do you have any idea?





Re: Artemis: Restricting access based on protocol

Posted by brusdev <br...@gmail.com>.
Hi Stan,

Artemis supports interceptors[1] to intercept packets entering and exiting
the server. This allows custom code to be executed, e.g. for auditing
packets, filtering or other reasons. So you could use an MQTTInterceptor[2]
to reject connection messages with admin username.

An example of MQTTInterceptor to clarify what I mean:

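import io.netty.handler.codec.mqtt.MqttConnectMessage;
import io.netty.handler.codec.mqtt.MqttMessage;
import org.apache.activemq.artemis.core.protocol.mqtt.MQTTInterceptor;
import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;

public class MQTTAdminRejectingInterceptor implements MQTTInterceptor {
   @Override
   public boolean intercept(final MqttMessage packet, RemotingConnection connection) {
      // Reject only CONNECT packets that carry the "admin" username.
      // "admin".equals(...) is null-safe: userName() is null when the
      // client connects without credentials.
      if (packet instanceof MqttConnectMessage &&
          "admin".equals(((MqttConnectMessage) packet).payload().userName())) {
         return false;
      } else {
         return true;
      }
   }
}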

[1]
https://activemq.apache.org/components/artemis/documentation/latest/intercepting-operations.html
[2]
https://activemq.apache.org/components/artemis/documentation/latest/examples.html#interceptor-mqtt

Regards,
Domenico
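
Added example (not code from the thread or from the Artemis project): the same interceptor generalized to a deny list, with an audit log line that strips control characters from the client-supplied username. The package, class name and deny-list contents are assumptions; per the replies in this thread, the rejection of the CONNECT packet takes effect from the 2.12.0 release.

```java
package org.example.broker; // hypothetical package name

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;

import io.netty.handler.codec.mqtt.MqttConnectMessage;
import io.netty.handler.codec.mqtt.MqttMessage;
import org.apache.activemq.artemis.core.protocol.mqtt.MQTTInterceptor;
import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;

/**
 * Refuses MQTT CONNECT packets for accounts that should only be used
 * through the management console. Register it in broker.xml:
 *
 *   <remoting-incoming-interceptors>
 *      <class-name>org.example.broker.MqttUserDenyInterceptor</class-name>
 *   </remoting-incoming-interceptors>
 */
public class MqttUserDenyInterceptor implements MQTTInterceptor {

   private static final Logger LOG =
      Logger.getLogger(MqttUserDenyInterceptor.class.getName());

   // Constructed sample list; the match below is exact and case-sensitive.
   private static final Set<String> DENIED_USERS =
      Collections.unmodifiableSet(new HashSet<>(Arrays.asList("admin")));

   @Override
   public boolean intercept(final MqttMessage packet, final RemotingConnection connection) {
      // Only the CONNECT packet carries credentials; let everything else through.
      if (!(packet instanceof MqttConnectMessage)) {
         return true;
      }
      // userName() is null when the client connects without credentials.
      final String user = ((MqttConnectMessage) packet).payload().userName();
      if (user != null && DENIED_USERS.contains(user)) {
         // The username is client-controlled: neutralize control characters
         // so it cannot forge extra log lines.
         final String safeUser = user.replaceAll("\\p{Cntrl}", "_");
         LOG.warning("Rejected MQTT CONNECT for user '" + safeUser
            + "' from " + connection.getRemoteAddress());
         return false;
      }
      return true;
   }
}
```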


