Artemis - Implement ACL programmatically

Artemis - Implement ACL programmatically

Modanese, Riccardo
Hello,
In our ActiveMQ 5.x security plugin code we are enforcing ACL programmatically, so I’m investigating how to migrate our current ACL from ActiveMQ 5.x to Artemis.

I took a look into the Artemis source code and I didn’t find any object similar to those present in ActiveMQ 5.x (e.g. org.apache.activemq.security.AuthorizationMap, org.apache.activemq.security.AuthorizationEntry, ...).

Can you point me in the right direction?

Re: Artemis - Implement ACL programmatically

christopher.l.shannon
All of the info you should need to get started should be here:
https://activemq.apache.org/components/artemis/documentation/latest/security.html


Re: Artemis - Implement ACL programmatically

Modanese, Riccardo
I already read this page and I wasn’t able to find any helpful information.
In our use case each user has an ACL that depends on the username itself. Moreover, a user can be added at runtime, and the broker must be able to create and correctly handle the ACL for the newly created user as well.

So, in the end, what I need is the capability of creating ACLs programmatically and keeping them in a session so that they are used every time a client publishes a message or subscribes to an address.
In ActiveMQ 5 this was possible ([1], [2]) by creating a DefaultAuthorizationMap object, but I cannot find a similar object in Artemis.

[1] https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L683
[2] https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L557


Il giorno 26 ago 2019, alle ore 13:43, Christopher Shannon <[hidden email]<mailto:[hidden email]>> ha scritto:

All of the info you should need to get started should be here:
https://activemq.apache.org/components/artemis/documentation/latest/security.html

On Mon, Aug 26, 2019 at 6:24 AM Modanese, Riccardo
<[hidden email]> wrote:

Hello,
   In our ActiveMQ 5.x security plugin code we are enforcing ACL
programmatically so I’m investigating how to migrate our current ACL from
ActiveMQ 5.x to Artemis.

I took a look into Artemis source code and I didn’t find any similar
object to those present in ActiveMQ 5.x (E.g.
org.apache.activemq.security.AuthorizationMap,
org.apache.activemq.security.AuthorizationEntry, ...)

Can you point me to the right direction?


Reply | Threaded
Open this post in threaded view
|

Re: Artemis - Implement ACL programmatically

christopher.l.shannon
You might need to write some custom code to do what you want and you could
try a custom Security plugin.
See the API and Java docs for the security setting plugin:
https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/SecuritySettingPlugin.java

If you need even more control you can create your own SecurityManager and
register it with the broker.  The interface to extend is:
https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQSecurityManager3.java

The validateUserAndRole() method is where you do your ACL checks.

A default implementation that delegates to a JAAS module is included in
the broker already, which you can use as an example or extend:
https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java

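As an added illustration of the ActiveMQSecurityManager3 route described above (this is not code from the thread or from the Artemis project): a hypothetical manager whose validateUserAndRole derives the ACL from the username alone, so no per-user entry has to exist in the broker's security repository. The class name, the `<username>.` address-prefix convention and the injected credentialVerifier are assumptions; the interface methods and CheckType are the real Artemis API.

```java
import java.util.Set;
import java.util.function.BiPredicate;

import org.apache.activemq.artemis.core.security.CheckType;
import org.apache.activemq.artemis.core.security.Role;
import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;
import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager3;

/**
 * Hypothetical per-user ACL: an authenticated user may only act on addresses
 * under its own prefix "<username>." (assumed convention). Management rights
 * are never granted. Everything not explicitly allowed is denied.
 */
public final class PerUserAclSecurityManager implements ActiveMQSecurityManager3 {

   // Credential check is delegated to whatever backend holds the users (assumed).
   private final BiPredicate<String, String> credentialVerifier;

   public PerUserAclSecurityManager(BiPredicate<String, String> credentialVerifier) {
      this.credentialVerifier = credentialVerifier;
   }

   // Legacy forms required by the base ActiveMQSecurityManager interface.
   @Override
   public boolean validateUser(String user, String password) {
      return validateUser(user, password, null) != null;
   }

   @Override
   public boolean validateUserAndRole(String user, String password, Set<Role> roles, CheckType checkType) {
      return validateUserAndRole(user, password, roles, checkType, null, null) != null;
   }

   // Authentication: return the validated user name, or null to reject.
   @Override
   public String validateUser(String user, String password, RemotingConnection remotingConnection) {
      if (user == null || user.isEmpty() || password == null) {
         return null;
      }
      return credentialVerifier.test(user, password) ? user : null;
   }

   // Authorization: the broker calls this for every send, consume, queue/address
   // creation and management operation. The roles from security-settings are
   // deliberately ignored; the decision rests on the username and the address.
   @Override
   public String validateUserAndRole(String user, String password, Set<Role> roles, CheckType checkType,
                                     String address, RemotingConnection remotingConnection) {
      if (validateUser(user, password, remotingConnection) == null) {
         return null;
      }
      return isAllowed(user, checkType, address) ? user : null;
   }

   // Pure decision function, so the ACL logic can be unit-tested without a broker.
   // The trailing dot prevents prefix confusion ("ali" must not match "alice.x").
   static boolean isAllowed(String user, CheckType checkType, String address) {
      if (checkType == CheckType.MANAGE) {
         return false;
      }
      return address != null && address.startsWith(user + ".");
   }
}
```

In embedded mode such a manager is handed to ActiveMQServers.newActiveMQServer(configuration, securityManager); note that the broker caches positive authorization results for the configured security-invalidation-interval, so a revoked user is not cut off until that interval elapses.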

Re: Artemis - Implement ACL programmatically

Modanese, Riccardo
I think the SecuritySettingPlugin will not solve my issue, but a custom ActiveMQSecurityManager3 implementation could.

So I tried to plug in an ActiveMQSecurityManager3 implementation, but without any success.
From my understanding this plugin should be defined in bootstrap.xml, but unfortunately I found no way to replace the jaas-security tag with another one pointing to my configuration DTO (the XSD doesn’t provide an alternative tag to jaas-security).

Anyway, just to be sure that the ActiveMQSecurityManager3 API could fit my needs: is the method validateUserAndRole called before every publish/subscribe?


Re: Artemis - Implement ACL programmatically

wei yang
Yes, it would check every time a client publishes a message or subscribes
to an address.

From my understanding, SecuritySettingPlugin should meet your requirements.
You can save the "securityRepository" passed by "SecuritySettingPlugin::
setSecurityRepository" in your custom SecuritySettingPlugin. When you
receive a notification that a user is added/removed, you can call
securityRepository::addMatch/removeMatch/swap to change the ACL for the
matching address.


Re: Artemis - Implement ACL programmatically

Modanese, Riccardo
Hi, unfortunately I cannot rely on a security repository, and there could be thousands of users and ACL profiles.

My idea is to replace the ActiveMQJAASSecurityManager with my own custom ActiveMQSecurityManager implementation.
But I didn’t find a way.
It seems that there is no other way than specifying a jaas-security tag in the bootstrap.xml configuration file (<jaas-security domain="activemq"/>).
If I remove the tag, or I try to change the DTO instance (with the appropriate annotation in the new DTO file itself), I get an XML schema validation error.
From my attempts there is no way to remove the jaas-security tag.

In a few words, what I’d like to achieve is to let Artemis instantiate and use a custom ActiveMQSecurityManager provided through a configuration parameter.
Is there a way, or must I patch the Artemis code to make the ActiveMQSecurityManager pluggable?
