Fully programmatic authorization map


Fully programmatic authorization map

Jim Lloyd
I'd like to implement an authorization plugin that would allow me to
implement a fully automatic authorization policy. Here's an outline of what
I want:

We have a broker that is a hub in a hub & spoke topology network of brokers.
All connections to this hub broker are via SSL and the hub broker requires SSL
client authentication. We require the client certificates to always be of a
form where the Common Name (CN) of the certificate defines the user. So, for
example, if we instead used a jaas.TextFileCertificateLoginModule the
user.properties file would look like this:

user1=CN=user1,O=Silver Tail Systems,ST=California,C=US
userFoo=CN=userFoo,O=Silver Tail Systems,ST=California,C=US
...
userZeta=CN=userZeta,O=Silver Tail Systems,ST=California,C=US

Meanwhile, the AuthorizationMap we want would look something like this:

<authorizationPlugin>
  <map>
    <authorizationMap>
      <authorizationEntries>
        <authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
        <authorizationEntry topic="user1.>" read="user1" write="user1" admin="user1" />
        <authorizationEntry topic="userFoo.>" read="userFoo" write="userFoo" admin="userFoo" />
        ...
        <authorizationEntry topic="userZeta.>" read="userZeta" write="userZeta" admin="userZeta" />
        <authorizationEntry topic="ActiveMQ.Advisory.>" read="all" write="all" admin="all" />
      </authorizationEntries>
    </authorizationMap>
  </map>
</authorizationPlugin>

If we use jaas.TextFileCertificateLoginModule, we have to update the
users.properties, groups.properties file and the authorizationMap in the
activemq.xml file every time we add a user. We can automate this with
scripting, but a more elegant solution would be to write our own plugin(s)
to implement this policy. I'm in the process of scoping this effort, and so
far I haven't found anything other than javadocs on the various classes to
guide me. Can anyone provide a high level outline of how I would implement
this?

Thanks,
Jim Lloyd
Silver Tail Systems

Re: Fully programmatic authorization map

dejanb
Hi Jim,

the best way is to look at the source code of the current plugin
implementation.

You can find it in org.apache.activemq.security package.

For a quick preview, you can use this URL:

http://fisheye6.atlassian.com/browse/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security

Cheers
--
Dejan Bosanac - http://twitter.com/dejanb

Open Source Integration - http://fusesource.com/
ActiveMQ in Action - http://www.manning.com/snyder/
Blog - http://www.nighttale.net


On Wed, May 19, 2010 at 2:33 PM, Jim Lloyd <[hidden email]> wrote:

Re: Fully programmatic authorization map

James Casey-2
Hi Jim,

What Dejan has pointed you at is the classes that have all the various
plugin methods for doing Auth in ActiveMQ by inserting a Broker object
into the chain which is called during a connection.  It would be
possible to write a custom Broker subclass here that does what you
want, but I think it would be easier inside JAAS.

What I'd suggest is you use the standard
JaasCertificateAuthenticationPlugin and do the work in a JAAS plugin.

The JAAS plugins are in
http://fisheye6.atlassian.com/browse/activemq/trunk/activemq-jaas/src/main/java/org/apache/activemq/jaas.

I would suggest to create a subclass of CertificateLoginModule and
override the getUserNameForCertificate method to extract and return
the CN.  If you look at TextFileCertificateLoginModule.java you can
see the logic it uses to extract the DN and match against entries in
the file - you would just need to write a simpler version which just
pulls out the CN from the client DN. Then you hook it into ActiveMQ
via a login.config file pointing at your custom class.

Let me know if this makes sense or if you need any more info.

cheers,

James.


On 20 May 2010 12:14, Dejan Bosanac <[hidden email]> wrote:

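Added example (not code from this thread or from ActiveMQ itself) of the login module James describes: it subclasses activemq-jaas's CertificateLoginModule and overrides its two abstract methods, getUserNameForCertificates and getUserGroups, with the names as I recall them from the 5.x source (James's message spells the first without the trailing s; check against the version in use). The class name, package, login.config entry name and the admin CN list are assumptions; the DN is parsed with LdapName rather than by searching the string for "CN=", so an attribute value that happens to contain "CN=" cannot be mistaken for the subject's CN.

```java
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.login.LoginException;

import org.apache.activemq.jaas.CertificateLoginModule;

/**
 * JAAS login module that names the user after the CN of the client
 * certificate's subject and puts every user into a group of the same name,
 * so an authorization map can key on that group without per-user config.
 *
 * Hypothetical login.config entry (the broker's
 * JaasCertificateAuthenticationPlugin is pointed at it by name):
 *
 *   CertCN {
 *       com.example.CnCertificateLoginModule required;
 *   };
 */
public class CnCertificateLoginModule extends CertificateLoginModule {

    // Constructed placeholder: CNs that additionally get the "admins" group.
    private static final Set<String> ADMIN_USERS =
        new HashSet<String>(Arrays.asList("hub-admin"));

    @Override
    protected String getUserNameForCertificates(final X509Certificate[] certs)
            throws LoginException {
        if (certs == null || certs.length == 0) {
            throw new LoginException("No client certificate presented; cannot authenticate.");
        }
        // certs[0] is the end-entity certificate the SSL transport already verified
        // against the broker's trust store; only its subject is used here.
        String dn = certs[0].getSubjectX500Principal().getName();
        String cn = extractCn(dn);
        if (cn == null || cn.isEmpty()) {
            throw new LoginException("Client certificate subject has no CN: " + dn);
        }
        return cn;
    }

    @Override
    protected Set<String> getUserGroups(final String username) throws LoginException {
        Set<String> groups = new HashSet<String>();
        groups.add(username);               // "userFoo" is the group that owns userFoo.>
        if (ADMIN_USERS.contains(username)) {
            groups.add("admins");
        }
        return groups;
    }

    /**
     * Returns the CN nearest the leaf of the DN (leftmost in RFC 2253 order),
     * or null if the subject has no CN. Multi-valued RDNs are handled because
     * the lookup goes through the RDN's attribute view.
     */
    static String extractCn(String dn) throws LoginException {
        try {
            List<Rdn> rdns = new LdapName(dn).getRdns();
            // getRdns() is indexed from the root (e.g. C=US) to the leaf, so walk backwards.
            for (int i = rdns.size() - 1; i >= 0; i--) {
                Attribute cn = rdns.get(i).toAttributes().get("CN");
                if (cn != null) {
                    return String.valueOf(cn.get());
                }
            }
            return null;
        } catch (NamingException e) {      // InvalidNameException is a subclass
            throw new LoginException("Malformed client certificate subject: " + dn);
        }
    }
}
```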

Re: Fully programmatic authorization map

dejanb
Hi James,

thanks for adding this info. I totally forgot to mention activemq-jaas.

Cheers
--
Dejan Bosanac - http://twitter.com/dejanb

Open Source Integration - http://fusesource.com/
ActiveMQ in Action - http://www.manning.com/snyder/
Blog - http://www.nighttale.net


On Thu, May 20, 2010 at 8:34 AM, James Casey <[hidden email]> wrote:


Re: Fully programmatic authorization map

Jim Lloyd
Dejan and James,

I'm looking at the JAAS plugins now and yes this approach for deriving the
user and group from a certificate looks pretty clear, and this will save me
a lot of time. Thanks!

Can either of you give me similar guidance for how I would do the
AuthorizationMap piece? It looks like I can simply implement
AuthorizationMap, but the return type of Set<?> for the methods seems highly
under-constrained. The comments say that the methods return ACLs, but it's
not obvious to me what forms the ACLs take. Looking at
SimpleAuthorizationMap, I see that it is primarily delegating to
DestinationMap, but DestinationMap (and its helpers DestinationMapNode,
DestinationMapEntry) is just complex enough that I haven't been able to
figure it out from just browsing the code. I have a hunch that one of you
can give me some quick pointers here that will also save me a lot of time.

Thanks,
Jim


On Thu, May 20, 2010 at 6:13 AM, Dejan Bosanac <[hidden email]> wrote:


Re: Fully programmatic authorization map

Jim Newsham-2

I'm running activemq embedded within our app, and configuring it
programmatically (rather than using xml files).  Here is how I configure
the authorization plugin.  I had to look at some of the source to figure
this stuff out, as I unfortunately couldn't find it documented
anywhere.  Hopefully this pertains to what you are trying to do:

import java.util.Arrays;

import org.apache.activemq.security.AuthorizationEntry;
import org.apache.activemq.security.AuthorizationMap;
import org.apache.activemq.security.AuthorizationPlugin;
import org.apache.activemq.security.DefaultAuthorizationMap;

        // Built once at startup; the plugin is then added to the embedded
        // broker's plugin list.
        AuthorizationMap authMap = new DefaultAuthorizationMap(Arrays.asList(
            // catch-all entry with no roles at all
            makeAuthorization(">", "", "", ""),
            makeQueueAuthorization("proto.chat.request", "servers", "clients", "servers"),
            makeTopicAuthorization("proto.chat.message", "clients", "servers", "servers"),
            makeQueueAuthorization("rpc.request.>", "servers", "clients", "clients,servers"),
            makeTopicAuthorization("ActiveMQ.Advisory.>",
                "clients,servers", "clients,servers", "clients,servers")
        ));
        AuthorizationPlugin authPlugin = new AuthorizationPlugin(authMap);

    private static AuthorizationEntry makeTopicAuthorization(String topicName,
        String readRoles, String writeRoles, String adminRoles) throws Exception {
      return makeAuthorization(topicName, null, readRoles, writeRoles, adminRoles);
    }

    private static AuthorizationEntry makeQueueAuthorization(String queueName,
        String readRoles, String writeRoles, String adminRoles) throws Exception {
      return makeAuthorization(null, queueName, readRoles, writeRoles, adminRoles);
    }

    // Caution: DestinationMapEntry holds a single destination, so the setQueue()
    // call made for this overload overwrites the topic set just before it and
    // the result is a queue-only entry. A pattern that should cover both kinds
    // (the ">" catch-all above included) needs one topic entry and one queue entry.
    private static AuthorizationEntry makeAuthorization(String destinationName,
        String readRoles, String writeRoles, String adminRoles) throws Exception {
      return makeAuthorization(destinationName, destinationName,
          readRoles, writeRoles, adminRoles);
    }

    private static AuthorizationEntry makeAuthorization(String topicName,
        String queueName, String readRoles, String writeRoles, String adminRoles)
        throws Exception {
      AuthorizationEntry auth = new AuthorizationEntry();
      if (topicName != null) {
        auth.setTopic(topicName);
      }
      if (queueName != null) {
        auth.setQueue(queueName);
      }
      // the role setters parse comma-separated group names, hence "throws Exception"
      if (readRoles != null) {
        auth.setRead(readRoles);
      }
      if (writeRoles != null) {
        auth.setWrite(writeRoles);
      }
      if (adminRoles != null) {
        auth.setAdmin(adminRoles);
      }
      return auth;
    }

Jim

On 5/20/2010 6:21 AM, Jim Lloyd wrote:



Re: Fully programmatic authorization map

Jim Lloyd
Jim Newsham,

Thanks for sharing the code. Unfortunately I don't think I can use this
method, for a couple of reasons. The first is we only want auth & auth between
brokers and our client code is all C++. The second is that we need to
automatically accept new users (authenticated by their client certificates)
for a potentially unlimited number of users. The authorization code can't
know in advance what the user names will be (other than the admin users),
but given a user name and a topic it can specify whether the user is
authorized to use the topic. So, I think I will need broker plugins for both
authentication and authorization.

Thanks,
Jim Lloyd

On Thu, May 20, 2010 at 1:42 PM, Jim Newsham <[hidden email]> wrote:

>
> I'm running activemq embedded within our app, and configuring it
> programmatically (rather than using xml files).  Here is how I configure the
> authorization plugin.  I had to look at some of the source to figure this
> stuff out, as I unfortunately couldn't find it documented anywhere.
>  Hopefully this pertains to what you are trying to do:
>
>        AuthorizationMap authMap = new
> DefaultAuthorizationMap(Arrays.asList(
>          makeAuthorization(">", "", "", ""),
>          makeQueueAuthorization("proto.chat.request", "servers", "clients",
> "servers"),
>          makeTopicAuthorization("proto.chat.message", "clients", "servers",
> "servers"),
>          makeQueueAuthorization("rpc.request.>", "servers", "clients",
> "clients,servers"),
>          makeTopicAuthorization("ActiveMQ.Advisory.>", "clients,servers",
> "clients,servers", "clients,servers")
>          ));
>        AuthorizationPlugin authPlugin = new AuthorizationPlugin(authMap);
>
>
>  private static AuthorizationEntry makeTopicAuthorization(String topicName,
> String readRoles,
>    String writeRoles, String adminRoles) throws Exception {
>    return makeAuthorization(topicName, null, readRoles, writeRoles,
> adminRoles);
>  }
>
>  private static AuthorizationEntry makeQueueAuthorization(String queueName,
> String readRoles,
>    String writeRoles, String adminRoles) throws Exception {
>    return makeAuthorization(null, queueName, readRoles, writeRoles,
> adminRoles);
>  }
>
>  private static AuthorizationEntry makeAuthorization(String
> destinationName, String readRoles,
>    String writeRoles, String adminRoles) throws Exception {
>    return makeAuthorization(destinationName, destinationName, readRoles,
> writeRoles, adminRoles);
>  }
>
>  private static AuthorizationEntry makeAuthorization(String topicName,
> String queueName,
>    String readRoles, String writeRoles, String adminRoles) throws Exception
> {
>    AuthorizationEntry auth = new AuthorizationEntry();
>    if (topicName != null) {
>      auth.setTopic(topicName);
>    }
>    if (queueName != null) {
>      auth.setQueue(queueName);
>    }
>    if (readRoles != null) {
>      auth.setRead(readRoles);
>    }
>    if (writeRoles != null) {
>      auth.setWrite(writeRoles);
>    }
>    if (adminRoles != null) {
>      auth.setAdmin(adminRoles);
>    }
>    return auth;
>  }
>
> Jim
>
>
> On 5/20/2010 6:21 AM, Jim Lloyd wrote:
>
>> Dejan and James,
>>
>> I'm looking at the JAAS plugins now and yes this approach for deriving the
>> user and group from a certificate looks pretty clear, and this will save
>> me
>> a lot of time. Thanks!
>>
>> Can either of you give me a similar guidance for how I would do the
>> AuthorizationMap piece? It looks like I can simply implement
>> AuthorizationMap, but the return type of Set<?>  for the methods seems
>> highly
>> under-constrained. The comments say that the methods return ACLs, but its
>> not obvious to me what forms the ACLs take. Looking at
>> SimpleAuthorizationMap, I see that it is primarily delegating to
>> DestinationMap, but DestinationMap (and its helper DestinationMapNode,
>> DestinationMapEntry) is just complex enough that I haven't been able to
>> figure it out from just browsing the code. I have a hunch that one of you
>> can give me some quick pointers here that will also save me a lot of time.
>>
>> Thanks,
>> Jim
>>
>>
>> On Thu, May 20, 2010 at 6:13 AM, Dejan Bosanac<[hidden email]>
>>  wrote:
>>
>>
>>
>>> Hi James,
>>>
>>> thanks for adding this info. I totally forgot to mention activemq-jaas.
>>>
>>> Cheers
>>> --
>>> Dejan Bosanac - http://twitter.com/dejanb
>>>
>>> Open Source Integration - http://fusesource.com/
>>> ActiveMQ in Action - http://www.manning.com/snyder/
>>> Blog - http://www.nighttale.net
>>>
>>>
>>> On Thu, May 20, 2010 at 8:34 AM, James Casey<[hidden email]>
>>>  wrote:
>>>
>>>
>>>
>>>> Hi Jim,
>>>>
>>>> What Dejan has pointed you at is the classes that have all the various
>>>> plugin methods for doing Auth in ActiveMQ by inserting a Broker object
>>>> into the chain which is called during a connection.  It would be
>>>> possible to write a custom Broker subclass here that does what you
>>>> want, but I think it would be easier inside JAAS.
>>>>
>>>> What I'd suggest is you use the standard
>>>> JaasCertificateAuthenticationPlugin and do the work in a JAAS plugin.
>>>>
>>>> The JAAS plugins are in
>>>> http://fisheye6.atlassian.com/browse/activemq/trunk/activemq-jaas/src/main/java/org/apache/activemq/jaas
>>>> .
>>>>
>>>> I would suggest to create a subclass of CertificateLoginModule and
>>>> override the getUserNameForCertificate method to extract and return
>>>> the CN.  If you look at TextFileCertificateLoginModule.java you can
>>>> see the logic it uses to extract the DN and match against entries in
>>>> the file - you would just need to write a simpler version which just
>>>> pulls out the CN from the client DN. Then you hook it into ActiveMQ
>>>> via a login.config file pointing at your custom class.
>>>>
>>>> Let me know if this makes sense or if you need any more info.
>>>>
>>>> cheers,
>>>>
>>>> James.
>>>>
>>>>
>>>> On 20 May 2010 12:14, Dejan Bosanac<[hidden email]>  wrote:
>>>>
>>>>
>>>>> Hi Jim,
>>>>>
>>>>> the best way is to look at the source code of the current plugin
>>>>> implementation.
>>>>>
>>>>> You can find it in org.apache.activemq.security package.
>>>>>
>>>>> For a quick preview, you can use this URL:
>>>>> http://fisheye6.atlassian.com/browse/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security
>>>>>
>>>>> Cheers
>>>>> --
>>>>> Dejan Bosanac - http://twitter.com/dejanb
>>>>>
>>>>> Open Source Integration - http://fusesource.com/
>>>>> ActiveMQ in Action - http://www.manning.com/snyder/
>>>>> Blog - http://www.nighttale.net
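One way to do what James suggests above, as an added example rather than code from the thread or from ActiveMQ: a CertificateLoginModule subclass that takes the user name from the client certificate's CN and makes that name the user's only group, so an authorization entry for "<cn>.>" can simply be granted to group "<cn>". The package name is hypothetical, and the overridden method names (getUserNameForCertificates, getUserGroups, getDistinguishedName) are those of the activemq-jaas CertificateLoginModule in the 5.x line, so check them against the version you build against.

```java
package example.jaas; // hypothetical package, not part of ActiveMQ
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.apache.activemq.jaas.CertificateLoginModule;

/** User name = certificate CN; group = the same name, so "<cn>.>" entries can be granted to group "<cn>". */
public class CnCertificateLoginModule extends CertificateLoginModule {

    @Override
    protected String getUserNameForCertificates(final X509Certificate[] certs) throws LoginException {
        String dn = getDistinguishedName(certs);   // inherited helper: subject DN of certs[0], or null
        if (dn == null) {
            throw new FailedLoginException("No client certificate presented");
        }
        return commonNameOf(dn);
    }

    @Override
    protected Set<String> getUserGroups(final String username) throws LoginException {
        return Collections.singleton(username);    // group name == user name == CN
    }

    /** Parses the DN with LdapName (escaped commas are handled) and requires exactly one CN. */
    static String commonNameOf(String dn) throws LoginException {
        String cn = null;
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if (!"CN".equalsIgnoreCase(rdn.getType())) continue;
                if (cn != null) throw new FailedLoginException("More than one CN in " + dn);
                cn = rdn.getValue().toString();
            }
        } catch (InvalidNameException e) {
            throw new FailedLoginException("Unparseable subject DN: " + dn);
        }
        // The CN becomes a destination prefix, so only accept names that cannot change how
        // "<cn>.>" matches: no dots, no ',' and none of the wildcard characters '*' and '>'.
        if (cn == null || !cn.matches("[A-Za-z0-9_-]+")) {
            throw new FailedLoginException("CN missing or not usable as a user name: " + dn);
        }
        return cn;
    }
}
```

The module is hooked in through login.config, exactly as James describes, in place of TextFileCertificateLoginModule.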
Re: Fully programmatic authorization map

dejanb
In reply to this post by Jim Lloyd
Hi Jim,

It can be a set of any objects you need. The only thing is that they can be
matched using the equals() method. Take a look at the SecurityContext.isInOneOf()
method, which is used for authorization purposes. For example,
JaasSecurityContext deals with Subject objects set by
JaasAuthenticationBroker.addConnection().

Hope this helps

Cheers
--
Dejan Bosanac - http://twitter.com/dejanb

Open Source Integration - http://fusesource.com/
ActiveMQ in Action - http://www.manning.com/snyder/
Blog - http://www.nighttale.net


On Thu, May 20, 2010 at 12:21 PM, Jim Lloyd <[hidden email]> wrote:

> Dejan and James,
>
> I'm looking at the JAAS plugins now and yes this approach for deriving the
> user and group from a certificate looks pretty clear, and this will save me
> a lot of time. Thanks!
>
> Can either of you give me a similar guidance for how I would do the
> AuthorizationMap piece? It looks like I can simply implement
> AuthorizationMap, but the return type of Set<?> for the methods seems
> highly
> under-constrained. The comments say that the methods return ACLs, but it's
> not obvious to me what forms the ACLs take. Looking at
> SimpleAuthorizationMap, I see that it is primarily delegating to
> DestinationMap, but DestinationMap (and its helper DestinationMapNode,
> DestinationMapEntry) is just complex enough that I haven't been able to
> figure it out from just browsing the code. I have a hunch that one of you
> can give me some quick pointers here that will also save me a lot of time.
>
> Thanks,
> Jim
>
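An added example of the programmatic AuthorizationMap Jim is after (not code from the thread or from ActiveMQ), written against the Set<?> signature discussed here: the returned sets hold GroupPrincipal objects, which SecurityContext.isInOneOf() compares by equals() and hashCode() with the principals the login module attached to the connection, so a client whose certificate CN is "user1" (and who is therefore in group "user1") gets on "user1.>" exactly what the XML map above granted. The package name and the group names "admins" and "all" are assumptions.

```java
package example.security; // hypothetical package, not part of ActiveMQ
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import org.apache.activemq.command.ActiveMQDestination;
import org.apache.activemq.jaas.GroupPrincipal;
import org.apache.activemq.security.AuthorizationMap;

/** Equivalent of the XML map in this thread, computed from the destination name. */
public class PrefixAuthorizationMap implements AuthorizationMap {

    private static final GroupPrincipal ADMINS = new GroupPrincipal("admins"); // assumed group name
    private static final GroupPrincipal ALL = new GroupPrincipal("all");       // assumed group name

    /** Owner group for "owner.rest"; null when there is no dot, so only admins qualify. */
    static String ownerOf(String physicalName) {
        int dot = physicalName.indexOf('.');
        return dot <= 0 ? null : physicalName.substring(0, dot);
    }

    /** Members are GroupPrincipals: SecurityContext.isInOneOf() matches them by equals()/hashCode(). */
    static Set<Object> aclsFor(ActiveMQDestination dest) {
        if (dest.isComposite()) {
            // "a.x,b.y" must be permitted on every component, so intersect the component ACLs.
            Set<Object> acl = null;
            for (ActiveMQDestination part : dest.getCompositeDestinations()) {
                Set<Object> partAcl = aclsFor(part);
                if (acl == null) { acl = partAcl; } else { acl.retainAll(partAcl); }
            }
            return acl == null ? Collections.<Object>emptySet() : acl;
        }
        String name = dest.getPhysicalName();
        Set<Object> acl = new HashSet<Object>();
        acl.add(ADMINS);                                   // the topic=">" entry
        if (name.startsWith("ActiveMQ.Advisory.")) {
            acl.add(ALL);                                  // the advisory entry
        } else if (ownerOf(name) != null) {
            acl.add(new GroupPrincipal(ownerOf(name)));    // the "<cn>.>" entry
        }
        return acl;
    }

    public Set<?> getReadACLs(ActiveMQDestination d)  { return aclsFor(d); }
    public Set<?> getWriteACLs(ActiveMQDestination d) { return aclsFor(d); }
    public Set<?> getAdminACLs(ActiveMQDestination d) { return aclsFor(d); }
    // Temporary destinations carry no client CN in their name, so leave them to admins.
    public Set<?> getTempDestinationReadACLs()  { return Collections.singleton(ADMINS); }
    public Set<?> getTempDestinationWriteACLs() { return Collections.singleton(ADMINS); }
    public Set<?> getTempDestinationAdminACLs() { return Collections.singleton(ADMINS); }
}
```

In activemq.xml it stands in for the <authorizationMap> element inside <map> (declared as a Spring <bean>), and it only holds up if the login module really maps each client's CN to a group of the same name.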