where is a producer authorized for writing to a virtual destination?


where is a producer authorized for writing to a virtual destination?

Vince Cole
I am running ActiveMQ 5.14.0, with all of the following:
* the JAAS plugin - for user authentication on connection
* a custom plugin - similar to authorizationPlugin - for user authorization on connection per destination
* Selectors, defined in the broker config, as per http://activemq.apache.org/virtual-destinations.html ("Using filtered destinations").

Having tested it, I see that when a producer sends a message to a virtual destination (the 'ingest' queue) on the broker which is configured with Selectors to forward a copy of the message to one or more 'destination' queues, ActiveMQ first checks that the producer has write permission on the ingest queue but it does NOT check if the producer has write permission on any of the destination queues.

I can't figure out where in the ActiveMQ codebase to look at the code, to work out if / how it would be possible to enable this extra checking.

I have looked at CompositeDestinationFilter::send - I see that ActiveMQ iterates over the set of destinations for which the Selectors are matched on an incoming message, and sends a copy of the message to each one - but I can't see where, outside of this class, ActiveMQ makes a decision to check for write permissions on the ingest queue, but NOT on any of the destination queues.

Can anyone shed any light on this please?
I am hoping that a VirtualDestinationInterceptors config setting somewhere can be changed to enable the destination checks, otherwise I am going to have to write my own CompositeDestinationFilter?

Re: where is a producer authorized for writing to a virtual destination?

Vince Cole
The closest I have got so far to answering this myself is looking at AuthorizationBroker::addProducer, where allowedACLs is determined via authorizationMap.getWriteACLs(info.getDestination());

...but I am still none the wiser as to why this is only being called for the ingest queue and not on any of the destination queues. I can't see where it is (not) being called from...?

Re: where is a producer authorized for writing to a virtual destination?

Vince Cole
Am I right in thinking that there needs to be another instance of the AuthorizationBroker added into the interceptor chain, in such a manner as to make ActiveMQ call it on the call to 'send' upon each of the destination queues?

Does anyone know if / how such a thing can be done?

I know how to write a plugin, but the framework around them, which loads them in and calls them, is still a mystery to me...

Re: where is a producer authorized for writing to a virtual destination?

Vince Cole
OK, answering my own question here, in case anyone finds it useful:

The Broker instance which is used for the 'destination' queues is a RegionBroker, which is created in BrokerService::createRegionBroker, and that doesn't have any interceptors added to it (e.g. AuthorizationBroker::send).

This is because the call to createRegionBroker happens like this (in BrokerService.java line 2304):

protected Broker createBroker() throws Exception {
    regionBroker = createRegionBroker();
    Broker broker = addInterceptors(regionBroker);
...

So, what I think is happening here is that broker will have interceptors added to it, but regionBroker will not.

So, the only way to fix this is to use a custom plugin. There isn't any config change possible which would cause the AuthorizationBroker plugin to be added to the interceptor chain for the regionBroker.
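An added example, not code from this thread or from ActiveMQ, of the custom-plugin approach the last post lands on: a BrokerPlugin that, from the interceptor chain, checks the producer's write ACLs against every forwardTo target of the composite destination it sent to, so the fan-out targets get the check the RegionBroker skips. The class and method names are hypothetical; it assumes the plugin is handed the same AuthorizationMap the authorizationPlugin uses, checks all configured targets rather than only those whose selector matches (the conservative choice), and matches composite names by exact physical name (wildcard names are not handled).

```java
// Added example (not from the thread or from ActiveMQ): a BrokerPlugin that also checks the
// producer's write ACLs on every forwardTo target of the composite destination it sent to.
// Names are hypothetical; all configured targets are checked, not only selector matches.
import java.util.*;
import org.apache.activemq.broker.*;
import org.apache.activemq.broker.region.DestinationInterceptor;
import org.apache.activemq.broker.region.virtual.*;
import org.apache.activemq.command.*;
import org.apache.activemq.security.*;

public class ForwardTargetAuthorizationPlugin implements BrokerPlugin {
    private final AuthorizationMap authorizationMap;   // same map the authorizationPlugin uses
    public ForwardTargetAuthorizationPlugin(AuthorizationMap map) { this.authorizationMap = map; }

    @Override
    public Broker installPlugin(Broker broker) {
        return new BrokerFilter(broker) {
            @Override
            public void send(ProducerBrokerExchange exchange, Message msg) throws Exception {
                SecurityContext ctx = exchange.getConnectionContext().getSecurityContext();
                if (ctx != null && !ctx.isBrokerContext()) {   // broker-internal sends are not subject to ACLs
                    for (ActiveMQDestination target : forwardTargetsOf(msg.getDestination())) {
                        Set<?> allowed = authorizationMap.getWriteACLs(target);
                        if (allowed != null && !ctx.isInOneOf(allowed)) {
                            throw new SecurityException("User " + ctx.getUserName() + " is not authorized to write to forward target " + target);
                        }
                    }
                }
                next.send(exchange, msg);   // AuthorizationBroker still checks the ingest queue itself
            }

            // forwardTo targets of the composite destination whose name equals the send destination
            private List<ActiveMQDestination> forwardTargetsOf(ActiveMQDestination dest) {
                List<ActiveMQDestination> out = new ArrayList<>();
                for (DestinationInterceptor di : getBrokerService().getDestinationInterceptors()) {
                    if (!(di instanceof VirtualDestinationInterceptor)) continue;
                    for (VirtualDestination vd : ((VirtualDestinationInterceptor) di).getVirtualDestinations()) {
                        if (!(vd instanceof CompositeDestination)) continue;
                        CompositeDestination cd = (CompositeDestination) vd;
                        if (!cd.getName().equals(dest.getPhysicalName())) continue;
                        for (Object fwd : cd.getForwardTo()) {   // raw Collection in 5.x
                            if (fwd instanceof FilteredDestination) out.add(((FilteredDestination) fwd).getDestination());
                            else if (fwd instanceof ActiveMQDestination) out.add((ActiveMQDestination) fwd);
                        }
                    }
                }
                return out;
            }
        };
    }
}
```

Register it in the broker's plugins element next to the authorizationPlugin, passing it the same authorizationMap bean; a producer lacking write permission on any forward target is then rejected at the ingest queue instead of having its copies fanned out unchecked.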