[
https://issues.apache.org/jira/browse/FALCON-230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13877445#comment-13877445
]
Jean-Baptiste Onofré commented on FALCON-230:
---------------------------------------------
On this topic, I propose two parts:
1/ Securing the transport
Currently, we use OpenWire directly, bound to all network interfaces. Using the
embedded broker, the user can only define the port number, not the protocol
(hardcoded to tcp), not the network interface (hardcoded to 0.0.0.0 so all
interfaces).
I propose to let the user define the transport connector URL.
Thanks to that, it would be possible:
- to bind to a given network interface (for instance localhost or a specific
interface IP)
- to use OpenWire over SSL (using a transport like ssl://0.0.0.0:61616 instead of
tcp). In conf/falcon-env.sh, the user can define his keystore (using
-Djavax.net.ssl.keyStore=/path/to/falcon.ks
-Djavax.net.ssl.keyStorePassword=password). The messaging interface in the
cluster entity should use properties to contain the keystore in order to correctly
create the connection factory.
- eventually, to define clientAuth (using a transport like
ssl://localhost:61616?transport.needClientAuth=true) and provide a
keystore/truststore
I'm preparing a patch for that, including an update to the documentation.
2/ Add authentication support
On the other hand, we can force the authentication to use a broker. It means
that the messaging interface in the cluster entity should use properties like
principal/credential to use username/password when creating the connection
factory.
On the embedded broker side, if the user provides a system property like
falcon.embeddedmq.authentication=true, we can look up a
conf/users.properties file to create the ActiveMQ JAAS plugin and use it in the
broker service.
I'm preparing another patch for that (including a documentation update too).
The two topics are isolated (a user can do both, or only secure transport, or
only force authentication).
> Secure activemq topics
> ----------------------
>
> Key: FALCON-230
> URL: https://issues.apache.org/jira/browse/FALCON-230
> Project: Falcon
> Issue Type: Sub-task
> Reporter: Venkatesh Seetharam
> Assignee: Jean-Baptiste Onofré
>
> I'm leaving it here for the sake of completeness. Topics might need
> authorization and not sure how to do it.
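The two parts of the proposal above, sketched as an added example against the ActiveMQ 5.x API; this is not code from the Falcon patch or from the commenter. The property falcon.embeddedmq.connector.url, the JAAS entry name "falcon-mq", the class and method names, and the refusal of plaintext connectors on non-loopback addresses are assumptions of the example.

```java
import java.net.InetAddress;
import java.net.URI;
import org.apache.activemq.ActiveMQSslConnectionFactory;
import org.apache.activemq.broker.BrokerPlugin;
import org.apache.activemq.broker.BrokerService;
import org.apache.activemq.security.JaasAuthenticationPlugin;

public class SecureEmbeddedBroker {
    // Hypothetical property name for the user-defined connector URL (not on the page).
    static final String URL_PROP = "falcon.embeddedmq.connector.url";
    // Property name as proposed in the comment.
    static final String AUTH_PROP = "falcon.embeddedmq.authentication";

    // Broker side: keystore and truststore come from the JVM-wide
    // javax.net.ssl.* system properties (set in conf/falcon-env.sh).
    static BrokerService buildBroker() throws Exception {
        String url = System.getProperty(URL_PROP,
                "ssl://127.0.0.1:61616?transport.needClientAuth=true");
        URI uri = new URI(url);
        String host = uri.getHost();
        boolean loopback = host != null && InetAddress.getByName(host).isLoopbackAddress();
        // Example policy (an assumption): plaintext is accepted on loopback only.
        if (!"ssl".equals(uri.getScheme()) && !loopback) {
            throw new IllegalArgumentException("plaintext connector off loopback: " + url);
        }
        BrokerService broker = new BrokerService();
        broker.setPersistent(false);
        broker.addConnector(url);
        if (Boolean.getBoolean(AUTH_PROP)) {
            // "falcon-mq" is an assumed login.config entry that uses
            // org.apache.activemq.jaas.PropertiesLoginModule over users.properties.
            JaasAuthenticationPlugin jaas = new JaasAuthenticationPlugin();
            jaas.setConfiguration("falcon-mq");
            broker.setPlugins(new BrokerPlugin[] { jaas });
        }
        return broker;
    }

    // Client side: truststore plus principal/credential, as the messaging
    // interface properties would supply them. With needClientAuth=true the
    // client also needs setKeyStore/setKeyStorePassword.
    static ActiveMQSslConnectionFactory buildClient(String url, String user, String pass,
            String trustStore, String trustPass) throws Exception {
        ActiveMQSslConnectionFactory cf = new ActiveMQSslConnectionFactory(url);
        cf.setTrustStore(trustStore);
        cf.setTrustStorePassword(trustPass);
        cf.setUserName(user);
        cf.setPassword(pass);
        return cf;
    }

    public static void main(String[] args) throws Exception { buildBroker().start(); }
}
```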