[jira] [Work logged] (ARTEMIS-4405) Incorrect username logging in AMQ601264 events
[ https://issues.apache.org/jira/browse/ARTEMIS-4405?focusedWorklogId=878748=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-878748 ]

ASF GitHub Bot logged work on ARTEMIS-4405:
---
Author: ASF GitHub Bot
Created on: 29/Aug/23 03:35
Start Date: 29/Aug/23 03:35
Worklog Time Spent: 10m
Work Description: jbertram opened a new pull request, #4594:
URL: https://github.com/apache/activemq-artemis/pull/4594

(no comment)

Issue Time Tracking
---
Worklog Id: (was: 878748)
Remaining Estimate: 0h
Time Spent: 10m

> Incorrect username logging in AMQ601264 events
> --
>
> Key: ARTEMIS-4405
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4405
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Affects Versions: 2.30.0
> Reporter: Aleksandr Milovidov
> Priority: Minor
> Time Spent: 10m
> Remaining Estimate: 0h
>
> We have ActiveMQ Artemis with audit logging turned on, and sometimes wrong username is logged when user gets an authorization error (audit log event AMQ601264). I have reproduced this issue when client uses STOMP to connect to the broker. In that case client username is always logged as anonymous, and source IP address seems to be correct.
>
> We have a lot of other audit log messages where different usernames are logged in single log event, but I cannot attach these logs because it contains sensitive information. I think this problem is not specific to STOMP clients because most our clients use core and openwire. I will try to reproduce it later.
>
> The problem is not specific to the current version of Artemis.
>
> Steps to reproduce (for STOMP client):
>
> 1. Create Artemis instance
>
> {{artemis create --user admin --password admin --require-login }}
>
> Edit {{artemis-roles.properties}} and {{artemis-users.properties}} to create some other user with password and non-admin role. For example, add string {{alice = alice}} to both files.
>
> Edit log4j2.properties to enable base audit logging:
> {code:java}
> logger.audit_base = INFO, audit_log_file{code}
>
> To connect to the broker with STOMP I have used python with Stompest library (it has to be installed using pip install stompest).
>
> Example STOMP producer python code (it does not handle authorization errors):
>
> {code:java}
> from stompest.config import StompConfig
> from stompest.protocol import StompSpec
> from stompest.sync import Stomp
>
> CONFIG = StompConfig("tcp://localhost:61613", login="alice", passcode="alice", version=StompSpec.VERSION_1_0)
> QUEUE = 'test.queue'
>
> client = Stomp(CONFIG)
> client.connect()
> client.send(QUEUE, 'Test message'.encode())
> client.disconnect()
> {code}
>
> Run this example code. Check broker audit.log. For example:
>
> {code:java}
> 2023-08-28 17:39:20,042 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601267: User alice(alice)@127.0.0.1:56685 is creating a core session on target resource ActiveMQServerImpl::name=0.0.0.0 with parameters: [ac22db0e-45b0-11ee-b333-005056abe8b9, alice, , 102400, org.apache.activemq.artemis.core.protocol.stomp.StompConnection@3313e538, true, false, false, false, null, org.apache.activemq.artemis.core.protocol.stomp.StompSession@2fc820ee, true, {}]
> 2023-08-28 17:39:20,081 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601262: User alice(alice)@127.0.0.1:56685 is creating address on target resource: ac22db0e-45b0-11ee-b333-005056abe8b9 with parameters: [Address [name=test.queue, id=0, routingTypes={MULTICAST}, autoCreated=false, paused=false, bindingRemovedTimestamp=-1, swept=false, createdTimestamp=1693233560081], true]
> 2023-08-28 17:39:20,116 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601264: User anonymous@127.0.0.1:56685 gets security check failure, reason = AMQ229032: User: alice does not have permission='CREATE_ADDRESS' on address test.queue
> org.apache.activemq.artemis.api.core.ActiveMQSecurityException: AMQ229032: User: alice does not have permission='CREATE_ADDRESS' on address test.queue
>     at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:305) [artemis-server-2.30.0.jar:2.30.0]
>     at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:227) [artemis-server-2.30.0.jar:2.30.0]
>     at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.securityCheck(ServerSessionImpl.java:503) [artemis-server-2.30.0.jar:2.30.0]
>     at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.createAddress(ServerSessionImpl.java:972) [artemis-server-2.30.0.jar:2.30.0]
>     at
[jira] [Assigned] (ARTEMIS-4405) Incorrect username logging in AMQ601264 events
[ https://issues.apache.org/jira/browse/ARTEMIS-4405?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Bertram reassigned ARTEMIS-4405:
---
Assignee: Justin Bertram

> Incorrect username logging in AMQ601264 events
> --
>
> Key: ARTEMIS-4405
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4405
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Affects Versions: 2.30.0
> Reporter: Aleksandr Milovidov
> Assignee: Justin Bertram
> Priority: Minor
> Time Spent: 10m
> Remaining Estimate: 0h
>
> We have ActiveMQ Artemis with audit logging turned on, and sometimes wrong username is logged when user gets an authorization error (audit log event AMQ601264). I have reproduced this issue when client uses STOMP to connect to the broker. In that case client username is always logged as anonymous, and source IP address seems to be correct.
>
> We have a lot of other audit log messages where different usernames are logged in single log event, but I cannot attach these logs because it contains sensitive information. I think this problem is not specific to STOMP clients because most our clients use core and openwire. I will try to reproduce it later.
>
> The problem is not specific to the current version of Artemis.
>
> Steps to reproduce (for STOMP client):
>
> 1. Create Artemis instance
>
> {{artemis create --user admin --password admin --require-login }}
>
> Edit {{artemis-roles.properties}} and {{artemis-users.properties}} to create some other user with password and non-admin role. For example, add string {{alice = alice}} to both files.
>
> Edit log4j2.properties to enable base audit logging:
> {code:java}
> logger.audit_base = INFO, audit_log_file{code}
>
> To connect to the broker with STOMP I have used python with Stompest library (it has to be installed using pip install stompest).
>
> Example STOMP producer python code (it does not handle authorization errors):
>
> {code:java}
> from stompest.config import StompConfig
> from stompest.protocol import StompSpec
> from stompest.sync import Stomp
>
> CONFIG = StompConfig("tcp://localhost:61613", login="alice", passcode="alice", version=StompSpec.VERSION_1_0)
> QUEUE = 'test.queue'
>
> client = Stomp(CONFIG)
> client.connect()
> client.send(QUEUE, 'Test message'.encode())
> client.disconnect()
> {code}
>
> Run this example code. Check broker audit.log. For example:
>
> {code:java}
> 2023-08-28 17:39:20,042 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601267: User alice(alice)@127.0.0.1:56685 is creating a core session on target resource ActiveMQServerImpl::name=0.0.0.0 with parameters: [ac22db0e-45b0-11ee-b333-005056abe8b9, alice, , 102400, org.apache.activemq.artemis.core.protocol.stomp.StompConnection@3313e538, true, false, false, false, null, org.apache.activemq.artemis.core.protocol.stomp.StompSession@2fc820ee, true, {}]
> 2023-08-28 17:39:20,081 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601262: User alice(alice)@127.0.0.1:56685 is creating address on target resource: ac22db0e-45b0-11ee-b333-005056abe8b9 with parameters: [Address [name=test.queue, id=0, routingTypes={MULTICAST}, autoCreated=false, paused=false, bindingRemovedTimestamp=-1, swept=false, createdTimestamp=1693233560081], true]
> 2023-08-28 17:39:20,116 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601264: User anonymous@127.0.0.1:56685 gets security check failure, reason = AMQ229032: User: alice does not have permission='CREATE_ADDRESS' on address test.queue
> org.apache.activemq.artemis.api.core.ActiveMQSecurityException: AMQ229032: User: alice does not have permission='CREATE_ADDRESS' on address test.queue
>     at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:305) [artemis-server-2.30.0.jar:2.30.0]
>     at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:227) [artemis-server-2.30.0.jar:2.30.0]
>     at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.securityCheck(ServerSessionImpl.java:503) [artemis-server-2.30.0.jar:2.30.0]
>     at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.createAddress(ServerSessionImpl.java:972) [artemis-server-2.30.0.jar:2.30.0]
>     at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.createAddress(ServerSessionImpl.java:962) [artemis-server-2.30.0.jar:2.30.0]
>     at org.apache.activemq.artemis.core.protocol.stomp.StompConnection.autoCreateDestinationIfPossible(StompConnection.java:184) [artemis-stomp-protocol-2.30.0.jar:2.30.0]
>     at org.apache.activemq.artemis.core.protocol.stomp.VersionedStompFrameHandler.onSend(VersionedStompFrameHandler.java:188) [artemis-stomp-protocol-2.30.0.jar:2.30.0]
[jira] [Work logged] (ARTEMIS-4349) Replace Guava cache with Caffeine
[ https://issues.apache.org/jira/browse/ARTEMIS-4349?focusedWorklogId=878676=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-878676 ]

ASF GitHub Bot logged work on ARTEMIS-4349:
---
Author: ASF GitHub Bot
Created on: 28/Aug/23 15:54
Start Date: 28/Aug/23 15:54
Worklog Time Spent: 10m
Work Description: gemmellr commented on PR #4584:
URL: https://github.com/apache/activemq-artemis/pull/4584#issuecomment-1695940099

> Fair enough, since the SecurityStoreImpl doesn't look to use any of the listener stuff so it probably isn't really much/any different.

Backed out the change to SecurityStoreImpl to leave it with the Caffeine default async behaviour now.

> The other usage does use it though, so I want to look into whether it's prepared to handle the new concurrency that could result from offloading to the FJ pool (though if not, it may also not be prepared to handle any existing concurrency that could occur already.)

Confirmed the other usage would not currently be safe for that (or the existing behaviour..we should address that separately before proceeding) so leaving that as is.

Issue Time Tracking
---
Worklog Id: (was: 878676)
Time Spent: 10h 10m (was: 10h)

> Replace Guava cache with Caffeine
> -
>
> Key: ARTEMIS-4349
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4349
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Affects Versions: 2.29.0
> Reporter: Alexey Markevich
> Priority: Major
> Time Spent: 10h 10m
> Remaining Estimate: 0h
>
> based on benchmark https://github.com/ben-manes/caffeine/wiki/Benchmarks

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (ARTEMIS-4405) Incorrect username logging in AMQ601264 events
[ https://issues.apache.org/jira/browse/ARTEMIS-4405?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aleksandr Milovidov updated ARTEMIS-4405:
-
Description:

We have ActiveMQ Artemis with audit logging turned on, and sometimes wrong username is logged when user gets an authorization error (audit log event AMQ601264). I have reproduced this issue when client uses STOMP to connect to the broker. In that case client username is always logged as anonymous, and source IP address seems to be correct.

We have a lot of other audit log messages where different usernames are logged in single log event, but I cannot attach these logs because it contains sensitive information. I think this problem is not specific to STOMP clients because most our clients use core and openwire. I will try to reproduce it later.

The problem is not specific to the current version of Artemis.

Steps to reproduce (for STOMP client):

1. Create Artemis instance

{{artemis create --user admin --password admin --require-login }}

Edit {{artemis-roles.properties}} and {{artemis-users.properties}} to create some other user with password and non-admin role. For example, add string {{alice = alice}} to both files.

Edit log4j2.properties to enable base audit logging:
{code:java}
logger.audit_base = INFO, audit_log_file{code}

To connect to the broker with STOMP I have used python with Stompest library (it has to be installed using pip install stompest).

Example STOMP producer python code (it does not handle authorization errors):

{code:java}
from stompest.config import StompConfig
from stompest.protocol import StompSpec
from stompest.sync import Stomp

CONFIG = StompConfig("tcp://localhost:61613", login="alice", passcode="alice", version=StompSpec.VERSION_1_0)
QUEUE = 'test.queue'

client = Stomp(CONFIG)
client.connect()
client.send(QUEUE, 'Test message'.encode())
client.disconnect()
{code}

Run this example code. Check broker audit.log. For example:

{code:java}
2023-08-28 17:39:20,042 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601267: User alice(alice)@127.0.0.1:56685 is creating a core session on target resource ActiveMQServerImpl::name=0.0.0.0 with parameters: [ac22db0e-45b0-11ee-b333-005056abe8b9, alice, , 102400, org.apache.activemq.artemis.core.protocol.stomp.StompConnection@3313e538, true, false, false, false, null, org.apache.activemq.artemis.core.protocol.stomp.StompSession@2fc820ee, true, {}]
2023-08-28 17:39:20,081 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601262: User alice(alice)@127.0.0.1:56685 is creating address on target resource: ac22db0e-45b0-11ee-b333-005056abe8b9 with parameters: [Address [name=test.queue, id=0, routingTypes={MULTICAST}, autoCreated=false, paused=false, bindingRemovedTimestamp=-1, swept=false, createdTimestamp=1693233560081], true]
2023-08-28 17:39:20,116 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601264: User anonymous@127.0.0.1:56685 gets security check failure, reason = AMQ229032: User: alice does not have permission='CREATE_ADDRESS' on address test.queue
org.apache.activemq.artemis.api.core.ActiveMQSecurityException: AMQ229032: User: alice does not have permission='CREATE_ADDRESS' on address test.queue
    at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:305) [artemis-server-2.30.0.jar:2.30.0]
    at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:227) [artemis-server-2.30.0.jar:2.30.0]
    at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.securityCheck(ServerSessionImpl.java:503) [artemis-server-2.30.0.jar:2.30.0]
    at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.createAddress(ServerSessionImpl.java:972) [artemis-server-2.30.0.jar:2.30.0]
    at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.createAddress(ServerSessionImpl.java:962) [artemis-server-2.30.0.jar:2.30.0]
    at org.apache.activemq.artemis.core.protocol.stomp.StompConnection.autoCreateDestinationIfPossible(StompConnection.java:184) [artemis-stomp-protocol-2.30.0.jar:2.30.0]
    at org.apache.activemq.artemis.core.protocol.stomp.VersionedStompFrameHandler.onSend(VersionedStompFrameHandler.java:188) [artemis-stomp-protocol-2.30.0.jar:2.30.0]
    at org.apache.activemq.artemis.core.protocol.stomp.VersionedStompFrameHandler.handleFrame(VersionedStompFrameHandler.java:87) [artemis-stomp-protocol-2.30.0.jar:2.30.0]
    at org.apache.activemq.artemis.core.protocol.stomp.StompConnection.handleFrame(StompConnection.java:424) [artemis-stomp-protocol-2.30.0.jar:2.30.0]
    at org.apache.activemq.artemis.core.protocol.stomp.StompProtocolManager.handleBuffer(StompProtocolManager.java:162) [artemis-stomp-protocol-2.30.0.jar:2.30.0]
    at org.apache.activemq.artemis.core.protocol.stomp.StompConnection.bufferReceived(StompConnection.java:307)
[jira] [Created] (ARTEMIS-4405) Incorrect username logging in AMQ601264 events
Aleksandr Milovidov created ARTEMIS-4405:

Summary: Incorrect username logging in AMQ601264 events
Key: ARTEMIS-4405
URL: https://issues.apache.org/jira/browse/ARTEMIS-4405
Project: ActiveMQ Artemis
Issue Type: Bug
Affects Versions: 2.30.0
Reporter: Aleksandr Milovidov

We have ActiveMQ Artemis with audit logging turned on, and sometimes wrong username is logged when user gets an authorization error (audit log event AMQ601264). I have reproduced this issue when client uses STOMP to connect to the broker. In that case client username is always logged as anonymous, and source IP address seems to be correct.

We have a lot of other audit log messages where different usernames are logged in single log event, but I cannot attach these logs because it contains sensitive information. I think this problem is not specific to STOMP clients because most our clients use core and openwire. I will try to reproduce it later.

The problem is not specific to current version of Artemis.

Steps to reproduce (for STOMP client):

1. Create Artemis instance

{{artemis create --user admin --password admin --require-login }}

Edit {{artemis-roles.properties}} and {{artemis-users.properties}} to create some other user with password and non-admin role. For example, add string {{alice = alice}} to both files.

Edit log4j2.properties to enable base audit logging:
{code:java}
logger.audit_base = INFO, audit_log_file{code}

To connect to the broker with STOMP I have used python with Stompest library (it has to be installed using pip install stompest).

Example STOMP producer python code (it does not handle authorization errors):

{code:java}
from stompest.config import StompConfig
from stompest.protocol import StompSpec
from stompest.sync import Stomp

CONFIG = StompConfig("tcp://localhost:61613", login="alice", passcode="alice", version=StompSpec.VERSION_1_0)
QUEUE = 'test.queue'

client = Stomp(CONFIG)
client.connect()
client.send(QUEUE, 'Test message'.encode())
client.disconnect()
{code}

Run this example code. Check broker audit.log. For example:

{code:java}
2023-08-28 17:39:20,042 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601267: User alice(alice)@127.0.0.1:56685 is creating a core session on target resource ActiveMQServerImpl::name=0.0.0.0 with parameters: [ac22db0e-45b0-11ee-b333-005056abe8b9, alice, , 102400, org.apache.activemq.artemis.core.protocol.stomp.StompConnection@3313e538, true, false, false, false, null, org.apache.activemq.artemis.core.protocol.stomp.StompSession@2fc820ee, true, {}]
2023-08-28 17:39:20,081 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601262: User alice(alice)@127.0.0.1:56685 is creating address on target resource: ac22db0e-45b0-11ee-b333-005056abe8b9 with parameters: [Address [name=test.queue, id=0, routingTypes={MULTICAST}, autoCreated=false, paused=false, bindingRemovedTimestamp=-1, swept=false, createdTimestamp=1693233560081], true]
2023-08-28 17:39:20,116 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601264: User anonymous@127.0.0.1:56685 gets security check failure, reason = AMQ229032: User: alice does not have permission='CREATE_ADDRESS' on address test.queue
org.apache.activemq.artemis.api.core.ActiveMQSecurityException: AMQ229032: User: alice does not have permission='CREATE_ADDRESS' on address test.queue
    at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:305) [artemis-server-2.30.0.jar:2.30.0]
    at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:227) [artemis-server-2.30.0.jar:2.30.0]
    at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.securityCheck(ServerSessionImpl.java:503) [artemis-server-2.30.0.jar:2.30.0]
    at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.createAddress(ServerSessionImpl.java:972) [artemis-server-2.30.0.jar:2.30.0]
    at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.createAddress(ServerSessionImpl.java:962) [artemis-server-2.30.0.jar:2.30.0]
    at org.apache.activemq.artemis.core.protocol.stomp.StompConnection.autoCreateDestinationIfPossible(StompConnection.java:184) [artemis-stomp-protocol-2.30.0.jar:2.30.0]
    at org.apache.activemq.artemis.core.protocol.stomp.VersionedStompFrameHandler.onSend(VersionedStompFrameHandler.java:188) [artemis-stomp-protocol-2.30.0.jar:2.30.0]
    at org.apache.activemq.artemis.core.protocol.stomp.VersionedStompFrameHandler.handleFrame(VersionedStompFrameHandler.java:87) [artemis-stomp-protocol-2.30.0.jar:2.30.0]
    at org.apache.activemq.artemis.core.protocol.stomp.StompConnection.handleFrame(StompConnection.java:424) [artemis-stomp-protocol-2.30.0.jar:2.30.0]
    at org.apache.activemq.artemis.core.protocol.stomp.StompProtocolManager.handleBuffer(StompProtocolManager.java:162)
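A triage check for the discrepancy this report describes, as an added example that is not part of the original messages or of the Artemis code base: it scans audit-log text for AMQ601264 events whose logged subject differs from the user named in the embedded AMQ229032 reason, and recovers the user last seen on the same remote address. The sample log is constructed from the lines quoted in the report; `find_identity_mismatches` and `Mismatch` are names chosen here, and treating the parenthesised text after the user name as optional is an assumption.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: the three audit events quoted in the report (parameter
# lists abridged to "[...]"), two stack-trace lines, and one made-up,
# self-consistent denial for a user "bob" that must not be flagged.
SAMPLE_AUDIT_LOG = """\
2023-08-28 17:39:20,042 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601267: User alice(alice)@127.0.0.1:56685 is creating a core session on target resource ActiveMQServerImpl::name=0.0.0.0 with parameters: [...]
2023-08-28 17:39:20,081 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601262: User alice(alice)@127.0.0.1:56685 is creating address on target resource: ac22db0e-45b0-11ee-b333-005056abe8b9 with parameters: [...]
2023-08-28 17:39:20,116 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601264: User anonymous@127.0.0.1:56685 gets security check failure, reason = AMQ229032: User: alice does not have permission='CREATE_ADDRESS' on address test.queue
org.apache.activemq.artemis.api.core.ActiveMQSecurityException: AMQ229032: User: alice does not have permission='CREATE_ADDRESS' on address test.queue
\tat org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:305) [artemis-server-2.30.0.jar:2.30.0]
2023-08-28 17:40:02,500 [AUDIT](Thread-2 (activemq-netty-threads)) AMQ601264: User bob(bob)@127.0.0.1:56700 gets security check failure, reason = AMQ229032: User: bob does not have permission='CREATE_ADDRESS' on address test.queue
"""

# Audit subject is "User <name>(<text>)@<remote>"; the parenthesised part is
# treated as optional because "anonymous" carries none in the report's log.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[AUDIT\]\(.*?\) "
    r"(?P<code>AMQ\d+): User (?P<user>[^(@\s]+)(?:\([^)]*\))?@(?P<remote>\S+) "
    r"(?P<rest>.*)$"
)
DENIED_RE = re.compile(
    r"AMQ229032: User: (?P<denied>\S+) does not have "
    r"permission='(?P<perm>[^']+)' on address (?P<address>\S+)"
)

class Mismatch(NamedTuple):
    timestamp: str
    remote: str
    logged_user: str              # subject the AMQ601264 event is attributed to
    denied_user: str              # user named inside the AMQ229032 reason
    session_user: Optional[str]   # user last seen earlier on the same remote
    permission: str
    address: str

def find_identity_mismatches(log_text: str) -> list:
    """Return AMQ601264 events whose audit subject disagrees with the reason."""
    last_user_by_remote = {}
    findings = []
    for line in log_text.splitlines():
        event = EVENT_RE.match(line)
        if event is None:
            continue  # stack-trace and continuation lines carry no subject
        user, remote = event["user"], event["remote"]
        if event["code"] != "AMQ601264":
            last_user_by_remote[remote] = user  # remember who owns this peer
            continue
        reason = DENIED_RE.search(event["rest"])
        if reason and reason["denied"] != user:
            findings.append(Mismatch(
                event["ts"], remote, user, reason["denied"],
                last_user_by_remote.get(remote),
                reason["perm"], reason["address"],
            ))
    return findings

if __name__ == "__main__":
    for finding in find_identity_mismatches(SAMPLE_AUDIT_LOG):
        print(finding)
```

When alerting or attributing failed authorization attempts from these logs, key on `denied_user` or `session_user` rather than the event's leading subject for as long as the broker in use shows this behaviour.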
[jira] [Work logged] (ARTEMIS-4396) Improve support for "internal" address/queue property
[ https://issues.apache.org/jira/browse/ARTEMIS-4396?focusedWorklogId=878616=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-878616 ]

ASF GitHub Bot logged work on ARTEMIS-4396:
---
Author: ASF GitHub Bot
Created on: 28/Aug/23 11:37
Start Date: 28/Aug/23 11:37
Worklog Time Spent: 10m
Work Description: gemmellr commented on code in PR #4586:
URL: https://github.com/apache/activemq-artemis/pull/4586#discussion_r1307133455

## artemis-core-client/src/main/java/org/apache/activemq/artemis/core/protocol/core/impl/wireformat/CreateQueueMessage_V2.java: ## @@ -450,6 +468,9 @@ public void decodeRest(final ActiveMQBuffer buffer) { if (buffer.readableBytes() > 0) { groupRebalancePauseDispatch = BufferHelper.readNullableBoolean(buffer); } + if (buffer.readableBytes() > 0) { + internal = BufferHelper.readNullableBoolean(buffer); + }

Review Comment:
Should it be possible for clients to remotely create 'internal' queues? I don't really see why we would want/need that to be possible now at this point when it hasn't been before? Also, is there any kind of access control needed on it?

Issue Time Tracking
---
Worklog Id: (was: 878616)
Time Spent: 20m (was: 10m)

> Improve support for "internal" address/queue property
> -
>
> Key: ARTEMIS-4396
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4396
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Reporter: Justin Bertram
> Assignee: Justin Bertram
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>

--
This message was sent by Atlassian Jira (v8.20.10#820010)
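Review bot: In decodeRest, `internal` is assigned directly from the received buffer via `BufferHelper.readNullableBoolean(buffer)`, so the flag carries whatever the remote peer encoded and nothing in this hunk restricts who may set it. If the property is meant to be broker-controlled, either do not decode it from the wire or have the server-side handler authorize or ignore it before the queue is created. The read is also guarded only by `buffer.readableBytes() > 0`, so a peer that omits the field leaves `internal` at its prior value, and a nullable read may yield null; the field's declaration and default are outside this hunk, so confirm the type tolerates null and add a test decoding a message from an encoder that does not write the field.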