Reloading users and groups properties on change

Thu, 10 Mar 2016 08:15:24 -0800 

Hi!

I talked to Gary Tully on IRC (and mail) and we decided it was best that
I mailed the mailinglist since he was pretty sure that someone here had
solved this.

We are running 5.13.0 and are trying to get {user,group}s.properties to
be reloaded automatically when they are changed.

In the init.d-script we've added:
ACTIVEMQ_OPTS+=" 
-Djava.security.auth.login.config=/local/activemq/conf/login.config "

and login.config looks like this:
activemq-domain {
  org.apache.activemq.jaas.PropertiesLoginModule required
    debug=true
    reload=true
    org.apache.activemq.jaas.properties.user="users.properties"
    
org.apache.activemq.jaas.properties.group="../conf.d/approved/groups.properties"
  ;
};

users.properties:
system=manager
nagios=nagios

groups.properties:
monitoring=system

activemq.xml excerpt:
[…]
    <plugins>
      <!-- The configuration value matches the JAAS realm in login.config -->
      <jaasAuthenticationPlugin configuration="activemq-domain" />

      <!-- Enable hot reloading of the The configuration value matches the JAAS 
realm in login.config -->
      <runtimeConfigurationPlugin checkPeriod="0" />

      <authorizationPlugin>
         <map>
           <authorizationMap>
               <authorizationEntry
                 queue="aliveness-test"
                 read="monitoring"
                 write="monitoring"
                 admin="monitoring"
               />
             </authorizationEntries>
           </authorizationMap>
         </map>
       </authorizationPlugin>
[…]

With this configuration the user nagios should be able to access the queue 
aliveness-test.
To reproduce, modify groups.properties so it looks like:
monitoring=system,nagios

Check your logs (you need to enable debug logging on 
org.apache.activemq.jaas.ReloadableProperties):
{"thread":"ActiveMQ NIO Worker 
622","level":"DEBUG","loggerName":"org.apache.activemq.jaas.ReloadableProperties","message":"Load
 of: PropsFile=/local/activemq/conf/../conf.d/approved/groups.properties"}
so the reloading works, but nagios still can't consume from (or produce to) the 
queue:
{"thread":"ActiveMQ NIO Worker 
2","level":"WARN","loggerName":"org.apache.activemq.broker.TransportConnection.Service","message":"Security
 Error occurred on connection to: tcp://0:0:0:0:0:0:0:1:45357, User nagios is 
not authorized to read from: queue://aliveness-test"}

Note: If I restart ActiveMQ nagios can consume and produce from the
queue.

Is there any configuration that I've missed?
Is this a bug?

BR,
- Simon

____________________________________

Simon Lundström
Section for Infrastructure

IT Services
Stockholm University
SE-106 91 Stockholm, Sweden

www.su.se/english/staff-info/it

Reply via email to