Hi Tim,

The sed commands worked as expected.

Unfortunately it's the same if executed inside the pod:

root@artemis-0:/var/lib/artemis/bin# curl -H "Origin:http://localhost:8161" -u monitor:s3cret http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=*/Active
{"request":{"mbean":"org.apache.activemq.artemis:broker=*","attribute":"Active","type":"read"},"value":{"org.apache.activemq.artemis:broker=\"artemis-0\"":{"
root@artemis-0:/var/lib/artemis/bin# curl -H "Origin:http://localhost:8161" -u monitor:s3cret http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=*/AddressMemoryUsage
{"request":{"mbean":"org.apache.activemq.artemis:broker=*","attribute":"AddressMemoryUsage","type":"read"},"value":{"org.apache.activemq.artemis:broker=\"artemis-0\"":{"AddressMemoryUsage":0}},"timestamp":1638786958,"status":200}

I can also see that it is authenticating the correct user but, trawling
through the Artemis code, it doesn't appear that the role is logged anywhere
except in some specific login modules, not this one:

2021-12-06 10:57:52,250 DEBUG
[org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule]
login monitor
2021-12-06 10:57:52,253 DEBUG
[org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule]
commit, result: true

Running the same container in docker with the same environment produces:

$ curl -H "Origin:http://localhost:8161" -u monitor:s3cret http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=*/Active
{"request":{"mbean":"org.apache.activemq.artemis:broker=*","attribute":"Active","type":"read"},"value":{"org.apache.activemq.artemis:broker=\"50cbfe9b6b51\"":{"Active":true}},"timestamp":1638786790,"status":200}
$ curl -H "Origin:http://localhost:8161" -u monitor:s3cret http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=*/AddressMemoryUsage
{"request":{"mbean":"org.apache.activemq.artemis:broker=*","attribute":"AddressMemoryUsage","type":"read"},"error_type":"java.lang.Exception","error":"java.lang.Exception: Insufficient roles\/credentials for operation","status":403}

I'm using microk8s locally but I could try a different k8s next.


Thanks,

Dave


On Sun, 5 Dec 2021 at 13:40, Tim Bain <tb...@alumni.duke.edu> wrote:

> To take the K8s networking out of the equation, maybe kubectl exec a shell
> session into the container and invoke the curl command against localhost?
>
> And while you're in the container, you can check that your sed command
> produced the expected output.
>
> Tim
>
> On Fri, Dec 3, 2021, 9:45 AM Domenico Francesco Bruscino <
> bruscin...@gmail.com> wrote:
>
> > Hi Dave,
> >
> > could you get the artemis etc folder from your kubernetes container
> > and share it?
> >
> > Thanks,
> > Domenico
> >
> >
> > On Fri, 3 Dec 2021 at 17:17, David Martin <dav...@qoritek.com> wrote:
> >
> > > Hi Domenico,
> > >
> > > Thanks - after further experimentation it appears to be related to
> > > Kubernetes but it's pretty baffling (to me at least). It works in
> > > Docker.
> > >
> > > The build steps are essentially the same as yours, executed via a
> > > Dockerfile (
> > > https://github.com/vromero/activemq-artemis-docker/blob/master/src/Dockerfile
> > > ) -
> > >
> > > "/opt/apache-artemis-${ACTIVEMQ_ARTEMIS_VERSION}/bin/artemis" create
> > > artemis \
> > > --home /opt/apache-artemis \
> > > --user artemis \
> > > --password simetraehcapa \
> > > --role amq \
> > > --require-login \
> > > --cluster-user artemisCluster \
> > > --cluster-password simetraehcaparetsulc ; \
> > > The only other thing it changes is binding to 0.0.0.0 in Jolokia
> > > instead of localhost.
> > >
> > > Then I have sed commands quite similar to yours.
> > >
> > > sed -i "s#\(HAWTIO_ROLE='amq\)#\1,amqro,monitor#" artemis.profile
> > > sed -i 's#\(<access method="\(list\|get\|is\)\*" roles="amq\)"#\1,amqro"#;
> > >         s#\(\.activemq\.artemis">\)#\1\n            <access method="isActive" roles="amq,amqro,monitor"/>#' management.xml
> > > sed -i 's#\(<restrict>\)#\1\n  <remote>\n    <host>127.0.0.1</host>\n    <host>localhost</host>\n    <host>10.0.0.0/8</host> \
> > >     <host>172.16.0.0/12</host>\n    <host>192.168.0.0/16</host>\n  </remote>#' jolokia-access.xml
> > >
> > > When I run the image in docker, it works. The API works as per your
> > > examples and when I use the console as the monitor user, everything is
> > > locked down except for the Active property in JMX.
> > >
> > > When I run it in Kubernetes with the same image and env vars (accessing
> > > via a nodeport or via kubectl port-forward) it doesn't. Any API method is
> > > accessible and the console functionality is unlocked regardless of my
> > > user, although in the JMX tab I cannot invoke any operations (though I can
> > > view all the properties). If I put debugging on jaas I can see it
> > > authenticating the right user.
> > >
> > > I guess you may not want to help with a 3rd party docker image. I may
> > > have to resort to an NGINX sidecar to get the user name from the
> > > Authorization header and filter it that way!
> > >
> > > I've tried building versions 2.16 and 2.18, same outcome.
> > >
> > >
> > > Many thanks,
> > >
> > > Dave
> > >
> > >
> > >
> > >
> > > On Thu, 2 Dec 2021 at 21:45, Domenico Francesco Bruscino <
> > > bruscin...@gmail.com> wrote:
> > >
> > > > Hi Dave,
> > > >
> > > > I'm not able to reproduce your issue executing the following steps:
> > > >
> > > > 1) create a new broker instance:
> > > > ./bin/artemis create broker --user admin --password admin --require-login
> > > >
> > > > 2) add test user with monitor role
> > > > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> > > > echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties
> > > >
> > > > 3) add rtest user with amqro role
> > > > echo -e "\nrtest = rtest" >> ./broker/etc/artemis-users.properties
> > > > echo -e "\namqro = rtest" >> ./broker/etc/artemis-roles.properties
> > > >
> > > > 4) add the monitor role to HAWTIO_ROLE in artemis.profile
> > > > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,amqro,monitor'/"
> > > > ./broker/etc/artemis.profile
> > > >
> > > > 5) add the access for the isActive method in management.xml
> > > > sed -i 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\
> > > > method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml
> > > >
> > > > 6) add the access for amqro in management.xml
> > > > sed -i 's/amq/amq,amqro/' ./broker/etc/management.xml
> > > >
> > > > 5) run the broker
> > > > ./broker/bin/artemis run
> > > >
> > > > 6) read the Active attribute with test user (monitor role)
> > > > curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/Active
> > > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
> > > >
> > > > 7) read the AddressMemoryUsage attribute with test user (monitor role)
> > > > curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/AddressMemoryUsage
> > > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"error_type":"java.lang.Exception","error":"java.lang.Exception: User not authorized to access attribute: AddressMemoryUsage","status":403}
> > > >
> > > > 7) read the AddressMemoryUsage attribute with rtest user (amqro role)
> > > > curl -H "Origin:http://localhost:8161" -u rtest:rtest http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/AddressMemoryUsage
> > > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638481397,"status":200}
> > > >
> > > > Could you add the steps to reproduce your issue?
> > > >
> > > > Regards,
> > > > Domenico
> > > >
> > > > On Thu, 2 Dec 2021 at 13:43, David Martin <dav...@qoritek.com> wrote:
> > > >
> > > > > Hi Domenico,
> > > > >
> > > > > Following up on this I decided to try adding a readonly console
> > > > > user with the role "amqro" and that is when I discovered that the users in
> > > > > HAWTIO_ROLE have unencumbered access to both the console and the
> > > > > Jolokia REST API.
> > > > >
> > > > > 1/ Even the user with the monitor role can log in to the console
> > > > > and do things like delete queues and connections.
> > > > >
> > > > > 2/ User with monitor role able to invoke other methods than /Active
> > > > > e.g. /AddressMemoryUsage (verified username/password with base64 -d) -
> > > > >
> > > > > $ curl -H 'Origin: $(hostname -i)' -H 'Authorization: Basic xxxxx' 'http://localhost:31161/console/jolokia/read/org.apache.activemq.artemis:broker=!%22artemis-0!%22/AddressMemoryUsage'
> > > > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"artemis-0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638448344,"status":200}
> > > > >
> > > > > 3/ management.xml -
> > > > >
> > > > > <management-context xmlns="http://activemq.org/schema">
> > > > >    <!--<connector connector-port="1099"/>-->
> > > > >    <authorisation>
> > > > >       <whitelist>
> > > > >          <entry domain="hawtio"/>
> > > > >       </whitelist>
> > > > >       <default-access>
> > > > >          <access method="list*" roles="amq,amqro"/>
> > > > >          <access method="get*" roles="amq,amqro"/>
> > > > >          <access method="is*" roles="amq,amqro"/>
> > > > >          <access method="set*" roles="amq"/>
> > > > >          <access method="*" roles="amq"/>
> > > > >       </default-access>
> > > > >       <role-access>
> > > > >          <match domain="org.apache.activemq.artemis">
> > > > >             <access method="isActive" roles="amq,amqro,monitor"/>
> > > > >             <access method="list*" roles="amq,amqro"/>
> > > > >             <access method="get*" roles="amq,amqro"/>
> > > > >             <access method="is*" roles="amq,amqro"/>
> > > > >             <access method="set*" roles="amq"/>
> > > > >             <access method="*" roles="amq"/>
> > > > >          </match>
> > > > >          <!--example of how to configure a specific object-->
> > > > >          <!--<match domain="org.apache.activemq.artemis" key="subcomponent=queues">
> > > > >             <access method="list*" roles="view,update,amq"/>
> > > > >             <access method="get*" roles="view,update,amq"/>
> > > > >             <access method="is*" roles="view,update,amq"/>
> > > > >             <access method="set*" roles="update,amq"/>
> > > > >             <access method="*" roles="amq"/>
> > > > >          </match>-->
> > > > >       </role-access>
> > > > >    </authorisation>
> > > > > </management-context>
> > > > >
> > > > > 4/ artemis-profile -
> > > > >
> > > > > # Hawtio Properties
> > > > > HAWTIO_ROLE='amq,amqro,monitor'
> > > > >
> > > > > # Java Opts
> > > > > if [ -z "$JAVA_ARGS" ]; then
> > > > >  JAVA_ARGS="$BROKER_CONFIGS
> > > > > -javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml
> > > > > -Dcom.sun.management.jmxremote=true
> > > > > -Dcom.sun.management.jmxremote.port=1099
> > > > > -Dcom.sun.management.jmxremote.rmi.port=1098
> > > > > -Dcom.sun.management.jmxremote.ssl=false
> > > > > -Dcom.sun.management.jmxremote.authenticate=false
> > > > > -Dipv4addr=$(hostname -f)
> > > > > -Ddomain=artemis-headless.sis-247.svc.cluster.local
> > > > > -Dcluster.password=2b186afe-4e99-4a33-a47f-042df1fadd1d
> > > > > -Dcrmt.poll.cron=0_0/2_*_*_*_? -Dcrmt.jwt=mockDoesNotCheckIt
> > > > > -Dpage.size=2097152 -Dpaging.threshold=10485760
> > > > > -Dmin.large.message.size=204800
> > > > > -Dsecurity.invalidation.interval=600000
> > > > > -Dhawtio.authenticationEnabled=true
> > > > > -Djava.net.preferIPv4Addresses=true
> > > > > -Djava.net.preferIPv4Stack=true -XX:+UnlockExperimentalVMOptions
> > > > > -XX:+UseCGroupMemoryLimitForHeap -XX:MaxRAMFraction=2
> > > > >  -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+UseStringDeduplication
> > > > > -Dhawtio.disableProxy=true -Dhawtio.realm=activemq
> > > > > -Dhawtio.offline=true
> > > > > -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal
> > > > > -Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml"
> > > > > fi
> > > > >
> > > > > Do you or anyone in this group have any suggestions on how the
> > > > > monitor (and amqro) roles can be actually restricted? I tried adding
> > > > > -Dhawtio.authenticationEnabled=true but that had no effect.
> > > > >
> > > > >
> > > > > Thanks for your help,
> > > > >
> > > > >
> > > > > Dave
> > > > >
> > > > >
> > > > >
> > > > > On Thu, 18 Nov 2021 at 21:34, Domenico Francesco Bruscino <
> > > > > bruscin...@gmail.com> wrote:
> > > > >
> > > > > > Hi Dave,
> > > > > >
> > > > > > you need to add the monitor role to HAWTIO_ROLE in
> > > > > > artemis.profile and the access for the isActive method in management.xml.
> > > > > >
> > > > > > Execute the following steps to get a working example:
> > > > > >
> > > > > > 1) create a new broker instance:
> > > > > > ./bin/artemis create broker --user admin --password admin --require-login
> > > > > >
> > > > > > 2) add test user with monitor role
> > > > > > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> > > > > > echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties
> > > > > >
> > > > > > 3) add the monitor role to HAWTIO_ROLE in artemis.profile
> > > > > > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,monitor'/"
> > > > > > ./broker/etc/artemis.profile
> > > > > >
> > > > > > 4) add the access for the isActive method in management.xml
> > > > > > sed -i 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\
> > > > > > method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml
> > > > > >
> > > > > > 5) run the broker
> > > > > > ./broker/bin/artemis run
> > > > > >
> > > > > > 6) read the Active attribute
> > > > > > curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/Active
> > > > > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
> > > > > >
> > > > > > Regards,
> > > > > > Domenico
> > > > > >
> > > > > > On Thu, 18 Nov 2021 at 18:16, David Martin <dav...@qoritek.com> wrote:
> > > > > >
> > > > > > > Hi all,
> > > > > > >
> > > > > > > I'm trying to configure role access via the Jolokia REST API
> > > > > > > for the single attribute "Active" on the "org.apache.activemq.artemis" domain.
> > > > > > >
> > > > > > > I have a user with a role "monitor" and want them to be able to
> > > > > > > access nothing but the above attribute via e.g.
> > > > > > > /console/jolokia/read/org.apache.activemq.artemis:broker=*/Active.
> > > > > > > The manual regarding management.xml is clear about *method* access
> > > > > > > e.g. "get*" but has no examples for *attribute* access.
> > > > > > >
> > > > > > > Having spent about an hour on it I'm really stuck. Any help
> > > > > > > would be appreciated.
> > > > > > >
> > > > > > >
> > > > > > > Cheers,
> > > > > > >
> > > > > > > Dave
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
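As an added example (not code from the thread, nor from the Artemis project), the following Python script parses a management.xml of the shape Dave posted, works out which roles the policy grants for a given Jolokia attribute read, and compares that with captured Jolokia responses, so that the Docker-versus-Kubernetes discrepancy reported above shows up as a concrete list of mismatches instead of something spotted by eye. Two assumptions are baked in: that a Jolokia `read` of an attribute is authorised against the attribute's JMX getter name (`isActive` for the boolean `Active`, `getAddressMemoryUsage` for `AddressMemoryUsage`), which is what Domenico's `isActive` entry relies on; and that evaluation runs whitelist first, then the domain's `<match>` (exact method name, then the longest wildcard prefix), then `<default-access>`, which approximates the broker's behaviour but ignores the `key` attribute on `<match>`. The sample responses are constructed from the ones quoted in the thread.

```python
import json
import xml.etree.ElementTree as ET

NS = "{http://activemq.org/schema}"

# Constructed sample: the authorisation section from the management.xml posted in
# the thread, i.e. what the broker is supposed to enforce.
MANAGEMENT_XML = """<management-context xmlns="http://activemq.org/schema">
  <authorisation>
    <whitelist>
      <entry domain="hawtio"/>
    </whitelist>
    <default-access>
      <access method="list*" roles="amq,amqro"/>
      <access method="get*" roles="amq,amqro"/>
      <access method="is*" roles="amq,amqro"/>
      <access method="set*" roles="amq"/>
      <access method="*" roles="amq"/>
    </default-access>
    <role-access>
      <match domain="org.apache.activemq.artemis">
        <access method="isActive" roles="amq,amqro,monitor"/>
        <access method="list*" roles="amq,amqro"/>
        <access method="get*" roles="amq,amqro"/>
        <access method="is*" roles="amq,amqro"/>
        <access method="set*" roles="amq"/>
        <access method="*" roles="amq"/>
      </match>
    </role-access>
  </authorisation>
</management-context>"""

# Constructed Jolokia responses modelled on the ones quoted in the thread:
# (roles of the calling user, attribute read, attribute is boolean, raw response body).
# The second entry is the Kubernetes result Dave reported: a monitor-only user got 200.
OBSERVED = [
    (["monitor"], "Active", True,
     r'{"request":{"mbean":"org.apache.activemq.artemis:broker=*","attribute":"Active","type":"read"},"value":{"org.apache.activemq.artemis:broker=\"artemis-0\"":{"Active":true}},"timestamp":1638786790,"status":200}'),
    (["monitor"], "AddressMemoryUsage", False,
     r'{"request":{"mbean":"org.apache.activemq.artemis:broker=*","attribute":"AddressMemoryUsage","type":"read"},"value":{"org.apache.activemq.artemis:broker=\"artemis-0\"":{"AddressMemoryUsage":0}},"timestamp":1638786958,"status":200}'),
    (["amqro"], "AddressMemoryUsage", False,
     r'{"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638481397,"status":200}'),
]


def _rule(elem):
    """Turn one <access method="..." roles="a,b"/> element into (pattern, set of roles)."""
    roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
    return elem.get("method"), roles


def load_policy(xml_text):
    """Parse the <authorisation> section into whitelist, default rules and per-domain rules."""
    root = ET.fromstring(xml_text)
    whitelist = {e.get("domain") for e in root.iter(NS + "entry")}
    default = [_rule(a) for a in root.find(f"{NS}authorisation/{NS}default-access").iter(NS + "access")]
    matches = {m.get("domain"): [_rule(a) for a in m.iter(NS + "access")] for m in root.iter(NS + "match")}
    return {"whitelist": whitelist, "default": default, "matches": matches}


def attribute_to_method(attribute, boolean=False):
    """Assumption: an attribute read is checked as its getter, is<Attr> for booleans, get<Attr> otherwise."""
    return ("is" if boolean else "get") + attribute


def roles_allowed(policy, domain, method):
    """Roles the policy grants `method` on `domain`; None means the domain is whitelisted (no check)."""
    if domain in policy["whitelist"]:
        return None
    rules = policy["matches"].get(domain, policy["default"])
    exact = [roles for pat, roles in rules if pat == method]
    if exact:
        return exact[0]
    best = None  # longest wildcard prefix wins; "*" (empty prefix) is the fallback
    for pat, roles in rules:
        if pat.endswith("*") and method.startswith(pat[:-1]):
            if best is None or len(pat) > len(best[0]):
                best = (pat, roles)
    return best[1] if best else set()


def expected_status(policy, domain, attribute, boolean, user_roles):
    """HTTP status the policy predicts for a Jolokia read by a user holding `user_roles`."""
    allowed = roles_allowed(policy, domain, attribute_to_method(attribute, boolean))
    return 200 if allowed is None or allowed & set(user_roles) else 403


def audit(policy, observations):
    """Compare observed Jolokia responses against the policy; return (attribute, roles, expected, got)."""
    mismatches = []
    for roles, attribute, boolean, raw in observations:
        resp = json.loads(raw)
        domain = resp["request"]["mbean"].split(":", 1)[0]
        want = expected_status(policy, domain, attribute, boolean, roles)
        if want != resp["status"]:
            mismatches.append((attribute, roles, want, resp["status"]))
    return mismatches


if __name__ == "__main__":
    for attr, roles, want, got in audit(load_policy(MANAGEMENT_XML), OBSERVED):
        print(f"MISMATCH: roles={roles} read {attr}: policy says {want}, broker returned {got}")
```

Feed `audit` the real responses from each environment (Docker, then the pod): an empty list means the running broker enforces the policy as written, and a non-empty one, like the monitor read of AddressMemoryUsage above, is the concrete evidence to chase before trusting the monitor role in that deployment.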
