Great, I'm glad you were able to figure it out, and thanks for sharing the
root cause once you found it.

Tim

On Mon, Dec 6, 2021, 5:24 AM David Martin <dav...@qoritek.com> wrote:

> Domenico, Tim,
>
> I've figured it out.
>
> On further investigation, the kubernetes command params included the
> following:
>
> -javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml
> -Dcom.sun.management.jmxremote=true
> -Dcom.sun.management.jmxremote.port=1099
> -Dcom.sun.management.jmxremote.rmi.port=1098
> -Dcom.sun.management.jmxremote.ssl=false
> -Dcom.sun.management.jmxremote.authenticate=false
>
> but the docker command params did not.
>
> This was due to setting the ENABLE_JMX option supported by this Docker
> image.
>
> Seems that these parameters altered Hawtio's behaviour -
> -Dcom.sun.management.jmxremote.authenticate=false perhaps?
>
> Thanks for all of your help,
>
>
> Dave
>
>
>
> On Mon, 6 Dec 2021 at 10:33, David Martin <dav...@qoritek.com> wrote:
>
> > Hi Domenico,
> >
> > root@artemis-0:/var/lib/artemis/etc# ls -l
> > total 44
> > -rw-r--r-- 1 artemis artemis   992 Dec  6 10:17 artemis-roles.properties
> > -rw-r--r-- 1 artemis artemis  1192 Dec  6 10:17 artemis-users.properties
> > -rw-r--r-- 1 artemis artemis  3880 Dec  6 10:17 artemis.profile
> > -rw-r--r-- 1 artemis artemis  1495 Dec  3 14:30 bootstrap.xml
> > -rw-r--r-- 1 root    root    11395 Dec  6 10:17 broker.xml
> > -rw-r--r-- 1 artemis artemis  1448 Dec  6 10:17 jolokia-access.xml
> > -rw-r--r-- 1 artemis artemis  3942 Dec  6 10:17 logging.properties
> > -rw-r--r-- 1 artemis artemis  1086 Dec  3 14:30 login.config
> > -rw-r--r-- 1 artemis artemis  2466 Dec  6 10:17 management.xml
> >
> > Attached the contents of this folder as requested. The same works as
> > expected with Docker but not with k8s.
> >
> >
> > Thanks,
> >
> > Dave
> >
> >
> >
> > On Fri, 3 Dec 2021 at 16:45, Domenico Francesco Bruscino <
> > bruscin...@gmail.com> wrote:
> >
> >> Hi Dave,
> >>
> >> could you get the artemis etc folder from your kubernetes container
> >> and share it?
> >>
> >> Thanks,
> >> Domenico
> >>
> >>
> >> On Fri, 3 Dec 2021 at 17:17, David Martin <dav...@qoritek.com> wrote:
> >>
> >> > Hi Domenico,
> >> >
> >> > Thanks - after further experimentation it appears to be related to
> >> > Kubernetes but it's pretty baffling (to me at least). It works in Docker.
> >> >
> >> > The build steps are essentially the same as yours, executed via a
> >> > Dockerfile (
> >> > https://github.com/vromero/activemq-artemis-docker/blob/master/src/Dockerfile
> >> > ) -
> >> >
> >> > "/opt/apache-artemis-${ACTIVEMQ_ARTEMIS_VERSION}/bin/artemis" create
> >> > artemis \
> >> > --home /opt/apache-artemis \
> >> > --user artemis \
> >> > --password simetraehcapa \
> >> > --role amq \
> >> > --require-login \
> >> > --cluster-user artemisCluster \
> >> > --cluster-password simetraehcaparetsulc ; \
> >> > The only other thing it changes is binding to 0.0.0.0 in Jolokia instead of
> >> > localhost.
> >> >
> >> > Then I have sed commands quite similar to yours.
> >> >
> >> > sed -i "s#\(HAWTIO_ROLE='amq\)#\1,amqro,monitor#" artemis.profile
> >> > sed -i 's#\(<access method="\(list\|get\|is\)\*" roles="amq\)"#\1,amqro"#;
> >> >         s#\(\.activemq\.artemis">\)#\1\n            <access method="isActive" roles="amq,amqro,monitor"/>#' management.xml
> >> > sed -i 's#\(<restrict>\)#\1\n  <remote>\n    <host>127.0.0.1</host>\n <host>localhost</host>\n    <host>10.0.0.0/8</host> \
> >> >     <host>172.16.0.0/12</host>\n    <host>192.168.0.0/16</host>\n </remote>#' jolokia-access.xml
> >> >
> >> > When I run the image in docker, it works. The API works as per your
> >> > examples and when I use the console as the monitor user, everything is
> >> > locked down except for the Active property in JMX.
> >> >
> >> > When I run it in Kubernetes with the same image and env vars (accessing via
> >> > a nodeport or via kubectl port-forward) it doesn't. Any API method is
> >> > accessible and the console functionality is unlocked regardless of my user,
> >> > although in the JMX tab I cannot invoke any operations (though I can view
> >> > all the properties). If I put debugging on jaas I can see it authenticating
> >> > the right user.
> >> >
> >> > I guess you may not want to help with a 3rd party docker image. I may have
> >> > to resort to an NGINX sidecar to get the user name from the Authorization
> >> > header and filter it that way!
> >> >
> >> > I've tried building versions 2.16 and 2.18, same outcome.
> >> >
> >> >
> >> > Many thanks,
> >> >
> >> > Dave
> >> >
> >> >
> >> >
> >> >
> >> > On Thu, 2 Dec 2021 at 21:45, Domenico Francesco Bruscino <
> >> > bruscin...@gmail.com> wrote:
> >> >
> >> > > Hi Dave,
> >> > >
> >> > > I'm not able to reproduce your issue executing the following steps:
> >> > >
> >> > > 1) create a new broker instance:
> >> > > ./bin/artemis create broker --user admin --password admin --require-login
> >> > >
> >> > > 2) add test user with monitor role
> >> > > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> >> > > echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties
> >> > >
> >> > > 3) add rtest user with amqro role
> >> > > echo -e "\nrtest = rtest" >> ./broker/etc/artemis-users.properties
> >> > > echo -e "\namqro = rtest" >> ./broker/etc/artemis-roles.properties
> >> > >
> >> > > 4) add the monitor role to HAWTIO_ROLE in artemis.profile
> >> > > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,amqro,monitor'/" ./broker/etc/artemis.profile
> >> > >
> >> > > 5) add the access for the isActive method in management.xml
> >> > > sed -i 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\ method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml
> >> > >
> >> > > 6) add the access for amqro in management.xml
> >> > > sed -i 's/amq/amq,amqro/' ./broker/etc/management.xml
> >> > >
> >> > > 5) run the broker
> >> > > ./broker/bin/artemis run
> >> > >
> >> > > 6) read the Active attribute with test user (monitor role)
> >> > > curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/Active
> >> > >
> >> > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
> >> > >
> >> > > 7) read the AddressMemoryUsage attribute with test user (monitor role)
> >> > > curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/AddressMemoryUsage
> >> > >
> >> > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"error_type":"java.lang.Exception","error":"java.lang.Exception : User not authorized to access attribute: AddressMemoryUsage","status":403}
> >> > >
> >> > > 7) read the AddressMemoryUsage attribute with rtest user (amqro role)
> >> > > curl -H "Origin:http://localhost:8161" -u rtest:rtest http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/AddressMemoryUsage
> >> > >
> >> > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638481397,"status":200}
> >> > >
> >> > > Could you add the steps to reproduce your issue?
> >> > >
> >> > > Regards,
> >> > > Domenico
> >> > >
> >> > > On Thu, 2 Dec 2021 at 13:43, David Martin <dav...@qoritek.com> wrote:
> >> > >
> >> > > > Hi Domenico,
> >> > > >
> >> > > > Following up on this I decided to try adding a readonly console user
> >> > > > with the role "amqro" and that is when I discovered that the users in
> >> > > > HAWTIO_ROLE have unencumbered access to both the console and the Jolokia
> >> > > > REST API.
> >> > > >
> >> > > > 1/ Even the user with the monitor role can log in to the console and do
> >> > > > things like delete queues and connections.
> >> > > >
> >> > > > 2/ User with monitor role able to invoke other methods than /Active e.g.
> >> > > > /AddressMemoryUsage (verified username/password with base64 -d) -
> >> > > >
> >> > > > $ curl -H 'Origin: $(hostname -i)' -H 'Authorization: Basic xxxxx' 'http://localhost:31161/console/jolokia/read/org.apache.activemq.artemis:broker=!%22artemis-0!%22/AddressMemoryUsage'
> >> > > >
> >> > > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"artemis-0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638448344,"status":200}
> >> > > >
> >> > > > 3/ management.xml -
> >> > > >
> >> > > > <management-context xmlns="http://activemq.org/schema">
> >> > > >    <!--<connector connector-port="1099"/>-->
> >> > > >    <authorisation>
> >> > > >       <whitelist>
> >> > > >          <entry domain="hawtio"/>
> >> > > >       </whitelist>
> >> > > >       <default-access>
> >> > > >          <access method="list*" roles="amq,amqro"/>
> >> > > >          <access method="get*" roles="amq,amqro"/>
> >> > > >          <access method="is*" roles="amq,amqro"/>
> >> > > >          <access method="set*" roles="amq"/>
> >> > > >          <access method="*" roles="amq"/>
> >> > > >       </default-access>
> >> > > >       <role-access>
> >> > > >          <match domain="org.apache.activemq.artemis">
> >> > > >             <access method="isActive" roles="amq,amqro,monitor"/>
> >> > > >             <access method="list*" roles="amq,amqro"/>
> >> > > >             <access method="get*" roles="amq,amqro"/>
> >> > > >             <access method="is*" roles="amq,amqro"/>
> >> > > >             <access method="set*" roles="amq"/>
> >> > > >             <access method="*" roles="amq"/>
> >> > > >          </match>
> >> > > >          <!--example of how to configure a specific object-->
> >> > > >          <!--<match domain="org.apache.activemq.artemis"
> >> > > > key="subcomponent=queues">
> >> > > >             <access method="list*" roles="view,update,amq"/>
> >> > > >             <access method="get*" roles="view,update,amq"/>
> >> > > >             <access method="is*" roles="view,update,amq"/>
> >> > > >             <access method="set*" roles="update,amq"/>
> >> > > >             <access method="*" roles="amq"/>
> >> > > >          </match>-->
> >> > > >       </role-access>
> >> > > >    </authorisation>
> >> > > > </management-context>
> >> > > >
> >> > > > 4/ artemis-profile -
> >> > > >
> >> > > > # Hawtio Properties
> >> > > > HAWTIO_ROLE='amq,amqro,monitor'
> >> > > >
> >> > > > # Java Opts
> >> > > > if [ -z "$JAVA_ARGS" ]; then
> >> > > >  JAVA_ARGS="$BROKER_CONFIGS
> >> > > > -javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml
> >> > > > -Dcom.sun.management.jmxremote=true
> >> > > > -Dcom.sun.management.jmxremote.port=1099
> >> > > > -Dcom.sun.management.jmxremote.rmi.port=1098
> >> > > > -Dcom.sun.management.jmxremote.ssl=false
> >> > > > -Dcom.sun.management.jmxremote.authenticate=false -Dipv4addr=$(hostname -f)
> >> > > > -Ddomain=artemis-headless.sis-247.svc.cluster.local
> >> > > > -Dcluster.password=2b186afe-4e99-4a33-a47f-042df1fadd1d
> >> > > > -Dcrmt.poll.cron=0_0/2_*_*_*_? -Dcrmt.jwt=mockDoesNotCheckIt
> >> > > > -Dpage.size=2097152 -Dpaging.threshold=10485760
> >> > > > -Dmin.large.message.size=204800 -Dsecurity.invalidation.interval=600000
> >> > > > -Dhawtio.authenticationEnabled=true -Djava.net.preferIPv4Addresses=true
> >> > > > -Djava.net.preferIPv4Stack=true -XX:+UnlockExperimentalVMOptions
> >> > > > -XX:+UseCGroupMemoryLimitForHeap -XX:MaxRAMFraction=2
> >> > > >  -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+UseStringDeduplication
> >> > > > -Dhawtio.disableProxy=true -Dhawtio.realm=activemq -Dhawtio.offline=true
> >> > > > -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal
> >> > > > -Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml"
> >> > > > fi
> >> > > >
> >> > > > Do you or anyone in this group have any suggestions on how the monitor
> >> > > > (and amqro) roles can be actually restricted? I tried adding
> >> > > > -Dhawtio.authenticationEnabled=true but that had no effect.
> >> > > >
> >> > > >
> >> > > > Thanks for your help,
> >> > > >
> >> > > >
> >> > > > Dave
> >> > > >
> >> > > >
> >> > > >
> >> > > > On Thu, 18 Nov 2021 at 21:34, Domenico Francesco Bruscino <
> >> > > > bruscin...@gmail.com> wrote:
> >> > > >
> >> > > > > Hi Dave,
> >> > > > >
> >> > > > > you need to add the monitor role to HAWTIO_ROLE in artemis.profile and
> >> > > > > the access for the isActive method in management.xml.
> >> > > > >
> >> > > > > Execute the following steps to get a working example:
> >> > > > >
> >> > > > > 1) create a new broker instance:
> >> > > > > ./bin/artemis create broker --user admin --password admin --require-login
> >> > > > >
> >> > > > > 2) add test user with monitor role
> >> > > > > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> >> > > > > echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties
> >> > > > >
> >> > > > > 3) add the monitor role to HAWTIO_ROLE in artemis.profile
> >> > > > > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,monitor'/" ./broker/etc/artemis.profile
> >> > > > >
> >> > > > > 4) add the access for the isActive method in management.xml
> >> > > > > sed -i 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\ method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml
> >> > > > >
> >> > > > > 5) run the broker
> >> > > > > ./broker/bin/artemis run
> >> > > > >
> >> > > > > 6) read the Active attribute
> >> > > > > curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/Active
> >> > > > >
> >> > > > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
> >> > > > >
> >> > > > > Regards,
> >> > > > > Domenico
> >> > > > >
> >> > > > > On Thu, 18 Nov 2021 at 18:16, David Martin <dav...@qoritek.com> wrote:
> >> > > > >
> >> > > > > > Hi all,
> >> > > > > >
> >> > > > > > I'm trying to configure role access via the Jolokia REST API for the
> >> > > > > > single attribute "Active" on the "org.apache.activemq.artemis" domain.
> >> > > > > >
> >> > > > > > I have a user with a role "monitor" and want them to be able to access
> >> > > > > > nothing but the above attribute via e.g.
> >> > > > > > /console/jolokia/read/org.apache.activemq.artemis:broker=*/Active. The
> >> > > > > > manual regarding management.xml is clear about *method* access e.g.
> >> > > > > > "get*" but has no examples for *attribute* access.
> >> > > > > >
> >> > > > > > Having spent about an hour on it I'm really stuck. Any help would be
> >> > > > > > appreciated.
> >> > > > > >
> >> > > > > >
> >> > > > > > Cheers,
> >> > > > > >
> >> > > > > > Dave
> >> > > > > >
> >> > > > >
> >> > > >
> >> > >
> >> >
> >>
> >
>
