Great, I'm glad you were able to figure it out, and thanks for sharing the root cause once you found it.
Tim

On Mon, Dec 6, 2021, 5:24 AM David Martin <dav...@qoritek.com> wrote:

> Domenico, Tim,
>
> I've figured it out.
>
> On further investigation, the kubernetes command params included the following:
>
> -javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml
> -Dcom.sun.management.jmxremote=true
> -Dcom.sun.management.jmxremote.port=1099
> -Dcom.sun.management.jmxremote.rmi.port=1098
> -Dcom.sun.management.jmxremote.ssl=false
> -Dcom.sun.management.jmxremote.authenticate=false
>
> but the docker command params did not.
>
> This was due to setting the ENABLE_JMX option supported by this Docker image.
>
> Seems that these parameters altered Hawtio's behaviour - -Dcom.sun.management.jmxremote.authenticate=false perhaps?
>
> Thanks for all of your help,
>
> Dave
>
> On Mon, 6 Dec 2021 at 10:33, David Martin <dav...@qoritek.com> wrote:
>
> > Hi Domenico,
> >
> > root@artemis-0:/var/lib/artemis/etc# ls -l
> > total 44
> > -rw-r--r-- 1 artemis artemis   992 Dec  6 10:17 artemis-roles.properties
> > -rw-r--r-- 1 artemis artemis  1192 Dec  6 10:17 artemis-users.properties
> > -rw-r--r-- 1 artemis artemis  3880 Dec  6 10:17 artemis.profile
> > -rw-r--r-- 1 artemis artemis  1495 Dec  3 14:30 bootstrap.xml
> > -rw-r--r-- 1 root    root    11395 Dec  6 10:17 broker.xml
> > -rw-r--r-- 1 artemis artemis  1448 Dec  6 10:17 jolokia-access.xml
> > -rw-r--r-- 1 artemis artemis  3942 Dec  6 10:17 logging.properties
> > -rw-r--r-- 1 artemis artemis  1086 Dec  3 14:30 login.config
> > -rw-r--r-- 1 artemis artemis  2466 Dec  6 10:17 management.xml
> >
> > Attached the contents of this folder as requested. The same works as expected with Docker but not with k8s.
> >
> > Thanks,
> >
> > Dave
> >
> > On Fri, 3 Dec 2021 at 16:45, Domenico Francesco Bruscino <bruscin...@gmail.com> wrote:
> >
> >> Hi Dave,
> >>
> >> could you get the artemis etc folder from your kubernetes container and share it?
> >>
> >> Thanks,
> >> Domenico
> >>
> >> On Fri, 3 Dec 2021 at 17:17, David Martin <dav...@qoritek.com> wrote:
> >>
> >> > Hi Domenico,
> >> >
> >> > Thanks - after further experimentation it appears to be related to Kubernetes but it's pretty baffling (to me at least). It works in Docker.
> >> >
> >> > The build steps are essentially the same as yours, executed via a Dockerfile (https://github.com/vromero/activemq-artemis-docker/blob/master/src/Dockerfile) -
> >> >
> >> > "/opt/apache-artemis-${ACTIVEMQ_ARTEMIS_VERSION}/bin/artemis" create artemis \
> >> >   --home /opt/apache-artemis \
> >> >   --user artemis \
> >> >   --password simetraehcapa \
> >> >   --role amq \
> >> >   --require-login \
> >> >   --cluster-user artemisCluster \
> >> >   --cluster-password simetraehcaparetsulc ; \
> >> >
> >> > The only other thing it changes is binding to 0.0.0.0 in Jolokia instead of localhost.
> >> >
> >> > Then I have sed commands quite similar to yours.
> >> >
> >> > sed -i "s#\(HAWTIO_ROLE='amq\)#\1,amqro,monitor#" artemis.profile
> >> > sed -i 's#\(<access method="\(list\|get\|is\)\*" roles="amq\)"#\1,amqro"#; s#\(\.activemq\.artemis">\)#\1\n <access method="isActive" roles="amq,amqro,monitor"/>#' management.xml
> >> > sed -i 's#\(<restrict>\)#\1\n <remote>\n <host>127.0.0.1</host>\n <host>localhost</host>\n <host>10.0.0.0/8</host> \
> >> >   <host>172.16.0.0/12</host>\n <host>192.168.0.0/16</host>\n </remote>#' jolokia-access.xml
> >> >
> >> > When I run the image in docker, it works. The API works as per your examples and when I use the console as the monitor user, everything is locked down except for the Active property in JMX.
> >> >
> >> > When I run it in Kubernetes with the same image and env vars (accessing via a nodeport or via kubectl port-forward) it doesn't. Any API method is accessible and the console functionality is unlocked regardless of my user, although in the JMX tab I cannot invoke any operations (though I can view all the properties). If I put debugging on jaas I can see it authenticating the right user.
> >> >
> >> > I guess you may not want to help with a 3rd party docker image. I may have to resort to an NGINX sidecar to get the user name from the Authorization header and filter it that way!
> >> >
> >> > I've tried building versions 2.16 and 2.18, same outcome.
> >> >
> >> > Many thanks,
> >> >
> >> > Dave
> >> >
> >> > On Thu, 2 Dec 2021 at 21:45, Domenico Francesco Bruscino <bruscin...@gmail.com> wrote:
> >> >
> >> > > Hi Dave,
> >> > >
> >> > > I'm not able to reproduce your issue executing the following steps:
> >> > >
> >> > > 1) create a new broker instance:
> >> > > ./bin/artemis create broker --user admin --password admin --require-login
> >> > >
> >> > > 2) add test user with monitor role
> >> > > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> >> > > echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties
> >> > >
> >> > > 3) add rtest user with amqro role
> >> > > echo -e "\nrtest = rtest" >> ./broker/etc/artemis-users.properties
> >> > > echo -e "\namqro = rtest" >> ./broker/etc/artemis-roles.properties
> >> > >
> >> > > 4) add the monitor role to HAWTIO_ROLE in artemis.profile
> >> > > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,amqro,monitor'/" ./broker/etc/artemis.profile
> >> > >
> >> > > 5) add the access for the isActive method in management.xml
> >> > > sed -i 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\ method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml
> >> > >
> >> > > 6) add the access for amqro in management.xml
> >> > > sed -i 's/amq/amq,amqro/' ./broker/etc/management.xml
> >> > >
> >> > > 5) run the broker
> >> > > ./broker/bin/artemis run
> >> > >
> >> > > 6) read the Active attribute with test user (monitor role)
> >> > > curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/Active
> >> > >
> >> > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
> >> > >
> >> > > 7) read the AddressMemoryUsage attribute with test user (monitor role)
> >> > > curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/AddressMemoryUsage
> >> > >
> >> > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"error_type":"java.lang.Exception","error":"java.lang.Exception : User not authorized to access attribute: AddressMemoryUsage","status":403}
> >> > >
> >> > > 7) read the AddressMemoryUsage attribute with rtest user (amqro role)
> >> > > curl -H "Origin:http://localhost:8161" -u rtest:rtest http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/AddressMemoryUsage
> >> > >
> >> > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638481397,"status":200}
> >> > >
> >> > > Could you add the steps to reproduce your issue?
> >> > >
> >> > > Regards,
> >> > > Domenico
> >> > >
> >> > > On Thu, 2 Dec 2021 at 13:43, David Martin <dav...@qoritek.com> wrote:
> >> > >
> >> > > > Hi Domenico,
> >> > > >
> >> > > > Following up on this I decided to try adding a readonly console user with the role "amqro" and that is when I discovered that the users in HAWTIO_ROLE have unencumbered access to both the console and the Jolokia REST API.
> >> > > >
> >> > > > 1/ Even the user with the monitor role can log in to the console and do things like delete queues and connections.
> >> > > >
> >> > > > 2/ User with monitor role able to invoke other methods than /Active e.g. /AddressMemoryUsage (verified username/password with base64 -d) -
> >> > > >
> >> > > > $ curl -H 'Origin: $(hostname -i)' -H 'Authorization: Basic xxxxx' 'http://localhost:31161/console/jolokia/read/org.apache.activemq.artemis:broker=!%22artemis-0!%22/AddressMemoryUsage'
> >> > > >
> >> > > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"artemis-0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638448344,"status":200}
> >> > > >
> >> > > > 3/ management.xml -
> >> > > >
> >> > > > <management-context xmlns="http://activemq.org/schema">
> >> > > >    <!--<connector connector-port="1099"/>-->
> >> > > >    <authorisation>
> >> > > >       <whitelist>
> >> > > >          <entry domain="hawtio"/>
> >> > > >       </whitelist>
> >> > > >       <default-access>
> >> > > >          <access method="list*" roles="amq,amqro"/>
> >> > > >          <access method="get*" roles="amq,amqro"/>
> >> > > >          <access method="is*" roles="amq,amqro"/>
> >> > > >          <access method="set*" roles="amq"/>
> >> > > >          <access method="*" roles="amq"/>
> >> > > >       </default-access>
> >> > > >       <role-access>
> >> > > >          <match domain="org.apache.activemq.artemis">
> >> > > >             <access method="isActive" roles="amq,amqro,monitor"/>
> >> > > >             <access method="list*" roles="amq,amqro"/>
> >> > > >             <access method="get*" roles="amq,amqro"/>
> >> > > >             <access method="is*" roles="amq,amqro"/>
> >> > > >             <access method="set*" roles="amq"/>
> >> > > >             <access method="*" roles="amq"/>
> >> > > >          </match>
> >> > > >          <!--example of how to configure a specific object-->
> >> > > >          <!--<match domain="org.apache.activemq.artemis" key="subcomponent=queues">
> >> > > >             <access method="list*" roles="view,update,amq"/>
> >> > > >             <access method="get*" roles="view,update,amq"/>
> >> > > >             <access method="is*" roles="view,update,amq"/>
> >> > > >             <access method="set*" roles="update,amq"/>
> >> > > >             <access method="*" roles="amq"/>
> >> > > >          </match>-->
> >> > > >       </role-access>
> >> > > >    </authorisation>
> >> > > > </management-context>
> >> > > >
> >> > > > 4/ artemis.profile -
> >> > > >
> >> > > > # Hawtio Properties
> >> > > > HAWTIO_ROLE='amq,amqro,monitor'
> >> > > >
> >> > > > # Java Opts
> >> > > > if [ -z "$JAVA_ARGS" ]; then
> >> > > >     JAVA_ARGS="$BROKER_CONFIGS
> >> > > >     -javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml
> >> > > >     -Dcom.sun.management.jmxremote=true
> >> > > >     -Dcom.sun.management.jmxremote.port=1099
> >> > > >     -Dcom.sun.management.jmxremote.rmi.port=1098
> >> > > >     -Dcom.sun.management.jmxremote.ssl=false
> >> > > >     -Dcom.sun.management.jmxremote.authenticate=false
> >> > > >     -Dipv4addr=$(hostname -f)
> >> > > >     -Ddomain=artemis-headless.sis-247.svc.cluster.local
> >> > > >     -Dcluster.password=2b186afe-4e99-4a33-a47f-042df1fadd1d
> >> > > >     -Dcrmt.poll.cron=0_0/2_*_*_*_? -Dcrmt.jwt=mockDoesNotCheckIt
> >> > > >     -Dpage.size=2097152 -Dpaging.threshold=10485760
> >> > > >     -Dmin.large.message.size=204800 -Dsecurity.invalidation.interval=600000
> >> > > >     -Dhawtio.authenticationEnabled=true -Djava.net.preferIPv4Addresses=true
> >> > > >     -Djava.net.preferIPv4Stack=true -XX:+UnlockExperimentalVMOptions
> >> > > >     -XX:+UseCGroupMemoryLimitForHeap -XX:MaxRAMFraction=2
> >> > > >     -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+UseStringDeduplication
> >> > > >     -Dhawtio.disableProxy=true -Dhawtio.realm=activemq -Dhawtio.offline=true
> >> > > >     -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal
> >> > > >     -Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml"
> >> > > > fi
> >> > > >
> >> > > > Do you or anyone in this group have any suggestions on how the monitor (and amqro) roles can be actually restricted? I tried adding -Dhawtio.authenticationEnabled=true but that had no effect.
> >> > > >
> >> > > > Thanks for your help,
> >> > > >
> >> > > > Dave
> >> > > >
> >> > > > On Thu, 18 Nov 2021 at 21:34, Domenico Francesco Bruscino <bruscin...@gmail.com> wrote:
> >> > > >
> >> > > > > Hi Dave,
> >> > > > >
> >> > > > > you need to add the monitor role to HAWTIO_ROLE in artemis.profile and the access for the isActive method in management.xml.
> >> > > > >
> >> > > > > Execute the following steps to get a working example:
> >> > > > >
> >> > > > > 1) create a new broker instance:
> >> > > > > ./bin/artemis create broker --user admin --password admin --require-login
> >> > > > >
> >> > > > > 2) add test user with monitor role
> >> > > > > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> >> > > > > echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties
> >> > > > >
> >> > > > > 3) add the monitor role to HAWTIO_ROLE in artemis.profile
> >> > > > > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,monitor'/" ./broker/etc/artemis.profile
> >> > > > >
> >> > > > > 4) add the access for the isActive method in management.xml
> >> > > > > sed -i 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\ method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml
> >> > > > >
> >> > > > > 5) run the broker
> >> > > > > ./broker/bin/artemis run
> >> > > > >
> >> > > > > 6) read the Active attribute
> >> > > > > curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/Active
> >> > > > >
> >> > > > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
> >> > > > >
> >> > > > > Regards,
> >> > > > > Domenico
> >> > > > >
> >> > > > > On Thu, 18 Nov 2021 at 18:16, David Martin <dav...@qoritek.com> wrote:
> >> > > > >
> >> > > > > > Hi all,
> >> > > > > >
> >> > > > > > I'm trying to configure role access via the Jolokia REST API for the single attribute "Active" on the "org.apache.activemq.artemis" domain.
> >> > > > > >
> >> > > > > > I have a user with a role "monitor" and want them to be able to access nothing but the above attribute via e.g. /console/jolokia/read/org.apache.activemq.artemis:broker=*/Active. The manual regarding management.xml is clear about *method* access e.g. "get*" but has no examples for *attribute* access.
> >> > > > > >
> >> > > > > > Having spent about an hour on it I'm really stuck. Any help would be appreciated.
> >> > > > > >
> >> > > > > > Cheers,
> >> > > > > >
> >> > > > > > Dave
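The management.xml role rules that Domenico's steps and Dave's posted file rely on can be reviewed offline before a broker is deployed, which is a cheaper first check than the curl probes in the thread. The script below is an added example written for this page; it is not code from the Apache ActiveMQ Artemis project or from either participant. It parses a management.xml (the sample embedded here is Dave's file from the thread) and resolves which roles may call a method in a domain. The resolution order (exact method name first, then the longest matching wildcard prefix, then default-access) and the Jolokia attribute-to-getter mapping (is<Attr> for booleans, get<Attr> otherwise) are assumptions that reproduce the thread's observed 200/403 results, not a guarantee of the broker's internals. It also flags the JVM flags Dave identified as the root cause, which the policy file itself cannot express.

```python
"""Offline review of an Artemis management.xml access policy and JVM flags.

Added example for this thread; not Artemis project code. Rule resolution
order and the attribute-to-getter mapping are assumptions (see lead-in).
"""
import xml.etree.ElementTree as ET

NS = {"a": "http://activemq.org/schema"}
ARTEMIS_DOMAIN = "org.apache.activemq.artemis"

# Constructed sample: Dave's management.xml from the thread, comments removed.
SAMPLE_POLICY = """<management-context xmlns="http://activemq.org/schema">
  <authorisation>
    <whitelist><entry domain="hawtio"/></whitelist>
    <default-access>
      <access method="list*" roles="amq,amqro"/>
      <access method="get*" roles="amq,amqro"/>
      <access method="is*" roles="amq,amqro"/>
      <access method="set*" roles="amq"/>
      <access method="*" roles="amq"/>
    </default-access>
    <role-access>
      <match domain="org.apache.activemq.artemis">
        <access method="isActive" roles="amq,amqro,monitor"/>
        <access method="list*" roles="amq,amqro"/>
        <access method="get*" roles="amq,amqro"/>
        <access method="is*" roles="amq,amqro"/>
        <access method="set*" roles="amq"/>
        <access method="*" roles="amq"/>
      </match>
    </role-access>
  </authorisation>
</management-context>"""


def _entries(node):
    """Return [(method_pattern, {roles})] for the <access> children of node."""
    if node is None:
        return []
    return [(a.get("method"), {r.strip() for r in a.get("roles", "").split(",") if r.strip()})
            for a in node.findall("a:access", NS)]


def parse_policy(xml_text):
    """Parse management.xml into default rules plus per-domain match blocks."""
    auth = ET.fromstring(xml_text).find("a:authorisation", NS)
    matches = [(m.get("domain"), m.get("key"), _entries(m))
               for m in auth.findall("a:role-access/a:match", NS)]
    return {"default": _entries(auth.find("a:default-access", NS)), "matches": matches}


def _select(entries, method):
    """Exact method name wins; otherwise the longest wildcard prefix (assumption)."""
    for pattern, roles in entries:
        if pattern == method:
            return roles
    best = None
    for pattern, roles in entries:
        if pattern.endswith("*") and method.startswith(pattern[:-1]):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, roles)
    return best[1] if best else set()


def roles_for(policy, domain, method, key=None):
    """Roles allowed to call `method` on an MBean in `domain` (keyed match preferred)."""
    keyed = [e for d, k, e in policy["matches"] if d == domain and k is not None and k == key]
    plain = [e for d, k, e in policy["matches"] if d == domain and k is None]
    entries = keyed[0] if keyed else plain[0] if plain else policy["default"]
    return _select(entries, method)


def is_allowed(policy, user_roles, domain, method, key=None):
    return bool(set(user_roles) & roles_for(policy, domain, method, key))


def attribute_getter(attribute, boolean=False):
    """Jolokia 'read' of an attribute is checked as its getter name (assumption)."""
    return ("is" if boolean else "get") + attribute


def audit_jvm_args(args):
    """Flag JVM flags that open the JMX management plane without authentication or TLS."""
    findings = []
    if "-Dcom.sun.management.jmxremote.authenticate=false" in args:
        findings.append("JMX remote authentication disabled")
    if "-Dcom.sun.management.jmxremote.ssl=false" in args:
        findings.append("JMX remote TLS disabled")
    return findings


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for role, attr, boolean in [("monitor", "Active", True),
                                ("monitor", "AddressMemoryUsage", False),
                                ("amqro", "AddressMemoryUsage", False)]:
        method = attribute_getter(attr, boolean)
        verdict = "allowed" if is_allowed(policy, {role}, ARTEMIS_DOMAIN, method) else "denied"
        print(f"{role:8} {method:24} {verdict}")
    # Constructed sample of the Kubernetes JVM args quoted in the thread.
    print(audit_jvm_args(["-Dcom.sun.management.jmxremote=true",
                          "-Dcom.sun.management.jmxremote.ssl=false",
                          "-Dcom.sun.management.jmxremote.authenticate=false"]))
```

Running it against the sample policy reproduces the thread's expected outcome (monitor may read Active, may not read AddressMemoryUsage, amqro may read it but may not invoke set*/destroy-style methods). When the live broker disagrees with this static verdict, as it did in Dave's Kubernetes deployment, the difference comes from something outside management.xml, which is where the JVM-flag audit points.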