There is still more to this (final message but for the sake of
completeness) -

1. In Artemis 2.16 nothing makes it work in Kubernetes but it works in
Docker
2. In Artemis 2.17+ it works in Kubernetes but only if the
com.sun.management.jmxremote system properties are unset.  The vromero
docker image enables remote JMX if using the JMX exporter but the latter
doesn't require remote JMX (which is kind of the point of it).

So it seems that something relevant changed between v2.16 & v2.17 perhaps
on one of the Hawtio/management tickets.


Thanks again,

Dave
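
As an added example (not code from the thread, the vromero image or the Artemis project), here is the check a practitioner would run against the pod before and after unsetting the com.sun.management.jmxremote properties: it parses a JVM argument string, reports a remote JMX listener whose authentication or TLS is switched off, and returns the same argument string with those properties removed while the -javaagent exporter (which reads MBeans in-process and needs no remote listener) is kept. The JAVA_ARGS string and the pod spec are constructed for the example, modelled on what is quoted later in the thread with the cluster password left out; the ENABLE_JMX/JAVA_ARGS environment layout of the pod spec is an assumption, not something the thread shows.

```python
"""Added example (not from the thread, the vromero image or the Artemis
project): audit a JVM argument string for remote-JMX flags and produce the
hardened form, i.e. every com.sun.management.jmxremote* property removed."""
import shlex

JMXREMOTE = "com.sun.management.jmxremote"


def parse_dprops(args):
    """Map of -Dkey=value system properties in a JVM argument string.
    A bare -Dkey without '=' is recorded as 'true', as the JVM treats it."""
    props = {}
    for tok in shlex.split(args):
        if tok.startswith("-D"):
            key, sep, val = tok[2:].partition("=")
            props[key] = val if sep else "true"
    return props


def audit_remote_jmx(args):
    """Return a list of findings; empty means no remote JMX listener.
    Remote JMX is only opened when jmxremote.port is set; the JVM then
    defaults authenticate and ssl to true unless they are explicitly
    disabled, which is exactly what the ENABLE_JMX flags did."""
    props = parse_dprops(args)
    port = props.get(JMXREMOTE + ".port")
    if port is None:
        return []
    findings = ["remote JMX enabled on port " + port]
    if props.get(JMXREMOTE + ".authenticate", "true").lower() == "false":
        findings.append("jmxremote.authenticate=false: anyone reaching the port "
                        "gets unauthenticated MBean access")
    if props.get(JMXREMOTE + ".ssl", "true").lower() == "false":
        findings.append("jmxremote.ssl=false: JMX/RMI traffic is cleartext")
    return findings


def strip_remote_jmx(args):
    """Drop every -Dcom.sun.management.jmxremote* property and keep the rest,
    including the -javaagent exporter, which does not need a remote listener."""
    kept = [t for t in shlex.split(args) if not t.startswith("-D" + JMXREMOTE)]
    return " ".join(shlex.quote(t) for t in kept)


def audit_pod_spec(pod):
    """Scan a pod object (shape of `kubectl get pod -o json`) for the same
    flags in each container's command, args and env values."""
    report = {}
    for c in pod["spec"]["containers"]:
        pieces = c.get("command", []) + c.get("args", [])
        pieces += [e.get("value", "") for e in c.get("env", [])]
        findings = audit_remote_jmx(" ".join(pieces))
        if findings:
            report[c["name"]] = findings
    return report


# Constructed sample, modelled on the JAVA_ARGS quoted in the thread
# (cluster password and cluster-specific values omitted).
SAMPLE_ARGS = (
    "-javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:"
    "/opt/jmx-exporter/etc/jmx-exporter-config.yaml "
    "-Dcom.sun.management.jmxremote=true "
    "-Dcom.sun.management.jmxremote.port=1099 "
    "-Dcom.sun.management.jmxremote.rmi.port=1098 "
    "-Dcom.sun.management.jmxremote.ssl=false "
    "-Dcom.sun.management.jmxremote.authenticate=false "
    "-Dhawtio.authenticationEnabled=true -Dhawtio.realm=activemq "
    "-Djolokia.policyLocation=file:/var/lib/artemis/etc/jolokia-access.xml"
)

# Constructed pod spec; the ENABLE_JMX + JAVA_ARGS environment layout is an
# assumption about the image, not something the thread shows.
SAMPLE_POD = {"spec": {"containers": [
    {"name": "artemis", "args": ["run"],
     "env": [{"name": "ENABLE_JMX", "value": "true"},
             {"name": "JAVA_ARGS", "value": SAMPLE_ARGS}]},
    # local-only JMX (no .port): not reported
    {"name": "sidecar", "args": ["-Dcom.sun.management.jmxremote=true"]},
]}}

if __name__ == "__main__":
    for line in audit_remote_jmx(SAMPLE_ARGS):
        print("FINDING:", line)
    print("hardened:", strip_remote_jmx(SAMPLE_ARGS))
    print("pod report:", audit_pod_spec(SAMPLE_POD))
```

Run it against the output of `kubectl get pod artemis-0 -o json` (loaded with `json.load`) to get the per-container report; a container that only sets `-Dcom.sun.management.jmxremote=true` without a port is deliberately not reported, since that enables local monitoring only.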



On Mon, 6 Dec 2021 at 12:41, Tim Bain <tb...@alumni.duke.edu> wrote:

> Great, I'm glad you were able to figure it out, and thanks for sharing the
> root cause once you found it.
>
> Tim
>
> On Mon, Dec 6, 2021, 5:24 AM David Martin <dav...@qoritek.com> wrote:
>
> > Domenico, Tim,
> >
> > I've figured it out.
> >
> > On further investigation, the kubernetes command params included the
> > following :
> >
> > -javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml
> > -Dcom.sun.management.jmxremote=true
> > -Dcom.sun.management.jmxremote.port=1099
> > -Dcom.sun.management.jmxremote.rmi.port=1098
> > -Dcom.sun.management.jmxremote.ssl=false
> > -Dcom.sun.management.jmxremote.authenticate=false
> >
> > but the docker command params did not.
> >
> > This was due to setting the ENABLE_JMX option supported by this Docker
> > image.
> >
> > Seems that these parameters altered Hawtio's behaviour -
> > -Dcom.sun.management.jmxremote.authenticate=false perhaps?
> >
> > Thanks for all of your help,
> >
> >
> > Dave
> >
> >
> >
> > On Mon, 6 Dec 2021 at 10:33, David Martin <dav...@qoritek.com> wrote:
> >
> > > Hi Domenico,
> > >
> > > root@artemis-0:/var/lib/artemis/etc# ls -l
> > > total 44
> > > -rw-r--r-- 1 artemis artemis   992 Dec  6 10:17 artemis-roles.properties
> > > -rw-r--r-- 1 artemis artemis  1192 Dec  6 10:17 artemis-users.properties
> > > -rw-r--r-- 1 artemis artemis  3880 Dec  6 10:17 artemis.profile
> > > -rw-r--r-- 1 artemis artemis  1495 Dec  3 14:30 bootstrap.xml
> > > -rw-r--r-- 1 root    root    11395 Dec  6 10:17 broker.xml
> > > -rw-r--r-- 1 artemis artemis  1448 Dec  6 10:17 jolokia-access.xml
> > > -rw-r--r-- 1 artemis artemis  3942 Dec  6 10:17 logging.properties
> > > -rw-r--r-- 1 artemis artemis  1086 Dec  3 14:30 login.config
> > > -rw-r--r-- 1 artemis artemis  2466 Dec  6 10:17 management.xml
> > >
> > > Attached the contents of this folder as requested. The same works as
> > > expected with Docker but not with k8s.
> > >
> > >
> > > Thanks,
> > >
> > > Dave
> > >
> > >
> > >
> > > On Fri, 3 Dec 2021 at 16:45, Domenico Francesco Bruscino <
> > > bruscin...@gmail.com> wrote:
> > >
> > >> Hi Dave,
> > >>
> > >> could you get the artemis etc folder from your kubernetes container
> > >> and share it?
> > >>
> > >> Thanks,
> > >> Domenico
> > >>
> > >>
> > >> On Fri, 3 Dec 2021 at 17:17, David Martin <dav...@qoritek.com> wrote:
> > >>
> > >> > Hi Domenico,
> > >> >
> > >> > Thanks - after further experimentation it appears to be related to
> > >> > Kubernetes but it's pretty baffling (to me at least). It works in Docker.
> > >> >
> > >> > The build steps are essentially the same as yours, executed via a
> > >> > Dockerfile (https://github.com/vromero/activemq-artemis-docker/blob/master/src/Dockerfile) -
> > >> >
> > >> > "/opt/apache-artemis-${ACTIVEMQ_ARTEMIS_VERSION}/bin/artemis" create
> > >> > artemis \
> > >> > --home /opt/apache-artemis \
> > >> > --user artemis \
> > >> > --password simetraehcapa \
> > >> > --role amq \
> > >> > --require-login \
> > >> > --cluster-user artemisCluster \
> > >> > --cluster-password simetraehcaparetsulc ; \
> > >> >
> > >> > The only other thing it changes is binding to 0.0.0.0 in Jolokia instead of localhost.
> > >> >
> > >> > Then I have sed commands quite similar to yours.
> > >> >
> > >> > sed -i "s#\(HAWTIO_ROLE='amq\)#\1,amqro,monitor#" artemis.profile
> > >> > sed -i 's#\(<access method="\(list\|get\|is\)\*" roles="amq\)"#\1,amqro"#;
> > >> >         s#\(\.activemq\.artemis">\)#\1\n            <access method="isActive" roles="amq,amqro,monitor"/>#' management.xml
> > >> > sed -i 's#\(<restrict>\)#\1\n  <remote>\n    <host>127.0.0.1</host>\n    <host>localhost</host>\n    <host>10.0.0.0/8</host>\n    <host>172.16.0.0/12</host>\n    <host>192.168.0.0/16</host>\n  </remote>#' jolokia-access.xml
> > >> >
> > >> > When I run the image in docker, it works. The API works as per your
> > >> > examples and when I use the console as the monitor user, everything is
> > >> > locked down except for the Active property in JMX.
> > >> >
> > >> > When I run it in Kubernetes with the same image and env vars (accessing via
> > >> > a nodeport or via kubectl port-forward) it doesn't. Any API method is
> > >> > accessible and the console functionality is unlocked regardless of my user,
> > >> > although in the JMX tab I cannot invoke any operations (though I can view
> > >> > all the properties). If I put debugging on jaas I can see it authenticating
> > >> > the right user.
> > >> >
> > >> > I guess you may not want to help with a 3rd party docker image. I may have
> > >> > to resort to an NGINX sidecar to get the user name from the Authorization
> > >> > header and filter it that way!
> > >> >
> > >> > I've tried building versions 2.16 and 2.18, same outcome.
> > >> >
> > >> >
> > >> > Many thanks,
> > >> >
> > >> > Dave
> > >> >
> > >> >
> > >> >
> > >> >
> > >> > On Thu, 2 Dec 2021 at 21:45, Domenico Francesco Bruscino <
> > >> > bruscin...@gmail.com> wrote:
> > >> >
> > >> > > Hi Dave,
> > >> > >
> > >> > > I'm not able to reproduce your issue executing the following steps:
> > >> > >
> > >> > > 1) create a new broker instance:
> > >> > > ./bin/artemis create broker --user admin --password admin --require-login
> > >> > >
> > >> > > 2) add test user with monitor role
> > >> > > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> > >> > > echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties
> > >> > >
> > >> > > 3) add rtest user with amqro role
> > >> > > echo -e "\nrtest = rtest" >> ./broker/etc/artemis-users.properties
> > >> > > echo -e "\namqro = rtest" >> ./broker/etc/artemis-roles.properties
> > >> > >
> > >> > > 4) add the monitor role to HAWTIO_ROLE in artemis.profile
> > >> > > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,amqro,monitor'/" ./broker/etc/artemis.profile
> > >> > >
> > >> > > 5) add the access for the isActive method in management.xml
> > >> > > sed -i 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\ method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml
> > >> > >
> > >> > > 6) add the access for amqro in management.xml
> > >> > > sed -i 's/amq/amq,amqro/' ./broker/etc/management.xml
> > >> > >
> > >> > > 7) run the broker
> > >> > > ./broker/bin/artemis run
> > >> > >
> > >> > > 8) read the Active attribute with test user (monitor role)
> > >> > > curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/Active
> > >> > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
> > >> > >
> > >> > > 9) read the AddressMemoryUsage attribute with test user (monitor role)
> > >> > > curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/AddressMemoryUsage
> > >> > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"error_type":"java.lang.Exception","error":"java.lang.Exception : User not authorized to access attribute: AddressMemoryUsage","status":403}
> > >> > >
> > >> > > 10) read the AddressMemoryUsage attribute with rtest user (amqro role)
> > >> > > curl -H "Origin:http://localhost:8161" -u rtest:rtest http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/AddressMemoryUsage
> > >> > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638481397,"status":200}
> > >> > >
> > >> > > Could you add the steps to reproduce your issue?
> > >> > >
> > >> > > Regards,
> > >> > > Domenico
> > >> > >
> > >> > > On Thu, 2 Dec 2021 at 13:43, David Martin <dav...@qoritek.com> wrote:
> > >> > >
> > >> > > > Hi Domenico,
> > >> > > >
> > >> > > > Following up on this I decided to try adding a readonly console user
> > >> > > > with the role "amqro" and that is when I discovered that the users in
> > >> > > > HAWTIO_ROLE have unencumbered access to both the console and the Jolokia
> > >> > > > REST API.
> > >> > > >
> > >> > > > 1/ Even the user with the monitor role can log in to the console and do
> > >> > > > things like delete queues and connections.
> > >> > > >
> > >> > > > 2/ User with monitor role able to invoke other methods than /Active e.g.
> > >> > > > /AddressMemoryUsage (verified username/password with base64 -d) -
> > >> > > >
> > >> > > > $ curl -H "Origin: $(hostname -i)" -H 'Authorization: Basic xxxxx' 'http://localhost:31161/console/jolokia/read/org.apache.activemq.artemis:broker=!%22artemis-0!%22/AddressMemoryUsage'
> > >> > > >
> > >> > > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"artemis-0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638448344,"status":200}
> > >> > > >
> > >> > > > 3/ management.xml -
> > >> > > >
> > >> > > > <management-context xmlns="http://activemq.org/schema">
> > >> > > >    <!--<connector connector-port="1099"/>-->
> > >> > > >    <authorisation>
> > >> > > >       <whitelist>
> > >> > > >          <entry domain="hawtio"/>
> > >> > > >       </whitelist>
> > >> > > >       <default-access>
> > >> > > >          <access method="list*" roles="amq,amqro"/>
> > >> > > >          <access method="get*" roles="amq,amqro"/>
> > >> > > >          <access method="is*" roles="amq,amqro"/>
> > >> > > >          <access method="set*" roles="amq"/>
> > >> > > >          <access method="*" roles="amq"/>
> > >> > > >       </default-access>
> > >> > > >       <role-access>
> > >> > > >          <match domain="org.apache.activemq.artemis">
> > >> > > >             <access method="isActive" roles="amq,amqro,monitor"/>
> > >> > > >             <access method="list*" roles="amq,amqro"/>
> > >> > > >             <access method="get*" roles="amq,amqro"/>
> > >> > > >             <access method="is*" roles="amq,amqro"/>
> > >> > > >             <access method="set*" roles="amq"/>
> > >> > > >             <access method="*" roles="amq"/>
> > >> > > >          </match>
> > >> > > >          <!--example of how to configure a specific object-->
> > >> > > >          <!--<match domain="org.apache.activemq.artemis"
> > >> > > > key="subcomponent=queues">
> > >> > > >             <access method="list*" roles="view,update,amq"/>
> > >> > > >             <access method="get*" roles="view,update,amq"/>
> > >> > > >             <access method="is*" roles="view,update,amq"/>
> > >> > > >             <access method="set*" roles="update,amq"/>
> > >> > > >             <access method="*" roles="amq"/>
> > >> > > >          </match>-->
> > >> > > >       </role-access>
> > >> > > >    </authorisation>
> > >> > > > </management-context>
> > >> > > >
> > >> > > > 4/ artemis-profile -
> > >> > > >
> > >> > > > # Hawtio Properties
> > >> > > > HAWTIO_ROLE='amq,amqro,monitor'
> > >> > > >
> > >> > > > # Java Opts
> > >> > > > if [ -z "$JAVA_ARGS" ]; then
> > >> > > >  JAVA_ARGS="$BROKER_CONFIGS
> > >> > > > -javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml
> > >> > > > -Dcom.sun.management.jmxremote=true
> > >> > > > -Dcom.sun.management.jmxremote.port=1099
> > >> > > > -Dcom.sun.management.jmxremote.rmi.port=1098
> > >> > > > -Dcom.sun.management.jmxremote.ssl=false
> > >> > > > -Dcom.sun.management.jmxremote.authenticate=false
> > >> > > > -Dipv4addr=$(hostname -f)
> > >> > > > -Ddomain=artemis-headless.sis-247.svc.cluster.local
> > >> > > > -Dcluster.password=2b186afe-4e99-4a33-a47f-042df1fadd1d
> > >> > > > -Dcrmt.poll.cron=0_0/2_*_*_*_? -Dcrmt.jwt=mockDoesNotCheckIt
> > >> > > > -Dpage.size=2097152 -Dpaging.threshold=10485760
> > >> > > > -Dmin.large.message.size=204800 -Dsecurity.invalidation.interval=600000
> > >> > > > -Dhawtio.authenticationEnabled=true -Djava.net.preferIPv4Addresses=true
> > >> > > > -Djava.net.preferIPv4Stack=true -XX:+UnlockExperimentalVMOptions
> > >> > > > -XX:+UseCGroupMemoryLimitForHeap -XX:MaxRAMFraction=2
> > >> > > > -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+UseStringDeduplication
> > >> > > > -Dhawtio.disableProxy=true -Dhawtio.realm=activemq -Dhawtio.offline=true
> > >> > > > -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal
> > >> > > > -Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml"
> > >> > > > fi
> > >> > > >
> > >> > > > Do you or anyone in this group have any suggestions on how the monitor
> > >> > > > (and amqro) roles can be actually restricted? I tried adding
> > >> > > > -Dhawtio.authenticationEnabled=true but that had no effect.
> > >> > > >
> > >> > > >
> > >> > > > Thanks for your help,
> > >> > > >
> > >> > > >
> > >> > > > Dave
> > >> > > >
> > >> > > >
> > >> > > >
> > >> > > > On Thu, 18 Nov 2021 at 21:34, Domenico Francesco Bruscino <
> > >> > > > bruscin...@gmail.com> wrote:
> > >> > > >
> > >> > > > > Hi Dave,
> > >> > > > >
> > >> > > > > you need to add the monitor role to HAWTIO_ROLE in artemis.profile and
> > >> > > > > the access for the isActive method in management.xml.
> > >> > > > >
> > >> > > > > Execute the following steps to get a working example:
> > >> > > > >
> > >> > > > > 1) create a new broker instance:
> > >> > > > > ./bin/artemis create broker --user admin --password admin --require-login
> > >> > > > >
> > >> > > > > 2) add test user with monitor role
> > >> > > > > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties
> > >> > > > > echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties
> > >> > > > >
> > >> > > > > 3) add the monitor role to HAWTIO_ROLE in artemis.profile
> > >> > > > > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,monitor'/" ./broker/etc/artemis.profile
> > >> > > > >
> > >> > > > > 4) add the access for the isActive method in management.xml
> > >> > > > > sed -i 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\ method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml
> > >> > > > >
> > >> > > > > 5) run the broker
> > >> > > > > ./broker/bin/artemis run
> > >> > > > >
> > >> > > > > 6) read the Active attribute
> > >> > > > > curl -H "Origin:http://localhost:8161" -u test:test http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/Active
> > >> > > > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200}
> > >> > > > >
> > >> > > > > Regards,
> > >> > > > > Domenico
> > >> > > > >
> > >> > > > > On Thu, 18 Nov 2021 at 18:16, David Martin <dav...@qoritek.com> wrote:
> > >> > > > >
> > >> > > > > > Hi all,
> > >> > > > > >
> > >> > > > > > I'm trying to configure role access via the Jolokia REST API for the
> > >> > > > > > single attribute "Active" on the "org.apache.activemq.artemis" domain.
> > >> > > > > >
> > >> > > > > > I have a user with a role "monitor" and want them to be able to access
> > >> > > > > > nothing but the above attribute via e.g.
> > >> > > > > > /console/jolokia/read/org.apache.activemq.artemis:broker=*/Active. The
> > >> > > > > > manual regarding management.xml is clear about *method* access e.g. "get*"
> > >> > > > > > but has no examples for *attribute* access.
> > >> > > > > >
> > >> > > > > > Having spent about an hour on it I'm really stuck. Any help would be
> > >> > > > > > appreciated.
> > >> > > > > >
> > >> > > > > >
> > >> > > > > > Cheers,
> > >> > > > > >
> > >> > > > > > Dave
> > >> > > > > >
> > >> > > > >
> > >> > > >
> > >> > >
> > >> >
> > >>
> > >
> >
>
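
The thread's working example (an isActive rule that lets the monitor role read Active while AddressMemoryUsage still returns 403 for it, and amqro covered by the get*/is*/list* rules) is easy to get wrong by hand, because HAWTIO_ROLE only decides who may log in to the console and management.xml decides what a logged-in role may invoke. As an added example, not code from the thread or the Artemis project, the script below evaluates such a policy offline so the role matrix can be checked before the Jolokia endpoint is exposed. The matching rules it models (exact method name first, then a 'prefix*' rule, then '*'; a match for the MBean's domain overrides default-access; whitelisted domains skip the check) are a simplified reading of the behaviour the thread's outputs show, not Artemis's own guard code, and the management.xml it parses is constructed inline from the one quoted in the thread. The mapping of an attribute read to isActive/get<Attr> follows the thread's own results (the Active read passing through an isActive rule, AddressMemoryUsage being refused under get*).

```python
"""Added example (not from the thread or the Artemis project): evaluate a
management.xml role-access policy offline. The matching order modelled here
is a simplified reading of the behaviour seen in the thread, not a copy of
Artemis's guard implementation."""
import xml.etree.ElementTree as ET

NS = "{http://activemq.org/schema}"

# Constructed policy: the thread's management.xml with the isActive rule
# that lets the monitor role read Active and nothing else.
MANAGEMENT_XML = """<management-context xmlns="http://activemq.org/schema">
  <authorisation>
    <whitelist><entry domain="hawtio"/></whitelist>
    <default-access>
      <access method="list*" roles="amq,amqro"/>
      <access method="get*" roles="amq,amqro"/>
      <access method="is*" roles="amq,amqro"/>
      <access method="set*" roles="amq"/>
      <access method="*" roles="amq"/>
    </default-access>
    <role-access>
      <match domain="org.apache.activemq.artemis">
        <access method="isActive" roles="amq,amqro,monitor"/>
        <access method="list*" roles="amq,amqro"/>
        <access method="get*" roles="amq,amqro"/>
        <access method="is*" roles="amq,amqro"/>
        <access method="set*" roles="amq"/>
        <access method="*" roles="amq"/>
      </match>
    </role-access>
  </authorisation>
</management-context>"""


def _rules(elem):
    """(method pattern, set of roles) pairs of an element's <access> children."""
    return [(a.get("method"), {r.strip() for r in a.get("roles").split(",")})
            for a in elem.findall(NS + "access")]


def load_policy(xml_text):
    auth = ET.fromstring(xml_text).find(NS + "authorisation")
    return {
        "whitelist": {e.get("domain") for e in auth.iter(NS + "entry")},
        "default": _rules(auth.find(NS + "default-access")),
        "matches": [(m.get("domain"), m.get("key"), _rules(m))
                    for m in auth.find(NS + "role-access").findall(NS + "match")],
    }


def _rules_for(policy, domain, key=None):
    """Most specific <match> (domain, plus key when the match has one),
    otherwise <default-access>."""
    best = None
    for m_domain, m_key, rules in policy["matches"]:
        if m_domain != domain or (m_key and m_key != key):
            continue
        if best is None or (m_key and best[0] is None):
            best = (m_key, rules)
    return best[1] if best else policy["default"]


def roles_for_method(rules, method):
    """Roles allowed to call `method` under one rule set."""
    for pattern, roles in rules:
        if pattern == method:            # exact rule, e.g. isActive
            return roles
    prefixed = [(p, r) for p, r in rules
                if p.endswith("*") and method.startswith(p[:-1])]
    if not prefixed:
        return set()
    return max(prefixed, key=lambda pr: len(pr[0]))[1]   # get* beats *


def is_allowed(policy, domain, method, user_roles, key=None):
    if domain in policy["whitelist"]:
        return True
    allowed = roles_for_method(_rules_for(policy, domain, key), method)
    return bool(allowed & set(user_roles))


def read_method(attribute, boolean=False):
    """Method an attribute read is checked as: the thread shows Active going
    through an isActive rule and AddressMemoryUsage falling under get*."""
    return ("is" if boolean else "get") + attribute


def console_login_allowed(user_roles, hawtio_role="amq,amqro,monitor"):
    """HAWTIO_ROLE gates console login only; what a logged-in role may call
    is decided by management.xml."""
    return bool(set(user_roles) & {r.strip() for r in hawtio_role.split(",")})


if __name__ == "__main__":
    policy = load_policy(MANAGEMENT_XML)
    broker = "org.apache.activemq.artemis"
    for roles, method in [(["monitor"], read_method("Active", boolean=True)),
                          (["monitor"], read_method("AddressMemoryUsage")),
                          (["amqro"], read_method("AddressMemoryUsage")),
                          (["amqro"], "destroyQueue"),
                          (["amq"], "destroyQueue")]:
        print(roles, method, is_allowed(policy, broker, method, roles))
```

Point `load_policy` at the real `etc/management.xml` of the instance and iterate over the roles in HAWTIO_ROLE to see the full matrix; any role that resolves to the `*` rule can invoke queue deletion and similar operations, which is what the thread observed when the Kubernetes pod behaved as if no policy applied.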
