When you say "cluster environment" are you talking about multiple master
brokers or just a single master/slave pair? ActiveMQBasicSecurityManager
only provides synchronization between master/slave pairs. It doesn't
provide any synchronization for multiple master brokers. You'd need to use
a centralized repository for that (e.g. LDAP).


Justin

On Thu, Mar 24, 2022 at 11:01 AM Vilius Šumskas <[email protected]>
wrote:

> Hello list,
>
> since, according to the documentation, the PropertiesLogin JAAS module is not
> recommended for production use, and .properties files are not synced in a
> cluster environment, we are now searching for possible authentication
> alternatives.
>
> At first I thought to build a Keycloak cluster, but reading through
> documentation I found that there is such a thing as
> ActiveMQBasicSecurityManager which should be enough (our case: thousands of
> external MQ clients using different Artemis user each, to separate their
> JMS queue data).
>
> Unfortunately the documentation is a bit scarce on examples of how exactly
> ActiveMQBasicSecurityManager is configured, and an internet search returns
> almost nothing, so I’m sorry in advance for a lot of questions.
>
>   1.  Is it enough to configure <security-manager> in bootstrap.xml? Do I
> need to remove <jaas-security domain="activemq"/> line? Do I also somehow
> change login.config? Currently it is configured to use default
> PropertiesLogin JAAS module.
>   2.  How do I separate Hawtio authentication from broker authentication?
> Does this mean I have to separate default “activemq” realm, use that
> different realm when starting Hawtio and then change login.config so it
> includes both realms using different authentication modules?
>   3.  If the above answer is yes, is there an example somewhere how
> ActiveMQBasicSecurityManager is configured in login.config and what are the
> options?
>   4.  Can I use the same .properties file for both, populate
> ActiveMQBasicSecurityManager bootstrap user credentials, and Hawtio
> authentication?
>   5.  How do bootstrapUser and bootstrapPassword work in a cluster environment
> if the bindings journal already contains the same user? Let’s say I restart
> the primary and the backup becomes live, but earlier I changed the password
> via the management API by other means? Should I set the bootstrapUser
> configuration in all cluster nodes or just in the primary?
>   6.  From our code perspective, can we still use
> JMSManagementHelper.putOperationInvocation() with "addUser" operation to
> add/delete users dynamically, or do we need to use different API?
>   7.  Is there a tool to at least list all the users in the journal, or is
> this only possible by calling some kind of API?
>   8.  From the security perspective, are users’ passwords in the bindings
> journal properly hashed, so that they cannot be retrieved if someone pokes at
> the data?
>
> Thank you in advance for any pointers.
>
> --
>    Best Regards,
>
>     Vilius Šumskas
>     Rivile
>     IT manager
>     +370 614 75713
>
>

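For question 1 in the quoted mail, the following `bootstrap.xml` fragment is an added illustration and is not part of this thread or of Justin's reply. The class name and the `bootstrapRole` property key are taken from the Artemis documentation for ActiveMQBasicSecurityManager; the user, password and role values are placeholders chosen here.

```xml
<!-- bootstrap.xml (added example, not from the thread).
     The default line
         <jaas-security domain="activemq"/>
     is replaced by the element below; the broker then uses the
     basic security manager instead of the JAAS login modules in
     login.config for client authentication. -->
<security-manager class-name="org.apache.activemq.artemis.spi.core.security.ActiveMQBasicSecurityManager">
   <!-- Placeholder credentials: these seed the user store that lives
        in the bindings journal; change them before deployment. -->
   <property key="bootstrapUser" value="admin"/>
   <property key="bootstrapPassword" value="change-me"/>
   <property key="bootstrapRole" value="amq"/>
</security-manager>
```

Because the users are kept in the bindings journal, they travel with that journal: a backup that takes over from its primary sees the same users, while an independent master broker with its own journal does not, which is the limitation Justin describes above.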