I'm talking about single master/slave pair using NFS as shared storage. -- Vilius
-----Original Message-----
From: Justin Bertram <jbert...@apache.org>
Sent: Thursday, March 24, 2022 6:25 PM
To: users@activemq.apache.org
Subject: Re: ActiveMQBasicSecurityManager configuration examples

When you say "cluster environment" are you talking about multiple master brokers or just a single master/slave pair? ActiveMQBasicSecurityManager only provides synchronization between master/slave pairs. It doesn't provide any synchronization for multiple master brokers. You'd need to use a centralized repository for that (e.g. LDAP).

Justin

On Thu, Mar 24, 2022 at 11:01 AM Vilius Šumskas <vilius.sums...@rivile.lt> wrote:
> Hello list,
>
> since, according to the documentation, the PropertiesLogin JAAS module is not
> recommended for production use, and .properties files are not synced
> in a cluster environment, we are now searching for possible
> authentication alternatives.
>
> At first I thought to build a Keycloak cluster, but reading through the
> documentation I found that there is such a thing as
> ActiveMQBasicSecurityManager which should be enough (our case:
> thousands of external MQ clients using a different Artemis user each, to
> separate their JMS queue data).
>
> Unfortunately the documentation is a bit scarce on examples of how
> exactly ActiveMQBasicSecurityManager is configured, and an internet
> search returns almost nothing, so I'm sorry in advance for a lot of questions.
>
> 1. Is it enough to configure <security-manager> in bootstrap.xml?
> Do I need to remove the <jaas-security domain="activemq"/> line? Do I also
> somehow change login.config? Currently it is configured to use the default
> PropertiesLogin JAAS module.
>
> 2. How do I separate Hawtio authentication from broker authentication?
> Does this mean I have to separate the default "activemq" realm, use that
> different realm when starting Hawtio and then change login.config so
> it includes both realms using different authentication modules?
>
> 3. If the answer to the above is yes, is there an example somewhere of how
> ActiveMQBasicSecurityManager is configured in login.config and what
> the options are?
>
> 4. Can I use the same .properties file for both: to populate the
> ActiveMQBasicSecurityManager bootstrap user credentials, and for Hawtio
> authentication?
>
> 5. How do bootstrapUser and bootstrapPassword work in a cluster
> environment if the bindings journal already contains the same user? Let's
> say I restart the primary and the backup becomes live, but earlier I have
> changed the password via the management API using other means? Should I
> set the bootstrapUser configuration on all cluster nodes or just on the primary?
>
> 6. From our code's perspective, can we still use
> JMSManagementHelper.putOperationInvocation() with the "addUser" operation
> to add/delete users dynamically, or do we need to use a different API?
>
> 7. Is there a tool to at least list all the users in the journal,
> or is this only possible by calling some kind of API?
>
> 8. From the security perspective, are users' passwords in the bindings
> journal properly hashed so they cannot be retrieved if someone pokes at
> the data?
>
> Thank you in advance for any pointers.
>
> --
> Best Regards,
>
> Vilius Šumskas
> Rivile
> IT manager
> +370 614 75713
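Editor's note: the thread above asks (question 1) what the bootstrap.xml change for ActiveMQBasicSecurityManager actually looks like. The excerpt below is an added example, not code from the thread or a verbatim copy of the Artemis project's own files. The element name (`security-manager`, with its `class-name` attribute) and the three `bootstrap*` property keys follow the Artemis documentation for this security manager; the user, password and role values are placeholders. One caveat worth stating: this swaps only the broker's authentication/authorization backend, the web console's JAAS login (login.config and the properties files it references) is a separate mechanism and is not replaced by this element.

```xml
<?xml version="1.0"?>
<!-- etc/bootstrap.xml (excerpt). Added example, not from the thread.
     Element and property names follow the Artemis documentation for
     ActiveMQBasicSecurityManager; "admin", "change-me" and "amq" are
     placeholder values to replace. -->
<broker xmlns="http://activemq.apache.org/schema">

   <!-- BEFORE: the default JAAS domain, backed by login.config and the
        PropertiesLoginModule (artemis-users.properties /
        artemis-roles.properties). Remove this element when switching;
        the two elements are alternatives, not complements. -->
   <!-- <jaas-security domain="activemq"/> -->

   <!-- AFTER: users and roles live in the broker's bindings journal and
        are managed through the management API (addUser, removeUser,
        listUser, resetUser). The bootstrap* properties exist to seed an
        initial user so that the management API can be called at all;
        they are not a user database. Note that the password below sits
        in plain text in bootstrap.xml, so restrict file permissions on
        the etc/ directory and rotate this password through the
        management API once the broker is up. -->
   <security-manager class-name="org.apache.activemq.artemis.spi.core.security.ActiveMQBasicSecurityManager">
      <property key="bootstrapUser" value="admin"/>
      <property key="bootstrapPassword" value="change-me"/>
      <property key="bootstrapRole" value="amq"/>
   </security-manager>

   <!-- The rest of bootstrap.xml (server, web, naming) is unchanged. -->
   <server configuration="file:${artemis.URI.instance}/etc/broker.xml"/>

</broker>
```

Because this manager stores users in the bindings journal, a shared-store master/slave pair (the setup described at the top of the thread) sees the same user set on both nodes once the journal is replayed, which is the synchronization Justin refers to; with several independent masters each broker has its own journal, so users added on one are not visible on the others.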