Thank you for very detailed answers! This helps a lot actually.
Follow-up question regarding item 5. We have an internal policy to control our
infrastructure via code and scripts so that testing and staging environments
can be built and destroyed on-demand. Artemis is part of that infrastructure.
Essentially this means that everything is done in two steps: a) infra
configuration, b) pre-population of data needed for testing. Infrastructure
should not be re-configured/restarted after step b).
In addition, we have three types of Artemis users: 1) administrator accounts,
mostly for Hawtio and cli management, 2) users used by internal SaaS app
backend services, 3) users for our external clients.
Given all of the above, I was thinking to pre-populate and mask passwords in
.properties files for type 1 and 2 accounts, leave the bootstrapUser
configuration present, and then automated tests will create type 3 accounts as
needed.
Would you still advice to remove bootstrapUser configuration after the
environment is built, or generally it should not be an issue?
And one last question regarding ActiveMQBasicSecurityManager as a whole. Since
we will be having thousands of users, how Artemis requirements changes moving
away from PropertiesLogin and putting everything into the binding journal? For
example, do we need much more RAM to run such instance? Maybe something else?
Some technical limit regarding user count or binding journal size?
--
Vilius
-----Original Message-----
From: Justin Bertram <[email protected]>
Sent: Thursday, March 24, 2022 9:43 PM
To: [email protected]
Subject: Re: ActiveMQBasicSecurityManager configuration examples
> 1. Is it enough to configure <security-manager> in bootstrap.xml? Do
> I
need to remove <jaas-security domain="activemq"/> line? Do I also somehow
change login.config? Currently it is configured to use default PropertiesLogin
JAAS module.
You should remove the jaas-security configuration. As far as the basic security
manager is concerned you don't need to change login.config. The basic security
manager doesn't use JAAS at all (as noted in the documentation [1]) so it isn't
concerned with the contents of login.config.
> 2. How do I separate Hawtio authentication from broker authentication?
Does this mean I have to separate default “activemq” realm, use that different
realm when starting Hawtio and then change login.config so it includes both
realms using different authentication modules?
Hawtio uses JAAS internally and it is configured via system properties in
etc/artemis.profile. It will continue to use JAAS while the broker uses the
basic security manager.
> 4. Can I use the same .properties file for both, populate
ActiveMQBasicSecurityManager bootstrap user credentials, and Hawtio
authentication?
I suppose you could do that.
> 5. How bootstrapUser and bootstrapPassword works in cluster
> environment
if binding journal already contains the same user? Let’s say I restart primary
and backup becomes live, but earlier I have changed the password via management
API using other means? Should I set bootstrapUser configuration in all cluster
nodes or just in primary?
As noted in the documentation [1], "Any bootstrap credentials will be set
whenever you start the broker no matter what changes may have been made to them
at runtime previously." The idea is to boot the broker instance for the first
time with a bootstrap user that can be used to add all the necessary users and
roles to the journal and then you remove the boostrap user from bootstrap.xml
thereafter.
> 6. From our code perspective, can we still use
JMSManagementHelper.putOperationInvocation() with "addUser" operation to
add/delete users dynamically, or do we need to use different API?
No. You'll use the same management operations. However, those operations will
modify the accounts in the journal rather than the properties files.
> 7. Is there a tool to at least list all the users in the journal, or
this is only possible calling some kind of API?
You can use the management API to list the users (including the CLI "user list"
command). You can also print the raw contents of the journal using the CLI
"data print" command. User account info will be listed as part of the bindings.
> 8. From the security perspective, are users’ passwords in binding
journal properly hashed and cannot be retrieved if someone pokes at the data?
If you tell the API to hash the passwords then they will be hashed.
Hope that helps!
Justin
[1]
https://activemq.apache.org/components/artemis/documentation/latest/security.html#basic-security-manager
On Thu, Mar 24, 2022 at 11:01 AM Vilius Šumskas <[email protected]>
wrote:
> Hello list,
>
> since, according to documentation, PropertiesLogin JAAS module is not
> recommended for production use, and .properties files are not synched
> in a cluster environment, we are now searching for possible
> authentication alternatives.
>
> At first I thought to build a Keycloak cluster, but reading through
> documentation I found that there is such a thing as
> ActiveMQBasicSecurityManager which should be enough (our case:
> thousands of external MQ clients using different Artemis user each, to
> separate their JMS queue data).
>
> Unfortunately documentation is a bit scarce on the examples how
> exactly ActiveMQBasicSecurityManager is configured, and internet
> search returns almost nothing, so I’m sorry in advance for a lot of questions.
>
> 1. Is it enough to configure <security-manager> in bootstrap.xml?
> Do I need to remove <jaas-security domain="activemq"/> line? Do I also
> somehow change login.config? Currently it is configured to use default
> PropertiesLogin JAAS module.
> 2. How do I separate Hawtio authentication from broker authentication?
> Does this mean I have to separate default “activemq” realm, use that
> different realm when starting Hawtio and then change login.config so
> it includes both realms using different authentication modules?
> 3. If the above answer is yes, is there an example somewhere how
> ActiveMQBasicSecurityManager is configured in login.config and what
> are the options?
> 4. Can I use the same .properties file for both, populate
> ActiveMQBasicSecurityManager bootstrap user credentials, and Hawtio
> authentication?
> 5. How bootstrapUser and bootstrapPassword works in cluster
> environment if binding journal already contains the same user? Let’s
> say I restart primary and backup becomes live, but earlier I have
> changed the password via management API using other means? Should I
> set bootstrapUser configuration in all cluster nodes or just in primary?
> 6. From our code perspective, can we still use
> JMSManagementHelper.putOperationInvocation() with "addUser" operation
> to add/delete users dynamically, or do we need to use different API?
> 7. Is there a tool to at least list all the users in the journal,
> or this is only possible calling some kind of API?
> 8. From the security perspective, are users’ passwords in binding
> journal properly hashed and cannot be retrieved if someone pokes at
> the data?
>
> Thank you in advance for any pointers.
>
> --
> Best Regards,
>
> Vilius Šumskas
> Rivile
> IT manager
> +370 614 75713
>
>
