I would say that's a bug.


Justin

On Tue, Mar 29, 2022 at 4:58 PM Vilius Šumskas <[email protected]> wrote:

> Hello,
>
> >> Would you still advise to remove bootstrapUser configuration after the
> >> environment is built, or generally it should not be an issue?
>
> > There's no technical reason to remove the bootstrap credentials. If it
> > makes more sense for your use-case for them to remain in the configuration
> > then by all means leave them.
>
> I have had time to experiment with this today.
> I found that if I leave bootstrap credentials in the configuration these
> credentials add a new entry to the bindings files after every restart
> of the broker. When viewing the user list via "artemis user list" the user
> count is correct; it's just the bindings content that is duplicated again
> and again.
>
> Is this a bug, or by design, and should I re-think this by removing the
> bootstrap configuration if I don't want to waste space?
>
> --
> Vilius
>
> -----Original Message-----
> From: Justin Bertram <[email protected]>
> Sent: Friday, March 25, 2022 5:14 PM
> To: [email protected]
> Subject: Re: ActiveMQBasicSecurityManager configuration examples
>
> > Would you still advise to remove bootstrapUser configuration after the
> > environment is built, or generally it should not be an issue?
>
> There's no technical reason to remove the bootstrap credentials. If it
> makes more sense for your use-case for them to remain in the configuration
> then by all means leave them.
>
> > Since we will be having thousands of users, how do Artemis requirements
> > change moving away from PropertiesLogin and putting everything into the
> > binding journal? For example, do we need much more RAM to run such an
> > instance? Maybe something else? Some technical limit regarding user count
> > or binding journal size?
>
> I wouldn't expect any substantial change in requirements. However, the
> only way to know that is with careful testing. I would expect the basic
> security manager to be a bit faster since it uses the journal, which is
> optimized for speed, but I wouldn't expect the difference to be significant.
>
>
> Justin
>
> On Thu, Mar 24, 2022 at 3:56 PM Vilius Šumskas <[email protected]> wrote:
>
> > Thank you for the very detailed answers! This helps a lot actually.
> >
> > Follow-up question regarding item 5. We have an internal policy to
> > control our infrastructure via code and scripts so that testing and
> > staging environments can be built and destroyed on demand. Artemis is
> > part of that infrastructure. Essentially this means that everything is
> > done in two steps: a) infra configuration, b) pre-population of data
> > needed for testing. Infrastructure should not be re-configured/restarted
> > after step b).
> > In addition, we have three types of Artemis users: 1) administrator
> > accounts, mostly for Hawtio and CLI management, 2) users used by
> > internal SaaS app backend services, 3) users for our external clients.
> >
> > Given all of the above, I was thinking to pre-populate and mask
> > passwords in .properties files for type 1 and 2 accounts, leave the
> > bootstrapUser configuration present, and then automated tests will
> > create type 3 accounts as needed.
> >
> > Would you still advise to remove bootstrapUser configuration after the
> > environment is built, or generally it should not be an issue?
> >
> > And one last question regarding ActiveMQBasicSecurityManager as a whole.
> > Since we will be having thousands of users, how do Artemis requirements
> > change moving away from PropertiesLogin and putting everything into
> > the binding journal? For example, do we need much more RAM to run such
> > an instance? Maybe something else? Some technical limit regarding user
> > count or binding journal size?
> >
> > --
> > Vilius
> >
> > -----Original Message-----
> > From: Justin Bertram <[email protected]>
> > Sent: Thursday, March 24, 2022 9:43 PM
> > To: [email protected]
> > Subject: Re: ActiveMQBasicSecurityManager configuration examples
> >
> > > 1. Is it enough to configure <security-manager> in bootstrap.xml? Do I
> > > need to remove the <jaas-security domain="activemq"/> line? Do I also
> > > somehow change login.config? Currently it is configured to use the
> > > default PropertiesLogin JAAS module.
> >
> > You should remove the jaas-security configuration. As far as the basic
> > security manager is concerned you don't need to change login.config.
> > The basic security manager doesn't use JAAS at all (as noted in the
> > documentation [1]) so it isn't concerned with the contents of
> > login.config.
> >
> > > 2. How do I separate Hawtio authentication from broker authentication?
> > > Does this mean I have to separate the default "activemq" realm, use a
> > > different realm when starting Hawtio and then change login.config so
> > > it includes both realms using different authentication modules?
> >
> > Hawtio uses JAAS internally and it is configured via system properties
> > in etc/artemis.profile. It will continue to use JAAS while the broker
> > uses the basic security manager.
> >
> > > 4. Can I use the same .properties file for both, populating the
> > > ActiveMQBasicSecurityManager bootstrap user credentials and Hawtio
> > > authentication?
> >
> > I suppose you could do that.
> >
> > > 5. How do bootstrapUser and bootstrapPassword work in a cluster
> > > environment if the binding journal already contains the same user?
> > > Let's say I restart primary and backup becomes live, but earlier I have
> > > changed the password via the management API using other means? Should
> > > I set the bootstrapUser configuration in all cluster nodes or just in
> > > primary?
> >
> > As noted in the documentation [1], "Any bootstrap credentials will be
> > set whenever you start the broker no matter what changes may have been
> > made to them at runtime previously." The idea is to boot the broker
> > instance for the first time with a bootstrap user that can be used to
> > add all the necessary users and roles to the journal and then you
> > remove the bootstrap user from bootstrap.xml thereafter.
> >
> > > 6. From our code perspective, can we still use
> > > JMSManagementHelper.putOperationInvocation() with the "addUser"
> > > operation to add/delete users dynamically, or do we need to use a
> > > different API?
> >
> > No. You'll use the same management operations. However, those
> > operations will modify the accounts in the journal rather than the
> > properties files.
> >
> > > 7. Is there a tool to at least list all the users in the journal, or
> > > is this only possible by calling some kind of API?
> >
> > You can use the management API to list the users (including the CLI
> > "user list" command). You can also print the raw contents of the
> > journal using the CLI "data print" command. User account info will be
> > listed as part of the bindings.
> >
> > > 8. From the security perspective, are users' passwords in the binding
> > > journal properly hashed so that they cannot be retrieved if someone
> > > pokes at the data?
> >
> > If you tell the API to hash the passwords then they will be hashed.
> >
> > Hope that helps!
> >
> >
> > Justin
> >
> > [1]
> > https://activemq.apache.org/components/artemis/documentation/latest/security.html#basic-security-manager
> >
> > On Thu, Mar 24, 2022 at 11:01 AM Vilius Šumskas <[email protected]> wrote:
> >
> > > Hello list,
> > >
> > > since, according to the documentation, the PropertiesLogin JAAS module
> > > is not recommended for production use, and .properties files are not
> > > synced in a cluster environment, we are now searching for possible
> > > authentication alternatives.
> > >
> > > At first I thought to build a Keycloak cluster, but reading through
> > > the documentation I found that there is such a thing as
> > > ActiveMQBasicSecurityManager which should be enough (our case:
> > > thousands of external MQ clients, each using a different Artemis user,
> > > to separate their JMS queue data).
> > >
> > > Unfortunately the documentation is a bit scarce on examples of how
> > > exactly ActiveMQBasicSecurityManager is configured, and internet
> > > search returns almost nothing, so I'm sorry in advance for a lot of
> > > questions.
> > >
> > > 1. Is it enough to configure <security-manager> in bootstrap.xml? Do
> > > I need to remove the <jaas-security domain="activemq"/> line? Do I
> > > also somehow change login.config? Currently it is configured to use
> > > the default PropertiesLogin JAAS module.
> > > 2. How do I separate Hawtio authentication from broker authentication?
> > > Does this mean I have to separate the default "activemq" realm, use a
> > > different realm when starting Hawtio and then change login.config so
> > > it includes both realms using different authentication modules?
> > > 3. If the above answer is yes, is there an example somewhere of how
> > > ActiveMQBasicSecurityManager is configured in login.config and what
> > > the options are?
> > > 4. Can I use the same .properties file for both, populating the
> > > ActiveMQBasicSecurityManager bootstrap user credentials and Hawtio
> > > authentication?
> > > 5. How do bootstrapUser and bootstrapPassword work in a cluster
> > > environment if the binding journal already contains the same user?
> > > Let's say I restart primary and backup becomes live, but earlier I
> > > have changed the password via the management API using other means?
> > > Should I set the bootstrapUser configuration in all cluster nodes or
> > > just in primary?
> > > 6. From our code perspective, can we still use
> > > JMSManagementHelper.putOperationInvocation() with the "addUser"
> > > operation to add/delete users dynamically, or do we need to use a
> > > different API?
> > > 7. Is there a tool to at least list all the users in the journal, or
> > > is this only possible by calling some kind of API?
> > > 8. From the security perspective, are users' passwords in the binding
> > > journal properly hashed so that they cannot be retrieved if someone
> > > pokes at the data?
> > >
> > > Thank you in advance for any pointers.
> > >
> > > --
> > > Best Regards,
> > >
> > > Vilius Šumskas
> > > Rivile
> > > IT manager
> > > +370 614 75713
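An added example for items 6 to 8 of the thread above, written for this page and not taken from the thread or from the Artemis code base. It drives the broker's user-management operations (addUser, listUser, resetUser, removeUser) through the JMS management address, which is the same JMSManagementHelper path the question asks about; with ActiveMQBasicSecurityManager enabled in bootstrap.xml (the security-manager element with class-name org.apache.activemq.artemis.spi.core.security.ActiveMQBasicSecurityManager and its bootstrapUser, bootstrapPassword and bootstrapRole properties, in place of the jaas-security element, as the linked documentation describes) these operations write to the bindings journal. The security-relevant detail is the last parameter of addUser and resetUser: false tells the broker to hash the password before it is journaled, true stores it verbatim, so a "data print" of the journal would reveal it. Assumptions not on the page: a broker on tcp://localhost:61616, the default management address activemq.management, an admin account "admin"/"adminpass" whose role holds the manage permission (on a fresh broker that is what the bootstrap user is for), and the javax.jms client artifact (artemis-jms-client); the account names and passwords are constructed for the example.

```java
import javax.jms.Message;
import javax.jms.Queue;
import javax.jms.QueueConnection;
import javax.jms.QueueRequestor;
import javax.jms.QueueSession;
import javax.jms.Session;

import org.apache.activemq.artemis.api.core.management.ResourceNames;
import org.apache.activemq.artemis.api.jms.ActiveMQJMSClient;
import org.apache.activemq.artemis.api.jms.management.JMSManagementHelper;
import org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory;

/**
 * Added example (not from the thread or the Artemis project): manage the accounts
 * that ActiveMQBasicSecurityManager keeps in the bindings journal, over the JMS
 * management address.
 *
 * Assumed environment: broker at tcp://localhost:61616, default management
 * address "activemq.management", and an admin login whose role has "manage".
 */
public class JournalUserAdmin implements AutoCloseable {

    private final QueueSession session;
    private final QueueRequestor requestor;

    public JournalUserAdmin(QueueConnection connection) throws Exception {
        session = connection.createQueueSession(false, Session.AUTO_ACKNOWLEDGE);
        Queue managementQueue = ActiveMQJMSClient.createQueue("activemq.management");
        requestor = new QueueRequestor(session, managementQueue);
    }

    /** Invoke one operation on the "broker" resource and fail loudly if the broker reports an error. */
    private Object invoke(String operation, Object... params) throws Exception {
        Message request = session.createMessage();
        JMSManagementHelper.putOperationInvocation(request, ResourceNames.BROKER, operation, params);
        Message reply = requestor.request(request);
        Object result = JMSManagementHelper.getResult(reply);
        if (!JMSManagementHelper.hasOperationSucceeded(reply)) {
            // On failure the result carries the broker's error text (e.g. user already exists).
            throw new IllegalStateException(operation + " failed: " + result);
        }
        return result;
    }

    /**
     * addUser(username, password, roles, plaintext). plaintext=false asks the broker to
     * hash the password before it is journaled (item 8 of the thread); plaintext=true
     * would store the password as given, readable by anyone who can dump the journal.
     */
    public void addUser(String username, String password, String commaSeparatedRoles) throws Exception {
        invoke("addUser", username, password, commaSeparatedRoles, false);
    }

    /** resetUser replaces password and roles of an existing account; hashed for the same reason. */
    public void resetUser(String username, String newPassword, String commaSeparatedRoles) throws Exception {
        invoke("resetUser", username, newPassword, commaSeparatedRoles, false);
    }

    public void removeUser(String username) throws Exception {
        invoke("removeUser", username);
    }

    /** listUser returns JSON; per the management docs a null or empty username lists every account. */
    public String listUser(String username) throws Exception {
        return (String) invoke("listUser", username);
    }

    @Override
    public void close() throws Exception {
        requestor.close();
        session.close();
    }

    public static void main(String[] args) throws Exception {
        ActiveMQConnectionFactory cf = new ActiveMQConnectionFactory("tcp://localhost:61616");
        try (QueueConnection connection = cf.createQueueConnection("admin", "adminpass")) {
            // QueueRequestor waits on a temporary reply queue, so the connection must be started.
            connection.start();
            try (JournalUserAdmin admin = new JournalUserAdmin(connection)) {
                // Constructed sample account for an external client (type 3 in the thread).
                admin.addUser("client-0001", "initial-secret-0001", "external");
                System.out.println(admin.listUser("client-0001"));
                admin.resetUser("client-0001", "rotated-secret-0001", "external");
                admin.removeUser("client-0001");
            }
        }
    }
}
```

Two practical notes. The journaled accounts are what "artemis user list" reads, so listUser here returns the same view as the CLI, while "data print" shows the raw bindings records including whatever the plaintext flag left there. And because any bootstrap credentials are re-applied on every start, automation that relies on this client should run once against the freshly bootstrapped broker and then strip the bootstrap properties from bootstrap.xml, which also sidesteps the duplicated-bindings behaviour reported at the top of the thread.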
