Thank you. It is working very well! Couple more questions:
* Is it possible to combine different key types in one router? For example,
have connections checked for USER_NAME or ROLE_NAME if user name is not found?
* Documentation mentions that native router redirection works for specific
clients. Do these clients need to be of a particular version, or is native
redirection implemented using the native protocol specification, e.g. will any
AMQP 0.9 client work?
--
Vilius
-----Original Message-----
From: Domenico Francesco Bruscino <[email protected]>
Sent: Thursday, April 17, 2025 4:25 PM
To: [email protected]
Subject: Re: IP address whitelisting for Artemis users
In my previous example there is an error, I meant:
<connection-router name="allow-privileged-users">
<key-type>USER_NAME</key-type>
<local-target-filter>^(foo|too)$</local-target-filter>
</connection-router>
<connection-router name="deny-privileged-users">
<key-type>USER_NAME</key-type>
<local-target-filter>^(?!foo$|too$).*$</local-target-filter>
</connection-router>
<acceptor name="internal">tcp://10.0.0.1:61616?router=allow-privileged-users...
<acceptor name="external">tcp://0.0.0.0:61616?router=deny-privileged-users...
Domenico
On Thu, 17 Apr 2025 at 15:24, Domenico Francesco Bruscino <[email protected]> wrote:
> Yes, you can use a connection-router to allow only the connections
> that match the local-target-filter, i.e.
>
> <connection-router name="allow-privileged-users">
> <key-type>USER_NAME</key-type>
> <local-target-filter>^(foo|too)$</local-target-filter>
> </connection-router>
>
> <connection-router name="deny-privileged-users">
> <key-type>SOURCE_IP</key-type>
> <local-target-filter>^(?!foo$|too$).*$</local-target-filter>
> </connection-router>
>
> <acceptor name="internal">tcp://10.0.0.1:61616?router=allow-privileged-users...
>
> <acceptor name="external">tcp://0.0.0.0:61616?router=deny-privileged-users...
>
> Domenico
>
>
>
> On Thu, 17 Apr 2025 at 13:55, Vilius Šumskas <[email protected]> wrote:
>
>> I'm trying to wrap my head around how connection router functionality
>> works.
>>
>> In my case, I already have two acceptors: an SSL-protected and
>> externally exposed one, which should be used only by the external
>> unprivileged users, and an internal one on a different AMQP port, which
>> should be used by the privileged internal users. If I understand
>> correctly, that external acceptor should be configured in such a way
>> that it allows all users except for a few privileged ones. Since we are
>> using ActiveMQBasicSecurityManager I probably cannot use a security
>> domain here, but looking through the documentation, I should be able to
>> use redirection on a specific acceptor with key-type USER_NAME, right?
>>
>> --
>> Vilius
>>
>> -----Original Message-----
>> From: Domenico Francesco Bruscino <[email protected]>
>> Sent: Wednesday, April 16, 2025 9:27 AM
>> To: [email protected]
>> Subject: Re: IP address whitelisting for Artemis users
>>
>> Hi Vilius,
>>
>> you can create an acceptor that allows only connections from specific
>> users by setting a per-acceptor security domain[1] and a connection
>> router[2] to reject connections with a source IP address that doesn't
>> match your filter, i.e.
>>
>> <connection-router name="privileged-ip-filter">
>> <key-type>SOURCE_IP</key-type>
>> <local-target-filter>^192\.168\.10\.1|192\.168\.10\.2$</local-target-filter>
>> </connection-router>
>>
>> [1] https://activemq.apache.org/components/artemis/documentation/latest/security.html#per-acceptor-security-domains
>> [2] https://activemq.apache.org/components/artemis/documentation/latest/connection-routers.html#connection-routers
>>
>> Regards,
>> Domenico
>>
>>
>> On Tue, 15 Apr 2025 at 22:24, Vilius Šumskas <[email protected]> wrote:
>>
>> > Hi,
>> >
>> > is there a way to somehow limit which IP an Artemis user is allowed to
>> > connect from? We had instances where a privileged user dedicated to
>> > internal usage only was used in externalized Java services. I want
>> > to protect these users from being used where they should not be.
>> >
>> > --
>> > Best Regards,
>> > Vilius
>> >
>> >
>>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact
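As an added check (not part of the thread and not Artemis code): the local-target-filter patterns posted above are evaluated against constructed USER_NAME and SOURCE_IP keys under both whole-string and substring matching, so an allowlist is only trusted when its anchors bind to every alternative. It assumes Python's re agrees with Java's java.util.regex for these constructs; the constant names, the grouped IP variant and the sample keys are mine.

```python
import re

# local-target-filter values as posted in the thread (the constant names are
# constructed for this example)
ALLOW_USERS = r"^(foo|too)$"                      # key-type USER_NAME, internal acceptor
DENY_USERS = r"^(?!foo$|too$).*$"                 # key-type USER_NAME, external acceptor
ALLOW_IPS = r"^192\.168\.10\.1|192\.168\.10\.2$"  # key-type SOURCE_IP, as posted
# Added variant: parentheses make ^ and $ apply to both alternatives.
ALLOW_IPS_GROUPED = r"^(192\.168\.10\.1|192\.168\.10\.2)$"


def passes(pattern: str, key: str, full_match: bool = True) -> bool:
    """True if the router key passes the filter.

    Assumption: Python's re behaves like java.util.regex for these patterns.
    full_match=True requires the whole key to match; False accepts any
    substring match, which is the mode in which unbound anchors bite.
    """
    if full_match:
        return re.fullmatch(pattern, key) is not None
    return re.search(pattern, key) is not None


def routing_table(pattern: str, keys):
    """Map each key to (whole-string result, substring result)."""
    return {k: (passes(pattern, k, True), passes(pattern, k, False)) for k in keys}


def is_robust(pattern: str, keys) -> bool:
    """A filter is robust if both matching modes give the same verdict on every key."""
    return all(a == b for a, b in routing_table(pattern, keys).values())


# constructed sample keys: the two privileged users, an ordinary user, and
# addresses that merely share a prefix with the allowlisted ones
USER_KEYS = ["foo", "too", "foobar", "bob"]
IP_KEYS = ["192.168.10.1", "192.168.10.2", "192.168.10.100", "10.0.0.2"]

if __name__ == "__main__":
    for name, pat, keys in [("allow users", ALLOW_USERS, USER_KEYS),
                            ("deny users", DENY_USERS, USER_KEYS),
                            ("allow IPs (as posted)", ALLOW_IPS, IP_KEYS),
                            ("allow IPs (grouped)", ALLOW_IPS_GROUPED, IP_KEYS)]:
        print(f"{name}: robust={is_robust(pat, keys)}")
        for key, (whole, sub) in routing_table(pat, keys).items():
            print(f"  {key:15} whole={whole!s:5} substring={sub}")
```

The "as posted" IP filter admits 192.168.10.100 under substring matching while the grouped form rejects it in both modes, which is why the grouped form is the one to deploy.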