ActiveMQ Artemis and Hawtio. How to specify user roles? - activemq-artemis

I am trying to specify user rights in Hawtio connected to ActiveMQ Artemis, but I cannot figure out what the XML attributes below (list*, get*, etc.) from management.xml actually mean. Can someone please explain?
management.xml:
<role-access>
  <match domain="org.apache.activemq.artemis">
    <access method="list*" roles="amq"/>
    <access method="get*" roles="amq"/>
    <access method="is*" roles="amq"/>
    <access method="browse*" roles="amq"/>
    <access method="count*" roles="amq"/>
    <access method="pause*" roles="amq"/>
    <access method="resume*" roles="amq"/>
    <access method="move*" roles="amq"/>
    <access method="removeMessage*" roles="amq"/>
    <access method="removeAllMessages*" roles="amq"/>
    <access method="set*" roles="amq"/>
    <access method="*" roles="amq"/>
  </match>
  ...
</role-access>
I am trying to find a list that explains what each "access method" attribute does regarding user rights in the Hawtio GUI.

There are a few important things to understand concerning your question.
The management API in ActiveMQ Artemis is based on JMX MBeans. These MBeans are implemented as a set of "control" classes. You can browse these via JavaDoc to see all the different attributes and operations they expose.
The ActiveMQ Artemis web console application is built on top of Hawtio. Hawtio communicates via HTTP with Jolokia running on an embedded web server managed by the broker. Jolokia is a JMX-HTTP bridge, and it essentially provides the web console with access to all the JMX MBeans. Therefore, for example, when the web console displays the number of messages in a queue it got that information by invoking the getMessageCount method on the QueueControl MBean for the respective queue. If you look closely at the web console you will see the name of the MBean which is being used behind the scenes, e.g.:
The name of the MBean being used here is:
org.apache.activemq.artemis:broker="0.0.0.0",component=addresses,address="testqueue",subcomponent=queues,routing-type="anycast",queue="testqueue"
The configuration in management.xml allows one to control who is allowed to execute these MBean methods. Here's a basic example involving the MBeans specifically related to queues:
<match domain="org.apache.activemq.artemis" key="subcomponent=queues">
<access method="list*" roles="view,update,amq"/>
<access method="get*" roles="view,update,amq"/>
<access method="is*" roles="view,update,amq"/>
<access method="set*" roles="update,amq"/>
<access method="*" roles="amq"/>
</match>
Using this configuration any users in the role view will be able to use MBean methods which match list*, get*, and is* which basically allows the user to see all the attributes but the user is not allowed to change any attributes or invoke any operations (e.g. deleteMessages).
Hopefully you can see how it's possible to provide users in specific roles specific access to (and only to) the MBeans they need.
Keep in mind that any roles used by Hawtio (i.e. the web console) will need to be defined in etc/artemis.profile in the HAWTIO_ROLE variable.

Related

How to split permissions by addresses in Artemis web console

Good day,
A task:
For each user, give the rights to operations (list, get, browse, etc.) only on their addresses. Rights to addresses are issued in broker.xml.
Currently, any user with the browse role can read messages from any address.
We raised an Artemis MQ cluster with domain authentication. We issue rights through broker.xml to the addresses of domain users. We want to enable domain users to manage their addresses/queues via the web GUI.
Granted rights to the Domain Users group in the artemis.profile config and all domain users got access to the web GUI.
Gave rights to the Domain Users group on the methods in the management.xml file and ALL domain users can use the allowed methods on ALL queues, including the browse method (allows you to read messages).
Is it possible to restrict access in the web GUI so that domain users can use the allowed methods only on THEIR queues (the rights are granted in broker.xml), or do you need to write blocks with methods for each queue in management.xml (a mask can be used) and give rights to the methods to separate groups?
Generally speaking ActiveMQ Artemis supports role-based access control (i.e. RBAC) so each user who needs unique permissions will need to be in a unique role.
The web console in ActiveMQ Artemis is based on Hawtio which uses Jolokia (a JMX-HTTP bridge) to communicate with the JMX MBeans in the broker. Authorization for Jolokia is configured in etc/management.xml. Here is the default contents:
<management-context xmlns="http://activemq.apache.org/schema">
<!--<connector connector-port="1099"/>-->
<authorisation>
<allowlist>
<entry domain="hawtio"/>
</allowlist>
<default-access>
<access method="list*" roles="amq"/>
<access method="get*" roles="amq"/>
<access method="is*" roles="amq"/>
<access method="set*" roles="amq"/>
<access method="*" roles="amq"/>
</default-access>
<role-access>
<match domain="org.apache.activemq.artemis">
<access method="list*" roles="amq"/>
<access method="get*" roles="amq"/>
<access method="is*" roles="amq"/>
<access method="set*" roles="amq"/>
<!-- Note count and browse are needed to access the browse tab in the console-->
<access method="browse*" roles="amq"/>
<access method="count*" roles="amq"/>
<access method="*" roles="amq"/>
</match>
<!--example of how to configure a specific object-->
<!--<match domain="org.apache.activemq.artemis" key="subcomponent=queues">
<access method="list*" roles="view,update,amq"/>
<access method="get*" roles="view,update,amq"/>
<access method="is*" roles="view,update,amq"/>
<access method="set*" roles="update,amq"/>
<access method="*" roles="amq"/>
</match>-->
</role-access>
</authorisation>
</management-context>
The domain and key are based on the name of the JMX MBean on the broker. For example, the name of the MBean for an anycast queue named "myQueue" on the address "myAddress" on the broker "myBroker" would be:
org.apache.activemq.artemis:broker=myBroker,component=addresses,address="myAddress",subcomponent=queues,routing-type="anycast",queue="myQueue"
Therefore, if you only wanted users in the role "myRole" to be able to browse messages on the queue "myQueue" then you'd have a match like this:
<match domain="org.apache.activemq.artemis" key="queue=myQueue">
<access method="list*" roles="myRole"/>
<access method="get*" roles="myRole"/>
<access method="is*" roles="myRole"/>
<access method="set*" roles="myRole"/>
<access method="browse*" roles="myRole"/>
<access method="count*" roles="myRole"/>
<access method="*" roles="myRole"/>
</match>
Keep in mind that by default access to the console is only allowed for users with the amq role. This is configured in etc/artemis.profile via the system property -Dhawtio.role=amq. You can configure multiple roles by changing this to -Dhawtio.roles=amq,myRole.
You can find more details in the documentation.
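The two answers above describe the same matching rules from different angles: a `<match>` is selected by the MBean's domain and, optionally, one `key=value` pair from its ObjectName, and the `method` attribute is a glob over attribute getters and operation names. The Python checker below is an added example (not broker code) that models those rules so you can ask "can role R invoke method M on MBean N?" against a management.xml before deploying it. Its precedence rules are assumptions of the model rather than a transcript of the broker's implementation: a `<match>` whose key appears in the ObjectName wins over the domain-only match (earlier keyed matches beat later ones), an exact method name wins over the longest matching glob, `*` is the last resort, and a domain with no match at all falls through to `<default-access>`. The roles view, update and myRole and the MBean names are constructed for the demo.

```python
"""Added example: a model of how <role-access> and <default-access> in
management.xml scope JMX access by role.  Not the broker's own code; the
precedence rules in roles_for() are assumptions of this model."""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed management.xml: a queue-specific match (the second answer's
# pattern), a match for every queue MBean (the first answer's pattern) and a
# domain-wide fallback.  Roles view, update and myRole are hypothetical.
MANAGEMENT_XML = """<management-context xmlns="http://activemq.apache.org/schema">
  <authorisation>
    <default-access>
      <access method="get*" roles="amq"/>
      <access method="*" roles="amq"/>
    </default-access>
    <role-access>
      <match domain="org.apache.activemq.artemis" key="queue=myQueue">
        <access method="list*" roles="myRole,amq"/>
        <access method="get*" roles="myRole,amq"/>
        <access method="browse*" roles="myRole,amq"/>
        <access method="count*" roles="myRole,amq"/>
        <access method="*" roles="amq"/>
      </match>
      <match domain="org.apache.activemq.artemis" key="subcomponent=queues">
        <access method="list*" roles="view,update,amq"/>
        <access method="get*" roles="view,update,amq"/>
        <access method="set*" roles="update,amq"/>
        <access method="*" roles="amq"/>
      </match>
      <match domain="org.apache.activemq.artemis">
        <access method="get*" roles="amq"/>
        <access method="*" roles="amq"/>
      </match>
    </role-access>
  </authorisation>
</management-context>"""


def parse_object_name(name):
    """Split 'domain:k1=v1,k2="v,2"' into (domain, {k: v}); quotes are removed."""
    domain, _, props = name.partition(":")
    out, key, buf, quoted = {}, None, [], False
    for ch in props + ",":
        if ch == '"':
            quoted = not quoted
        elif ch == "=" and key is None and not quoted:
            key, buf = "".join(buf), []
        elif ch == "," and not quoted:
            if key is not None:
                out[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(ch)
    return domain, out


def _accesses(el):
    # (method glob, set of roles) for each <access> child, ignoring the xmlns.
    return [(a.get("method"), {r.strip() for r in a.get("roles", "").split(",") if r.strip()})
            for a in el if a.tag.rsplit("}", 1)[-1] == "access"]


def load_policy(xml_text):
    default, matches = [], []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag == "default-access":
            default = _accesses(el)
        elif tag == "match":
            key = el.get("key")
            matches.append((el.get("domain"), tuple(key.split("=", 1)) if key else None, _accesses(el)))
    return {"default": default, "matches": matches}


def roles_for(policy, object_name, method):
    """Roles allowed to invoke `method` on the MBean `object_name` (model rules above)."""
    domain, props = parse_object_name(object_name)
    keyed, unkeyed = [], []
    for m_domain, key, accesses in policy["matches"]:
        if m_domain != domain:
            continue
        if key is None:
            unkeyed.append(accesses)
        elif len(key) == 2 and props.get(key[0]) == key[1]:
            keyed.append(accesses)
    accesses = (keyed or unkeyed or [policy["default"]])[0]
    for m, roles in accesses:          # an exact method name wins outright
        if m == method:
            return roles
    best = None                        # otherwise the longest matching glob; '*' is last
    for m, roles in accesses:
        if fnmatch.fnmatchcase(method, m) and (best is None or len(m) > len(best[0])):
            best = (m, roles)
    return best[1] if best else set()


def can(policy, role, object_name, method):
    return role in roles_for(policy, object_name, method)


# Constructed ObjectNames in the shape both answers show.
QUEUE_MBEAN = ('org.apache.activemq.artemis:broker="myBroker",component=addresses,'
               'address="myAddress",subcomponent=queues,routing-type="anycast",queue="myQueue"')
OTHER_QUEUE = QUEUE_MBEAN.replace('queue="myQueue"', 'queue="otherQueue"')
ADDRESS_MBEAN = 'org.apache.activemq.artemis:broker="myBroker",component=addresses,address="myAddress"'
JVM_MBEAN = "java.lang:type=Runtime"


def demo():
    """Each entry is True under the constructed policy."""
    p = load_policy(MANAGEMENT_XML)
    return {
        "view can read queue attributes": can(p, "view", OTHER_QUEUE, "getMessageCount"),
        "view cannot remove messages": not can(p, "view", OTHER_QUEUE, "removeMessages"),
        "update's rights stop at queue MBeans": not can(p, "update", ADDRESS_MBEAN, "getMessageCount"),
        "myRole browses only its own queue": can(p, "myRole", QUEUE_MBEAN, "browse")
                                             and not can(p, "myRole", OTHER_QUEUE, "browse"),
        "amq keeps the catch-all": can(p, "amq", QUEUE_MBEAN, "removeAllMessages"),
        "other domains use default-access": can(p, "amq", JVM_MBEAN, "getUptime")
                                            and not can(p, "view", JVM_MBEAN, "getUptime"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{'ok ' if ok else 'BAD'} {check}")
```

The useful question to run against your own file is the negative one: for a role that should be read-only, assert that every operation you care about (removeMessages, pause, moveMessages) resolves to a role set that does not contain it, because the catch-all `*` entry is what silently grants those operations when a narrower glob is missing.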

ActiveMQ Artemis web console missing columns

My ActiveMQ Artemis web console is showing all queues and topics, but lacks the detail I have seen on other deployments of the console. There are no columns present showing queue detail. The user role is amq and has the full permissions. I include a screenshot:
The management.xml is as follows:
<management-context xmlns="http://activemq.org/schema">
<!--<connector connector-port="1099"/>-->
<authorisation>
<allowlist>
<entry domain="hawtio"/>
</allowlist>
<default-access>
<access method="list*" roles="amq"/>
<access method="get*" roles="amq"/>
<access method="is*" roles="amq"/>
<access method="set*" roles="amq"/>
<access method="*" roles="amq"/>
</default-access>
<role-access>
<match domain="org.apache.activemq.artemis">
<access method="list*" roles="amq"/>
<access method="get*" roles="amq"/>
<access method="is*" roles="amq"/>
<access method="set*" roles="amq"/>
<!-- Note count and browse are needed to access the browse tab in the console-->
<access method="browse*" roles="amq"/>
<access method="count*" roles="amq"/>
<access method="*" roles="amq"/>
</match>
<!--example of how to configure a specific object-->
<!--<match domain="org.apache.activemq.artemis" key="subcomponent=queues">
<access method="list*" roles="view,update,amq"/>
<access method="get*" roles="view,update,amq"/>
<access method="is*" roles="view,update,amq"/>
<access method="set*" roles="update,amq"/>
<access method="*" roles="amq"/>
</match>-->
</role-access>
</authorisation>
</management-context>
Here's artemis.profile:
ARTEMIS_HOME='/opt/apache-artemis-2.20.0'
ARTEMIS_INSTANCE='/var/lib/artemis'
ARTEMIS_DATA_DIR='/var/lib/artemis/data'
ARTEMIS_ETC_DIR='/var/lib/artemis/etc'
ARTEMIS_OOME_DUMP='/var/lib/artemis/log/oom_dump.hprof'
# The logging config will need an URI
# this will be encoded in case you use spaces or special characters
# on your directory structure
ARTEMIS_INSTANCE_URI='file:/var/lib/artemis/'
ARTEMIS_INSTANCE_ETC_URI='file:/var/lib/artemis/etc/'
# Cluster Properties: Used to pass arguments to ActiveMQ Artemis which can be referenced in broker.xml
#ARTEMIS_CLUSTER_PROPS="-Dactivemq.remoting.default.port=61617 -Dactivemq.remoting.amqp.port=5673 -Dactivemq.remoting.stomp.port=61614 -Dactivemq.remoting.hornetq.port=5446"
# Hawtio Properties
HAWTIO_ROLE='amq'
# Java Opts
if [ -z "$JAVA_ARGS" ]; then
JAVA_ARGS="-javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.rmi.port=1098 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.net.preferIPv4Addresses=true -Djava.net.preferIPv4Stack=true -XX:+UnlockExperimentalVMOptions -XX:+UseContainerSupport -XX:MaxRAMPercentage=50 -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+UseStringDeduplication -Dhawtio.disableProxy=true -Dhawtio.realm=activemq -Dhawtio.offline=true -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal -Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml "
fi
# Uncomment to enable logging for Safepoint JVM pauses
#
# In addition to the traditional GC logs you could enable some JVM flags to know any meaningful and "hidden" pause
# that could affect the latencies of the services delivered by the broker, including those that are not reported by
# the classic GC logs and dependent by JVM background work (eg method deoptimizations, lock unbiasing, JNI, counted
# loops and obviously GC activity).
#
# Replace "all_pauses.log" with the file name you want to log to.
# JAVA_ARGS="-Djava.net.preferIPv4Addresses=true -Djava.net.preferIPv4Stack=true -XX:+UnlockExperimentalVMOptions -XX:+UseContainerSupport -XX:MaxRAMPercentage=50 $JAVA_ARGS -XX:+PrintSafepointStatistics -XX:PrintSafepointStatisticsCount=1 -XX:+PrintGCApplicationStoppedTime -XX:+PrintGCApplicationConcurrentTime -XX:+LogVMOutput -XX:LogFile=all_pauses.log"
# Uncomment to enable the dumping of the Java heap when a java.lang.OutOfMemoryError exception is thrown
# JAVA_ARGS="-Djava.net.preferIPv4Addresses=true -Djava.net.preferIPv4Stack=true -XX:+UnlockExperimentalVMOptions -XX:+UseContainerSupport -XX:MaxRAMPercentage=50 $JAVA_ARGS -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=${ARTEMIS_OOME_DUMP}"
# Only enable debug options for the 'run' command
if [ "$1" = "run" ]; then :
# Uncomment to enable remote debugging
# DEBUG_ARGS="-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=5005"
# Uncomment for async profiler
# DEBUG_ARGS="-XX:+UnlockDiagnosticVMOptions -XX:+DebugNonSafepoints"
fi
Here's login.config:
activemq {
org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required
debug=false
reload=true
org.apache.activemq.jaas.properties.user="artemis-users.properties"
org.apache.activemq.jaas.properties.role="artemis-roles.properties";
}

How to connect to ActiveMQ Artemis via JConsole?

I am trying to connect via JConsole to ActiveMQ Artemis. However, it doesn't seem to work.
JDK version: 1.8.0
ActiveMQ Artemis version: 2.6.2
I have tried the following URLs both with and without user/password (admin/admin):
service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi
and
service:jmx:rmi:///jndi/rmi://0.0.0.0:1099/jmxrmi
My broker is running locally. I just unzipped it and created an instance. Here is my management.xml:
<management-context xmlns="http://activemq.org/schema">
<connector connector-port="1099"/>
<authorisation>
<whitelist>
<entry domain="hawtio"/>
</whitelist>
<default-access>
<access method="list*" roles="amq"/>
<access method="get*" roles="amq"/>
<access method="is*" roles="amq"/>
<access method="set*" roles="amq"/>
<access method="*" roles="amq"/>
</default-access>
<role-access>
<match domain="org.apache.activemq.artemis">
<access method="list*" roles="amq"/>
<access method="get*" roles="amq"/>
<access method="is*" roles="amq"/>
<access method="set*" roles="amq"/>
<access method="*" roles="amq"/>
</match>
<!--example of how to configure a specific object-->
<!--<match domain="org.apache.activemq.artemis" key="subcomponent=queues">
<access method="list*" roles="view,update,amq"/>
<access method="get*" roles="view,update,amq"/>
<access method="is*" roles="view,update,amq"/>
<access method="set*" roles="update,amq"/>
<access method="*" roles="amq"/>
</match>-->
</role-access>
</authorisation>
</management-context>
I have tried the following:
Uncommented <connector connector-port="1099"/> in management.xml file
Uncommented in artemis-service.xml:
<!-- uncomment this if you want to connect jconsole to connect -->
<argument>-Dcom.sun.management.jmxremote</argument>
<argument>-Dcom.sun.management.jmxremote.port=1099</argument>
<argument>-Dcom.sun.management.jmxremote.ssl=false</argument>
<argument>-Dcom.sun.management.jmxremote.authenticate=false</argument>
Add in artemis-service.xml:
<argument>-Dcom.sun.management.jmxremote.rmi.port=1099</argument>
I just got this working in ActiveMQ Artemis 2.6.2 by doing the following:
1. Download and unzip ActiveMQ Artemis 2.6.2 to <ACTIVEMQ_HOME>
2. Open a terminal and run cd <ACTIVEMQ_HOME>/bin
3. Create a new broker instance using ./artemis create ~/testJMX --user myUser --pass myPass --require-login
4. Uncomment <connector connector-port="1099"/> in etc/management.xml.
5. Start the broker using ./artemis run
6. Start JConsole using the jconsole command.
7. Point JConsole to service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi using myUser & myPass for the username & password respectively.
8. Observe that JConsole connects properly and all MBeans are accessible.
I used JDK 1.8 on Linux. I don't have a Windows box I can test with.
It is also possible to get this working by changing steps #4 & #7 slightly:
1. Download and unzip ActiveMQ Artemis 2.6.2 to <ACTIVEMQ_HOME>
2. Open a terminal and run cd <ACTIVEMQ_HOME>/bin
3. Create a new broker instance using ./artemis create ~/testJMX --user myUser --pass myPass --require-login
4. Remove all of the contents of the management-context element in etc/management.xml so that you're left only with this:
   <management-context xmlns="http://activemq.org/schema" />
5. Start the broker using ./artemis run
6. Start JConsole using the jconsole command.
7. Point JConsole to the local ActiveMQ Artemis process.
8. Observe that JConsole connects properly and all MBeans are accessible.
In general, I recommend you move to the latest version. ActiveMQ Artemis 2.6.2 was released almost 3 years ago now. Since 2.6.2 was released the JMX properties have been removed from artemis-service.xml as they are no longer applicable. See ARTEMIS-2112 for more details.

Share config in cluster

How can I share the config files in a cluster that is in failover mode?
I don't want to edit artemis-user.properties, artemis-role.properties, and broker.xml files on every server in the cluster.
Cluster settings:
security-enabled: true
persistence-enabled : true
paging-directory, bindings-directory, journal-directory, large-messages-directory used from master server
Security settings like this:
<security-setting match="clusterQueue">
<permission type="createNonDurableQueue" roles="amq"/>
<permission type="deleteNonDurableQueue" roles="amq"/>
<permission type="createDurableQueue" roles="amq"/>
<permission type="deleteDurableQueue" roles="amq"/>
<permission type="createAddress" roles="amq"/>
<permission type="deleteAddress" roles="amq"/>
<permission type="consume" roles="amq"/>
<permission type="browse" roles="amq"/>
<permission type="send" roles="amq"/>
<!-- we need this otherwise ./artemis data imp wouldn't work -->
<permission type="manage" roles="amq"/>
</security-setting>
Is it possible?
ActiveMQ Artemis doesn't provide any automated way to share configuration between cluster members. However, since all the configuration you referenced is text-based it should be fairly simple to replicate it to your brokers with standard tools and/or infrastructure. For example, you could use SCP to copy the files, create a shared NFS mount with them, etc.
Even in a homogeneous cluster it's common to have small differences in the configuration files (e.g. for the cluster-connection, an acceptor, etc.). In that case you can use system property substitution (which is referenced in the documentation) to pull out the bits from each broker which need to be customized and then set those in artemis.profile, e.g.:
JAVA_ARGS="$JAVA_ARGS -DmyAcceptor=tcp://192.168.1.10:61616"
Then reference that system property in your broker.xml, e.g.:
<acceptor name="netty-acceptor">${myAcceptor}</acceptor>
In this way you can have the same broker.xml shared among all the brokers but each can have their own artemis.profile with the unique values that each broker needs.

User with only Read-Only Console permission?

I would like to know if it is possible to add a user with "read-only" access to the Artemis Web console.
Right now we are at a point where it is important to check if my application's consumer is created and connected to the queues, if it is the only one connected, etc. And the easiest place I can think of seeing this is through the Artemis Console. What I want is to create a user that can only see this information, the messages in the queues, etc., but cannot create new queues, send messages, purge queues, etc.
Is that possible?
I have tried following this tutorial to create a user and play around with the roles but for some reason I can't even connect to the console with my created user. I keep getting "Forbidden".
Thanks!
Edit
What I have tried:
I have updated artemis-users.properties to have the following users:
admin = ENC(1024:5C41928065C0AED5B88F8DD66937F86F59BCF9F6BAC9097CD12C6D66FE83DC3B:DC9FCEECBBCB4849F3AE9570D83C8ABFDB1E03B0318F7B4BA128B9A174C00049C817FB2F7613D4A332BA1D1FF14C70F1E0492EECE747A6C7881E358F44CDB02C)
amqviewer = 123abc
The admin user was created when I have set up the broker. The amqviewer is the user I'm trying to have read-only permissions.
On the artemis-roles.properties I have set the amqviewer to have the viewer role (at least that's what I think after seeing how it was for the admin user):
amq = admin
viewer = amqviewer
and on the management.xml I have set the following:
<authorisation>
<whitelist>
<entry domain="hawtio"/>
</whitelist>
<default-access>
<access method="list*" roles="amq"/>
<access method="get*" roles="amq"/>
<access method="is*" roles="amq"/>
<access method="set*" roles="amq"/>
<access method="*" roles="amq"/>
</default-access>
<role-access>
<match domain="org.apache.activemq.artemis">
<access method="list*" roles="amq"/>
<access method="get*" roles="amq"/>
<access method="is*" roles="amq"/>
<access method="set*" roles="amq"/>
<access method="*" roles="amq"/>
</match>
<match domain="org.apache.activemq.artemis">
<access method="list*" roles="viewer"/>
<access method="get*" roles="viewer"/>
</match>
</role-access>
</authorisation>
The thing is, I can't even get past the login. When I try to login with the amqviewer user, I get forbidden.
To allow only read access in the webconsole, the role needs to be set in the management.xml and in the artemis.profile.
To configure the role readonly, update the management.xml and artemis.profile as below.
<role-access>
<match domain="org.apache.activemq.artemis">
<access method="list*" roles="readonly,amq"/>
<access method="get*" roles="readonly,amq"/>
<access method="is*" roles="readonly,amq"/>
<access method="set*" roles="update,amq"/>
<access method="*" roles="amq"/>
</match>
</role-access>
in artemis.profile: -Dhawtio.roles=amq,readonly
Refer: https://activemq.apache.org/components/artemis/documentation/latest/management.html.
Edit (as I am not able to reply in a comment):
Everything you have done so far is right. You just need to add the role "readonly" in the artemis.profile for the hawtio role.
in artemis.profile: -Dhawtio.roles=amq,readonly
You can verify whether you added it successfully from the broker startup log. It will display as below.
2019-05-06 10:45:24,655 INFO [io.hawt.web.AuthenticationFilter] Starting hawtio authentication filter, JAAS realm: "activemq" authorized role(s): "admin,readonly" role principal classes: "org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal"
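The "Forbidden" login in this question, and the reminders in the earlier answers that every role used by the console must also be in HAWTIO_ROLE or -Dhawtio.roles, come down to one consistency rule: a role that management.xml grants but Hawtio does not accept at login is useless. The script below is an added example (not part of the broker) that extracts the roles from a management.xml, the roles the console accepts from artemis.profile, and the "authorized role(s)" from the startup log line, and reports any role granted in management.xml that the console would reject. The management.xml, artemis.profile and log line it runs on are constructed for the demo (the log line is modelled on the one quoted in the answer); how the launcher combines HAWTIO_ROLE with the -Dhawtio.role/-Dhawtio.roles properties varies by version, so the script simply unions them, which is an assumption of this example.

```python
"""Added example: cross-check the roles granted in management.xml against the
roles Hawtio accepts at login (HAWTIO_ROLE / -Dhawtio.role(s) in
artemis.profile) and against the broker's startup log line.  Not broker code."""
import re
import xml.etree.ElementTree as ET

# Constructed inputs.  The 'update' role is granted in management.xml but never
# added to the Hawtio role list: users holding only that role get "Forbidden".
MANAGEMENT_XML = """<management-context xmlns="http://activemq.org/schema">
  <authorisation>
    <role-access>
      <match domain="org.apache.activemq.artemis">
        <access method="list*" roles="readonly,amq"/>
        <access method="get*" roles="readonly,amq"/>
        <access method="is*" roles="readonly,amq"/>
        <access method="set*" roles="update,amq"/>
        <access method="*" roles="amq"/>
      </match>
    </role-access>
  </authorisation>
</management-context>"""

ARTEMIS_PROFILE = """# Hawtio Properties
HAWTIO_ROLE='amq'
JAVA_ARGS="-Dhawtio.realm=activemq -Dhawtio.roles=amq,readonly -Dhawtio.offline=true"
"""

# Constructed, modelled on the startup line quoted in the answer above.
STARTUP_LOG_LINE = ('2019-05-06 10:45:24,655 INFO [io.hawt.web.AuthenticationFilter] '
                    'Starting hawtio authentication filter, JAAS realm: "activemq" '
                    'authorized role(s): "amq,readonly" role principal classes: '
                    '"org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal"')


def _split_roles(text):
    return {r.strip() for r in text.split(",") if r.strip()}


def roles_granted_in_management(xml_text):
    """Every role named in any <access roles="..."> element, whatever the xmlns."""
    roles = set()
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "access":
            roles |= _split_roles(el.get("roles", ""))
    return roles


def hawtio_roles_in_profile(profile_text):
    """Roles the console will accept: HAWTIO_ROLE plus any -Dhawtio.role or
    -Dhawtio.roles property.  Assumption: the sources are simply unioned."""
    roles = set()
    for m in re.finditer(r"^\s*HAWTIO_ROLE=['\"]?([^'\"\n]+)", profile_text, re.M):
        roles |= _split_roles(m.group(1))
    for m in re.finditer(r"-Dhawtio\.roles?=([^\s'\"]+)", profile_text):
        roles |= _split_roles(m.group(1))
    return roles


def authorized_roles_from_log(line):
    """Roles Hawtio reports in its startup line, or None if `line` is not that message."""
    m = re.search(r'authorized role\(s\): "([^"]*)"', line)
    return _split_roles(m.group(1)) if m else None


def missing_console_roles(xml_text, profile_text):
    """Roles that management.xml grants but the console would reject at login."""
    return sorted(roles_granted_in_management(xml_text) - hawtio_roles_in_profile(profile_text))


def profile_matches_log(profile_text, line):
    """True when the running broker advertises exactly the profile's role list."""
    return authorized_roles_from_log(line) == hawtio_roles_in_profile(profile_text)


if __name__ == "__main__":
    print("granted in management.xml:", sorted(roles_granted_in_management(MANAGEMENT_XML)))
    print("accepted by the console:  ", sorted(hawtio_roles_in_profile(ARTEMIS_PROFILE)))
    print("missing from the console: ", missing_console_roles(MANAGEMENT_XML, ARTEMIS_PROFILE))
    print("startup log agrees:       ", profile_matches_log(ARTEMIS_PROFILE, STARTUP_LOG_LINE))
```

Run the log check against the real broker output rather than the profile alone: the startup line is what the running process actually loaded, so a mismatch between it and artemis.profile means the broker was not restarted after the edit or a different profile is in use.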