Question about authentication in ActiveMQ Artemis - activemq-artemis

We have ActiveMQ Artemis 2.26.0 which is configured for Active Directory domain authentication.
When a user is authenticated the role is assigned using group membership (userRoleName="memberOf") or username (userRoleName="sAMAccountName"). Is it possible to grant authorizations using both the username and the groups to which the user belongs?
Currently I have a login.config which works differently for users in different organizational units of the domain:
LDAPLogin {
org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule sufficient
debug=true
initialContextFactory="com.sun.jndi.ldap.LdapCtxFactory"
ignorePartialResultException=true
connectionURL="ldaps://domain-controller1:636 ldaps://domain-controller2:636"
connectionUsername="bind_username"
connectionPassword="bind_password"
connectionProtocol="s"
connectionTimeout="5000"
readTimeout="5000"
authentication=simple
userBase="OU=OU_for_application_users,DC=company,DC=tld"
userSearchMatching="(sAMAccountName={0})"
userSearchSubtree=true
userRoleName="sAMAccountName"
;
org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule sufficient
debug=true
initialContextFactory="com.sun.jndi.ldap.LdapCtxFactory"
ignorePartialResultException=true
connectionURL="ldaps://domain-controller1:636 ldaps://domain-controller2:636"
connectionUsername="bind_username"
connectionPassword="bind_password"
connectionProtocol="s"
connectionTimeout="5000"
readTimeout="5000"
authentication=simple
userBase="OU=OU_for_team_users,DC=company,DC=tld"
userSearchMatching="(sAMAccountName={0})"
userSearchSubtree=true
userRoleName="memberOf"
roleName="CN"
;
};
A user from OU_for_application_users gets one role which is equal to the username, and a user from OU_for_team_users gets roles from the list of groups to which the user belongs. Technically these are different types of users (special application accounts and personal user accounts).
Is it possible to create a login.config which assigns a user a list of roles combining the username and the list of the user's groups? Or is there any other way to add authorizations which use both the username and the groups of the user?
Also I wonder whether it is a good idea. In other brokers, for example IBM MQ, we can configure separate authorizations for users and for groups. In ActiveMQ Artemis we have only one "role" regardless of what it represents - username or group name.

ActiveMQ Artemis supports role-based access control. There is no option to configure authorization based on username.
The configuration of the LDAPLoginModule is limited to userRoleName when assigning roles. However, JAAS login modules are pluggable so you are free to write your own or contribute changes to LDAPLoginModule to support the behavior you want.
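As an added example (not part of the original question or answer, and not Artemis's own documentation), here is one way to get the union of both role sources with standard JAAS stacking rather than a custom login module: change the two `sufficient` entries to `optional`. With `sufficient`, JAAS stops at the first module that succeeds, so a user only ever receives the roles from one entry; with `optional`, JAAS keeps evaluating, and every module that authenticated the user commits its own RolePrincipals into the Subject. This assumes Artemis's LDAPLoginModule follows ordinary JAAS stacking semantics (each entry adds its roles in commit()); the connection settings are copied from the question, the bind credentials are placeholders, and the domain-root userBase on the second entry is an assumption made so that application accounts are found by both entries.

```jaas
LDAPLogin {
    // Entry 1: role = the account's own sAMAccountName.
    // "optional" instead of "sufficient": JAAS continues to the next
    // module after success, so the roles from both entries are combined.
    org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule optional
        debug=true
        initialContextFactory="com.sun.jndi.ldap.LdapCtxFactory"
        ignorePartialResultException=true
        connectionURL="ldaps://domain-controller1:636 ldaps://domain-controller2:636"
        connectionUsername="bind_username"
        connectionPassword="bind_password"
        connectionProtocol="s"
        connectionTimeout="5000"
        readTimeout="5000"
        authentication=simple
        userBase="OU=OU_for_application_users,DC=company,DC=tld"
        userSearchMatching="(sAMAccountName={0})"
        userSearchSubtree=true
        userRoleName="sAMAccountName";

    // Entry 2: roles = CN of every group listed in memberOf.
    // Assumption: userBase is the domain root so that application accounts
    // (entry 1) and personal accounts are both matched here and receive
    // group roles; narrow it if only some OUs should get group roles.
    org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule optional
        debug=true
        initialContextFactory="com.sun.jndi.ldap.LdapCtxFactory"
        ignorePartialResultException=true
        connectionURL="ldaps://domain-controller1:636 ldaps://domain-controller2:636"
        connectionUsername="bind_username"
        connectionPassword="bind_password"
        connectionProtocol="s"
        connectionTimeout="5000"
        readTimeout="5000"
        authentication=simple
        userBase="DC=company,DC=tld"
        userSearchMatching="(sAMAccountName={0})"
        userSearchSubtree=true
        userRoleName="memberOf"
        roleName="CN";
};
```

Two caveats when using this. First, login succeeds as long as at least one `optional` entry succeeds, so a personal account that is not under OU_for_application_users simply skips entry 1 and gets only its group roles, while an application account gets its username role plus its group roles; an account found by neither entry is rejected, and an account found by both is bound (password-checked) twice. Second, as the answer above says, Artemis has a single role namespace: broker.xml security-settings match on the role string alone, so if a group's CN happens to equal some account's sAMAccountName, every member of that group inherits the permissions granted to that account name, and vice versa. Keep the two name sets disjoint (for example by a naming convention for application accounts) before relying on this.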

Related

Snowflake data steward discovery based on role hierarchy

Snowflake follows the role-based access control (RBAC) paradigm. Best practice for RBAC is to have functional and access roles managing either users and clients or access privileges. This creates, in the worst case, a variety of roles that inherit permissions from and grant them to each other. By nature, one can easily lose sight of it.
In Snowflake, grants to roles and users are stored in ACCESS_USAGE.GRANTS_TO_ROLES and ACCESS_USAGE.GRANTS_TO_USERS. What is a proper approach to identify the data stewards/owners of a role automatically (if not labeled explicitly in 3rd party tooling)?
Options I thought of:
recursive lookup of OWNERSHIP privileges of roles of roles (will generate a lot of false positives)
recursive discovery of a service account that has advanced permissions on a role and lookup of the service account owner
lookup of the usage pattern of executed queries (there might actually be more consumers than producers)
A couple of options:
Populate the role’s comment field with the relevant Data Steward information
Use Tags (in public preview)

Is it possible to add different roles to a user in different groups in keycloak?

User-Ankit
He is in two groups named flights and hotels.
In flights, he is a manager.
In hotels, he is a supervisor.
Can we assign these different roles to Ankit in different groups in Keycloak?
I think you have to separate the roles to be specific to the group - you'd need a flights-manager role and a separate hotels-manager role and so on.
You can assign roles to a user or group but assigning roles to a group effectively assigns those roles to all the members of the group. I think this is pretty typical.
When you assign roles to the user, you just assign roles to the user and not to a user within a group.
There's a thread in the Keycloak mailing list where this comes up. Basically groups are just ways of collecting users and not part of the access control structure.
If hotels and flights correspond to apps then you might want to consider whether you could handle them as clients rather than groups but I think you'd still need to have separate sets of roles.

Service for User to Self

When it comes to Windows permissions, a security principal (Admin1) can gather information on another security principal (User1), e.g. their SID and group membership (group SIDs), then take this list of SIDs and compare it to an ACL (for example on a file/folder) to check if this other security principal (User1) has rights to a given resource.
There is some basic information at this link.
The thing I do not quite understand at the moment is 'under what identity' Admin1 requests User1's SID and User1's group SIDs.
For example, in the above link MSDN talks about Kerberos, and my understanding of Kerberos is that the TGT or ST is encrypted using the hash of the security principal's (SPN's) password, e.g. either the password hash of krbtgt for TGTs or the password hash of the SPN for a given SPN (like a CIFS service).
I understand the service/session (in 'Service for User to Self') requests a Kerberos service ticket (ST) for 'itself' and therefore the service is able to decrypt the ST to extract the SIDs.
However, what gives the service/session the 'right' to ask for the SIDs of another user?
Is it simply because any security principal authenticated to AD can 'read' attributes of another security principal and can therefore request this list? I assume so.
I am not a programmer, but rather a Microsoft Server/System engineer.

Suite CRM Role management, GM, DM, SR hierarchy

Can you please explain how I can set up the role management and security groups in SuiteCRM to achieve this:
Two General Managers; they cannot access the records of other GMs or their team records.
Any number of Divisional Managers under a GM; they cannot access the records of their own GM, other GMs, or other DMs, but can access the reports of the SRs under them.
SRs (Sales Representatives) can access only their own records.
Thanks :)
Try this (not tested)
Create all security groups for DMs. This is the main unit of security.
Assign the GM users to the DM security groups they have access to. No need to create a GM group, just give them access to the groups they need.
Create an SR role and set the permissions to Own. Assign SR users to this role. This will restrict users in this role to only seeing their own records.
Create a DM role and set the permissions to Group. Assign DM users to this role. Only one DM role is needed, and ALL of the GM and DM users should belong to it.
Add the SR and DM roles to all the DM security groups.
The logic is like this:
Users who try to access a record will have to go through their roles first; if it's, say, Own, then that's where the security logic compares the owner of the record.
If the user's roles have a Group setting then the user's groups will be scanned, and it checks whether the record belongs to someone in those groups. If not, access is denied.
So that's it; the Group setting needs to be on each module you want to restrict access to, and sadly this is manual work. Take a look at this image, you can see the different types of access you can grant on a role/action.

Map user role to LDAP group

I have been looking for a while online and can't find how to map a role to a user group in JBoss.
I will be maintaining user groups in LDAP but the roles will be local, so I want to have a way of mapping a role to an LDAP group in a static way - in a property file or in an XML config.