My MQ server is built with ActiveMQ Artemis 2.17.0.
Recently I realized that some clients are connecting to my ActiveMQ Artemis without setting client id and subscription and subscribing to some topics. Their queues became UUID like below:
So, I want to know how to force ActiveMQ clients to set client id and subscription name? And if they don't config client id and subscription name, the ActiveMQ Artemis can kick them out.
You can't exactly force clients to set their client ID and subscription name, but you can change the security authorization configuration to prevent clients from creating non-durable subscriptions.
Non-durable subscribers create non-durable queues which use the UUID naming convention shown in your web-console screenshot. If you wish to prevent this then modify your security-settings in broker.xml and remove the permission whose type is createNonDurableQueue. Here's the default security-settings:
<security-settings>
<security-setting match="#">
<permission type="createNonDurableQueue" roles="amq"/>
<permission type="deleteNonDurableQueue" roles="amq"/>
<permission type="createDurableQueue" roles="amq"/>
<permission type="deleteDurableQueue" roles="amq"/>
<permission type="createAddress" roles="amq"/>
<permission type="deleteAddress" roles="amq"/>
<permission type="consume" roles="amq"/>
<permission type="browse" roles="amq"/>
<permission type="send" roles="amq"/>
<!-- we need this otherwise ./artemis data imp wouldn't work -->
<permission type="manage" roles="amq"/>
</security-setting>
</security-settings>
This is the permission I'm referring to:
<permission type="createNonDurableQueue" roles="amq"/>
If you remove that permission or remove the user's role from the permission then that user will no longer be able to create a non-durable queue on the matching address. However, as long as they have the createDurableQueue and deleteDurableQueue permissions they will be able to create & delete a durable subscription.
Related
I am trying to specify user rights in Hawtio connected to ActiveMQ Artemis but I can not figure out what below XML attributes (list*, get*, etc.) from management.xml actually mean. Can some one please explain?
management.xml:
<role-access>
<match domain="org.apache.activemq.artemis"
<access method="list*" roles="amq"/>
<access method="get*" roles="amq"/>
<access method="is*" roles="amq"/>
<access method="browse*" roles="amq"/>
<access method="count*" roles="amq"/>
<access method="pause*" roles="amq"/>
<access method="resume*" roles="amq"/>
<access method="move*" roles="amq"/>
<access method="removeMessage*" roles="amq"/>
<access method="removeAllMessages*"roles="amq">
<access method="set*" roles="amq"/>
<access method="*" roles="amq"/>
</match>
...
</role-access>
I am trying to find a list that explains what each "access method" attribute does regarding to user rights in the GUI Hawtio.
There's a few important things to understand concerning your question.
The management API in ActiveMQ Artemis is based on JMX MBeans. These MBeans are implemented as a set of "control" classes. You can browse these via JavaDoc to see all the different attributes and operations they expose.
The ActiveMQ Artemis web console application is built on top of Hawtio. Hawtio communicates via HTTP with Jolokia running on an embedded web server managed by the broker. Jolokia is a JMX-HTTP bridge, and it essentially provides the web console with access to all the JMX MBeans. Therefore, for example, when the web console displays the number of messages in a queue it got that information by invoking the getMessageCount method on the QueueControl MBean for the respective queue. If you look closely at the web console you will see the name of the MBean which is being used behind the scenes, e.g.:
The name of the MBean being used here is:
org.apache.activemq.artemis:broker="0.0.0.0",component=addresses,address="testqueue",subcomponent=queues,routing-type="anycast",queue="testqueue"
The configuration in management.xml allows one to control who is allowed to execute these MBean methods. Here's a basic example involving the MBeans specifically related to queues:
<match domain="org.apache.activemq.artemis" key="subcomponent=queues">
<access method="list*" roles="view,update,amq"/>
<access method="get*" roles="view,update,amq"/>
<access method="is*" roles="view,update,amq"/>
<access method="set*" roles="update,amq"/>
<access method="*" roles="amq"/>
</match>
Using this configuration any users in the role view will be able to use MBean methods which match list*, get*, and is* which basically allows the user to see all the attributes but the user is not allowed to change any attributes or invoke any operations (e.g. deleteMessages).
Hopefully you can see how it's possible to provide users in specific roles specific access to (and only to) the MBeans they need.
Keep in mind that any roles used by Hawtio (i.e. the web console) will need to be defined in etc/artemis.profile in the HAWTIO_ROLE variable.
My ActiveMQ Artemis web console is showing all queues and topics, but lacks the detail I have seen on other deployments of the console. There are no columns present showing queue detail. The user role is amq and has the full permissions. I include a screenshot:
The management.xml is as follows:
<management-context xmlns="http://activemq.org/schema">
<!--<connector connector-port="1099"/>-->
<authorisation>
<allowlist>
<entry domain="hawtio"/>
</allowlist>
<default-access>
<access method="list*" roles="amq"/>
<access method="get*" roles="amq"/>
<access method="is*" roles="amq"/>
<access method="set*" roles="amq"/>
<access method="*" roles="amq"/>
</default-access>
<role-access>
<match domain="org.apache.activemq.artemis">
<access method="list*" roles="amq"/>
<access method="get*" roles="amq"/>
<access method="is*" roles="amq"/>
<access method="set*" roles="amq"/>
<!-- Note count and browse are need to access the browse tab in the console-->
<access method="browse*" roles="amq"/>
<access method="count*" roles="amq"/>
<access method="*" roles="amq"/>
</match>
<!--example of how to configure a specific object-->
<!--<match domain="org.apache.activemq.artemis" key="subcomponent=queues">
<access method="list*" roles="view,update,amq"/>
<access method="get*" roles="view,update,amq"/>
<access method="is*" roles="view,update,amq"/>
<access method="set*" roles="update,amq"/>
<access method="*" roles="amq"/>
</match>-->
</role-access>
</authorisation>
Here's artemis.profile:
ARTEMIS_HOME='/opt/apache-artemis-2.20.0'
ARTEMIS_INSTANCE='/var/lib/artemis'
ARTEMIS_DATA_DIR='/var/lib/artemis/data'
ARTEMIS_ETC_DIR='/var/lib/artemis/etc'
ARTEMIS_OOME_DUMP='/var/lib/artemis/log/oom_dump.hprof'
# The logging config will need an URI
# this will be encoded in case you use spaces or special characters
# on your directory structure
ARTEMIS_INSTANCE_URI='file:/var/lib/artemis/'
ARTEMIS_INSTANCE_ETC_URI='file:/var/lib/artemis/etc/'
# Cluster Properties: Used to pass arguments to ActiveMQ Artemis which can be referenced in broker.xml
#ARTEMIS_CLUSTER_PROPS="-Dactivemq.remoting.default.port=61617 -Dactivemq.remoting.amqp.port=5673 -Dactivemq.remoting.stomp.port=61614 -Dactivemq.remoting.hornetq.port=5446"
# Hawtio Properties
HAWTIO_ROLE='amq'
# Java Opts
if [ -z "$JAVA_ARGS" ]; then
JAVA_ARGS="-javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.rmi.port=1098 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.net.preferIPv4Addresses=true -Djava.net.preferIPv4Stack=true -XX:+UnlockExperimentalVMOptions -XX:+UseContainerSupport -XX:MaxRAMPercentage=50 -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+UseStringDeduplication -Dhawtio.disableProxy=true -Dhawtio.realm=activemq -Dhawtio.offline=true -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal -Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml "
fi
# Uncomment to enable logging for Safepoint JVM pauses
#
# In addition to the traditional GC logs you could enable some JVM flags to know any meaningful and "hidden" pause
# that could affect the latencies of the services delivered by the broker, including those that are not reported by
# the classic GC logs and dependent by JVM background work (eg method deoptimizations, lock unbiasing, JNI, counted
# loops and obviously GC activity).
#
# Replace "all_pauses.log" with the file name you want to log to.
# JAVA_ARGS="-Djava.net.preferIPv4Addresses=true -Djava.net.preferIPv4Stack=true -XX:+UnlockExperimentalVMOptions -XX:+UseContainerSupport -XX:MaxRAMPercentage=50 $JAVA_ARGS -XX:+PrintSafepointStatistics -XX:PrintSafepointStatisticsCount=1 -XX:+PrintGCApplicationStoppedTime -XX:+PrintGCApplicationConcurrentTime -XX:+LogVMOutput -XX:LogFile=all_pauses.log"
# Uncomment to enable the dumping of the Java heap when a java.lang.OutOfMemoryError exception is thrown
# JAVA_ARGS="-Djava.net.preferIPv4Addresses=true -Djava.net.preferIPv4Stack=true -XX:+UnlockExperimentalVMOptions -XX:+UseContainerSupport -XX:MaxRAMPercentage=50 $JAVA_ARGS -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=${ARTEMIS_OOME_DUMP}"
# Only enable debug options for the 'run' command
if [ "$1" = "run" ]; then :
# Uncomment to enable remote debugging
# DEBUG_ARGS="-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=5005"
# Uncomment for async profiler
# DEBUG_ARGS="-XX:+UnlockDiagnosticVMOptions -XX:+DebugNonSafepoints"
fi
Here's login.config:
activemq {
org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required
debug=false
reload=true
org.apache.activemq.jaas.properties.user="artemis-users.properties"
org.apache.activemq.jaas.properties.role="artemis-roles.properties";
}
We have an ActiveMQ Artemis test deployment and we noticed very slow performance after broker having a large number of messages. This is when paging starts. I hope this is normal. To mitigate this after testing we doubled the xmx for the broker. Now the paging (and performance drop) is delayed. My question is are there any other parameters beside memory which can address this.
My broker.xml is:
<configuration xmlns="urn:activemq" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:activemq /schema/artemis-configuration.xsd">
<core xmlns="urn:activemq:core">
<ha-policy>
<replication>
<master>
<group-name>master</group-name>
<check-for-live-server>true</check-for-live-server>
</master>
</replication>
</ha-policy>
<global-max-size>-1</global-max-size>
<bindings-directory>/opt/broker/broker-data/bindings</bindings-directory>
<journal-directory>/opt/broker/broker-data/journal</journal-directory>
<large-messages-directory>/opt/broker/broker-data/largemessages</large-messages-directory>
<paging-directory>/opt/broker-data/paging</paging-directory>
<journal-min-files>25</journal-min-files>
<journal-type>ASYNCIO</journal-type>
<journal-max-io>5000</journal-max-io>
<journal-sync-transactional>false</journal-sync-transactional>
<journal-sync-non-transactional>false</journal-sync-non-transactional>
<journal-buffer-timeout>750000</journal-buffer-timeout>
<connectors>
<connector name="netty-connector">tcp://node1:61616?tcpSendBufferSize=307200;tcpReceiveBufferSize=307200;writeBufferHighWaterMark=1228800;useEpoll=true;useNio=true</connector>
</connectors>
<acceptors>
<acceptor name="netty-acceptor">tcp://node1:61616?tcpSendBufferSize=307200;tcpReceiveBufferSize=307200;writeBufferHighWaterMark=1228800;useEpoll=true;useNio=true</acceptor>
</acceptors>
<broadcast-groups>
<broadcast-group name="my-broadcast-group">
<group-address>${udp-address:231.7.7.7}</group-address>
<group-port>9875</group-port>
<broadcast-period>100</broadcast-period>
<connector-ref>netty-connector</connector-ref>
</broadcast-group>
</broadcast-groups>
<discovery-groups>
<discovery-group name="my-discovery-group">
<group-address>${udp-address:231.7.7.7}</group-address>
<group-port>9875</group-port>
<refresh-timeout>10000</refresh-timeout>
</discovery-group>
</discovery-groups>
<cluster-connections>
<cluster-connection name="my-cluster">
<connector-ref>netty-connector</connector-ref>
<connection-ttl>130000</connection-ttl>
<call-timeout>120000</call-timeout>
<retry-interval>500</retry-interval>
<use-duplicate-detection>true</use-duplicate-detection>
<message-load-balancing>ON_DEMAND</message-load-balancing>
<max-hops>1</max-hops>
<discovery-group-ref discovery-group-name="my-discovery-group"/>
</cluster-connection>
</cluster-connections>
<security-settings>
<security-setting match="#">
<permission type="createNonDurableQueue" roles="amq"/>
<permission type="deleteNonDurableQueue" roles="amq"/>
<permission type="createDurableQueue" roles="amq"/>
<permission type="deleteDurableQueue" roles="amq"/>
<permission type="createAddress" roles="amq"/>
<permission type="deleteAddress" roles="amq"/>
<permission type="consume" roles="amq"/>
<permission type="browse" roles="amq"/>
<permission type="send" roles="amq"/>
<permission type="manage" roles="amq"/>
</security-setting>
</security-settings>
<address-settings>
<address-setting match="activemq.management#">
<dead-letter-address>DLQ</dead-letter-address>
<expiry-address>ExpiryQueue</expiry-address>
<redelivery-delay>0</redelivery-delay>
<max-size-bytes>-1</max-size-bytes>
<message-counter-history-day-limit>10</message-counter-history-day-limit>
<address-full-policy>PAGE</address-full-policy>
<auto-create-queues>true</auto-create-queues>
<auto-create-addresses>true</auto-create-addresses>
<auto-create-jms-queues>true</auto-create-jms-queues>
<auto-create-jms-topics>true</auto-create-jms-topics>
</address-setting>
<address-setting match="#">
<dead-letter-address>DLQ</dead-letter-address>
<expiry-address>ExpiryQueue</expiry-address>
<redelivery-delay>0</redelivery-delay>
<!-- with -1 only the global-max-size is in use for limiting -->
<max-size-bytes>-1</max-size-bytes>
<message-counter-history-day-limit>10</message-counter-history-day-limit>
<address-full-policy>PAGE</address-full-policy>
<auto-create-queues>true</auto-create-queues>
<auto-create-addresses>true</auto-create-addresses>
<auto-create-jms-queues>true</auto-create-jms-queues>
<auto-create-jms-topics>true</auto-create-jms-topics>
<auto-delete-addresses>false</auto-delete-addresses>
</address-setting>
</address-settings>
<!-- address section -->
</core>
</configuration>
EDIT:
Most critical issue is once paging starts broker won't recover to original performance even-though majority of messages are consumed.
Consider that paged messages need to be synchronized to disk similarly to durable ones and the parameter to be set to control the frequency of flushes is page-sync-timeout. If no value is set, the default one is used (see the documentation for an explanation about what that setting is for).
By looking at your journal-buffer-timeout (and assuming this is correctly set) your disk seems quite slow so it's expected that paged messages won't perform great as the disk doesn't have enough IOPS.
I would first check what's the expected IOPS for random writes for your disk and will set page-sync-timeout accordingly (1/IOPS in nanoseconds), but don't expect any improvement if the disk isn't fast enough.
Additional note: If you don't care about power failure durability you can still disable journal-datasync and it should let any disk write to be able to survive just to process failures (i.e. no power failure guarantees). It should be ok if you are using shared-nothing replication, given that a backup is able to take the role in case of failure.
How I can share config file in cluster with is on failover mode?
I don't want to edit artemis-user.properties, artemis-role.properties, and broker.xml files on every server in the cluster.
Cluster settings:
security-enabled: true
persistence-enabled : true
paging-directory, bindings-directory, journal-directory, large-messages-directory used from master server
Security settings like this:
<security-setting match="clusterQueue">
<permission type="createNonDurableQueue" roles="amq"/>
<permission type="deleteNonDurableQueue" roles="amq"/>
<permission type="createDurableQueue" roles="amq"/>
<permission type="deleteDurableQueue" roles="amq"/>
<permission type="createAddress" roles="amq"/>
<permission type="deleteAddress" roles="amq"/>
<permission type="consume" roles="amq"/>
<permission type="browse" roles="amq"/>
<permission type="send" roles="amq"/>
<!-- we need this otherwise ./artemis data imp wouldn't work -->
<permission type="manage" roles="amq"/>
</security-setting>
It is possible?
ActiveMQ Artemis doesn't provide any automated way to share configuration between cluster members. However, since all the configuration you referenced is text-based it should be fairly simple to replicate it to your brokers with standard tools and/or infrastructure. For example, you could use SCP to copy the files, create a shared NFS mount with them, etc.
Even in a homogeneous cluster it's common to have small differences in the configuration files (e.g. for the cluster-connection, an acceptor, etc.). In that case you can use system property substitution (which is referenced in the documentation) to pull out the bits from each broker which need to be customized and then set those in artemis.profile, e.g.:
JAVA_ARGS="$JAVA_ARGS -DmyAcceptor=tcp://192.168.1.10:61616"
Then reference that system property in your broker.xml, e.g.:
<acceptor name="netty-acceptor">${myAcceptor}</acceptor>
In this way you can have the same broker.xml shared among all the brokers but each can have their own artemis.profile with the unique values that each broker needs.
Iam trying to secure hornet Q using role based security implementation.
iam using FSW 6.0 which uses Jboss EAP 6.1.
Standalone xml configuration.
<security-settings>
<security-setting match="#">
<permission type="send" roles="guest"/>
<permission type="consume" roles="guest"/>
<permission type="createNonDurableQueue" roles="guest"/>
<permission type="deleteNonDurableQueue" roles="guest"/>
</security-setting>
<security-setting match="Pricing.Eu.In.#">
<permission type="send" roles="pricing"/>
<permission type="consume" roles="pricing"/>
</security-setting>
</security-settings>
I have created a new user using add-user.bat Application Realm and assigned role to it.
application-roles.Properties
#
# Properties declaration of users roles for the realm 'ApplicationRealm'.
#
# This includes the following protocols: remote ejb, remote jndi, web, remote jms
#
# Users can be added to this properties file at any time, updates after the server has started
# will be automatically detected.
#
# The format of this file is as follows: -
# username=role1,role2,role3
#
# A utility script is provided which can be executed from the bin folder to add the users: -
# - Linux
# bin/add-user.sh
#
# - Windows
# bin\add-user.bat
#
# The following illustrates how an admin user could be defined.
#
#admin=PowerUser,BillingAdmin,
#guest=guest
fswAdmin=overlorduser,admin.sramp,dev,qa,stage,prod,manager,arch,ba
dtgovworkflows=overlorduser,admin.sramp
guest=guest
cubehpr=pricing
When i try to send messages to the Pricing.Eu.In.Deferred jms Queue using client application iam getting below error.
Am i missing anything?
Exception in thread "main" javax.jms.JMSSecurityException: HQ119032: User: cubehpr doesnt have permission=SEND on address {2}
at org.hornetq.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:388)
at org.hornetq.core.client.impl.ClientProducerImpl.sendRegularMessage(ClientProducerImpl.java:318)
at org.hornetq.core.client.impl.ClientProducerImpl.doSend(ClientProducerImpl.java:288)
at org.hornetq.core.client.impl.ClientProducerImpl.send(ClientProducerImpl.java:140)
at org.hornetq.jms.client.HornetQMessageProducer.doSend(HornetQMessageProducer.java:438)
at org.hornetq.jms.client.HornetQMessageProducer.send(HornetQMessageProducer.java:194)
at com.agcs.bih.api.pricing.eu.dispatcher.HornetQClient.main(HornetQClient.java:63)
Caused by: HornetQException[errorType=SECURITY_EXCEPTION message=HQ119032: User: cubehpr doesnt have permission=SEND on address {2}]
... 7 more
can you please help me.
Try following
<security-settings>
<security-setting match="jms.queue.Pricing.Eu.In.#">
<permission type="send" roles="pricing"/>
<permission type="consume" roles="pricing"/>
</security-setting>
<security-setting match="#">
<permission type="send" roles="guest"/>
<permission type="consume" roles="guest"/>
<permission type="createNonDurableQueue" roles="guest"/>
<permission type="deleteNonDurableQueue" roles="guest"/>
</security-setting>
</security-settings>