I am able to authenticate via web console as well as via the bin/artemis producer command with credentials from my LDAP server. When I use the same credentials with mosquitto_pub to the same topic the log says
User: $username does not have permission='SEND' on address $address
I've verified the resolved roles in the logs as well - they are the same for mosquitto_pub as for artemis producer. In my case they resolve a producer role which has admin privileges.
Is there any difference in authorization depending on the protocols? As it seems the authorization works for the CORE protocol and also for AMQP (I've tested both via artemis producer).
Unfortunately I cannot cross-check that with the artemis producer --protocol MQTT - this fails with "protocol MQTT not supported".
As noted in the documentation, the legacy admin permission is not mapped to the send permission:
ActiveMQ 5.x only has 3 permission types - read, write, and admin. These permission types are described on their website. However, as described previously, ActiveMQ Artemis has 9 permission types - createAddress, deleteAddress, createDurableQueue, deleteDurableQueue, createNonDurableQueue, deleteNonDurableQueue, send, consume, browse, and manage. Here's how the old types are mapped to the new types:
read - consume, browse
write - send
admin - createAddress, deleteAddress, createDurableQueue, deleteDurableQueue, createNonDurableQueue, deleteNonDurableQueue, manage (if mapAdminToManage is true)
Therefore, your producer role needs the write permission.
It's not clear why the producer command is working for other protocols (i.e. core & AMQP), but based on what you've provided I believe this is why it isn't working for MQTT.
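The mapping quoted above can be checked the way the broker itself checks it. The following is an added example, not code from the question, the answer or the Artemis project: it builds an Artemis Role from a set of legacy ActiveMQ 5.x permission types following the table above, and then asks CheckType.SEND whether that role may send. It assumes the 11-argument Role constructor of Artemis 2.x (org.apache.activemq.artemis.core.security.Role) and the CheckType enum from the same package; the role name and permission sets are constructed for the demonstration.

```java
import java.util.EnumSet;
import java.util.Set;
import org.apache.activemq.artemis.core.security.CheckType;
import org.apache.activemq.artemis.core.security.Role;

public final class LegacyPermissionMapping {

    /** The three permission types ActiveMQ 5.x knows. */
    public enum Legacy { READ, WRITE, ADMIN }

    /**
     * Builds an Artemis Role from the legacy permission types granted to a role
     * name, following the mapping table from the documentation:
     *   read  -> consume, browse
     *   write -> send
     *   admin -> create/delete address, create/delete durable and non-durable
     *            queue, and manage only if mapAdminToManage is true.
     */
    public static Role fromLegacy(String roleName, Set<Legacy> legacy, boolean mapAdminToManage) {
        boolean read = legacy.contains(Legacy.READ);
        boolean write = legacy.contains(Legacy.WRITE);
        boolean admin = legacy.contains(Legacy.ADMIN);
        return new Role(roleName,
                write,                      // send
                read,                       // consume
                admin, admin,               // createDurableQueue, deleteDurableQueue
                admin, admin,               // createNonDurableQueue, deleteNonDurableQueue
                admin && mapAdminToManage,  // manage
                read,                       // browse
                admin, admin);              // createAddress, deleteAddress
    }

    /** Same check the broker performs before accepting a produced message. */
    public static boolean canSend(Role role) {
        return CheckType.SEND.hasRole(role);
    }

    public static void main(String[] args) {
        // A "producer" role that only carries the legacy admin permission, as in the
        // question: it gets every create/delete permission but no send.
        Role adminOnly = fromLegacy("producer", EnumSet.of(Legacy.ADMIN), true);
        // The same role once write is granted in the directory.
        Role withWrite = fromLegacy("producer", EnumSet.of(Legacy.ADMIN, Legacy.WRITE), true);

        System.out.println("admin only   -> SEND allowed: " + canSend(adminOnly));
        System.out.println("admin+write  -> SEND allowed: " + canSend(withWrite));
        System.out.println("admin only   -> MANAGE allowed: " + CheckType.MANAGE.hasRole(adminOnly));
    }
}
```

The useful diagnostic is the first line of output: a role that resolves with only admin cannot send, regardless of which protocol delivered the message, which is exactly the permission='SEND' failure in the log.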
Related
Has anybody connected Kafka and ACL to a Payara/Glassfish server that uses declared security annotations like #DeclaredRoles #RolesAllowed?
I’m interested in the translation/connection from the ACL’s roles to the roles defined in the security realm used in the Payara server.
/Jan
I want the #RolesAllowed to work with the credentials of the calling user
Is there a way in ActiveMQ Artemis to create users and roles dynamically from code or is calling shell command artemis or artemis.cmd the only way?
Edit: Also, is there a way to list and delete users and roles?
The CLI commands use the management API to add, list, remove, and reset users. The management API is accessible in many different ways. For example, if your broker is embedded you can invoke the management API directly. If your broker is remote you could use JMX (either administratively or programmatically, programmatic example here), HTTP (via Jolokia), or management messages (example here).
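One of the programmatic routes listed above is JMX. The following is an added example, not the answer's own code and not an Artemis example: it connects to a broker's remote JMX endpoint, obtains a proxy for the ActiveMQServerControl MBean and calls the same add, list, reset and remove user operations the CLI uses. The JMX URL, the JMX credentials and the user name, password and role values are assumptions for the demonstration; ObjectNameBuilder.DEFAULT resolves the MBean for a broker named "localhost", so a broker with another name needs ObjectNameBuilder.create(...). These user operations edit the properties-file user store, so they apply to a broker whose login module is the PropertiesLoginModule, not to users that live in LDAP.

```java
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServerConnection;
import javax.management.MBeanServerInvocationHandler;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import org.apache.activemq.artemis.api.core.management.ActiveMQServerControl;
import org.apache.activemq.artemis.api.core.management.ObjectNameBuilder;

public class ArtemisUserAdmin {

    public static void main(String[] args) throws Exception {
        // Assumed remote JMX endpoint and credentials; the broker must expose JMX
        // remotely (management.xml / jmx settings) for this to connect.
        JMXServiceURL url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi");
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS, new String[] {"admin", "admin-password"});

        try (JMXConnector connector = JMXConnectorFactory.connect(url, env)) {
            MBeanServerConnection mbsc = connector.getMBeanServerConnection();

            // MBean name for the default broker name "localhost".
            ObjectName serverName = ObjectNameBuilder.DEFAULT.getActiveMQServerObjectName();
            ActiveMQServerControl control = MBeanServerInvocationHandler.newProxyInstance(
                    mbsc, serverName, ActiveMQServerControl.class, false);

            // Add a user with one role; plaintext=false stores a hashed password.
            control.addUser("svc-producer", "initial-secret", "producer", false);

            // listUser returns a JSON string describing the user(s); an empty
            // username lists every user in the store.
            System.out.println("after add:   " + control.listUser("svc-producer"));

            // Rotate the password and replace the role list.
            control.resetUser("svc-producer", "rotated-secret", "producer,monitor");
            System.out.println("after reset: " + control.listUser("svc-producer"));

            // Remove the user again.
            control.removeUser("svc-producer");
            System.out.println("after remove: " + control.listUser(""));
        }
    }
}
```

Because the connection carries admin credentials for the broker, keep this kind of tooling behind the same access controls as the CLI: the JMX account should be limited to the management operations it needs, and the broker's audit logging will record each of these operations with the calling principal.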
Confluent has something called Audit Logs which are written to internal topics (if configured) and which log access to Kafka resources such as clients writing or reading from particular topics. That's all great, however, there are components in a Confluent/Kafka setup such as Confluent Control Center which (should) have an RBAC access set up for users to log in and use.
It is possible to set it up and have users log in with username and password but I am having difficulties in locating where exactly Confluent provides logs of successful/unsuccessful login attempts. If I set the Control Center logs to DEBUG, I can see the HTTP communication and the password lookup for when a user tries to login but I don't see an option for admin review and control of such events. Audit Logs are apparently only for Kafka resources. Is there no other option other than building up a custom solution, scraping DEBUG logs?
The list of auditable events is documented here. Confluent Control Center login events are unfortunately not one of them.
I see that I can publish a message through HTTP using the RabbitMQ Management plugin. My problem is that it exposes the exchanges and operations but requires an administrator user to perform the operations. Is that correct?
I tried to publish to this exchange using a user that I configured with write permission:
http://localhost:15672/api/exchanges/%2f/amq.default/publish
And the server returns:
{
"error": "not_authorised",
"reason": "Not management user"
}
But if I try to perform the same operation with the user guest I get the following response:
{
"routed": true
}
Is this correct? Do I need to have an administrator user to consume the HTTP publish API (even with a user that has write permissions)? Are there any other options to have an exchange published accepting requests based on RabbitMQ user permissions?
Actually this feature is part of the management console and exposes functionalities related to this module. There are no options to configure users without an administration role to access the HTTP API.
You have to add the tag to your user:
sudo rabbitmqctl set_user_tags youruser management
I got it from here
I have customized a new LDAP plugin to provide basic ZooKeeper authentication,
something like
setAcl /zookeeperPath ldap:<Group>:crwda
and when I check for the znodes
addAuth ldap:<uid>:password
will grant me access to the znodes
I know this can be done using Kerberos. But in my enterprise, Linux auth is done through sssd; Kerberos is not enabled.
I am afraid I have done some customization that should not have been done, because I did not get any reference from the internet to do it.
If there are any plugins that have already been used, please help.
There is no LDAP auth plugin for ZooKeeper, as ZooKeeper supports SASL Kerberos authentication. But additional ACLs can be set using Active Directory or LDAP group permissions. This can be achieved by implementing
org.apache.zookeeper.server.auth.AuthenticationProvider
and setting -D params as
-Dzookeeper.authProvider.1=class.path.to.XyzAuthenticationProvider
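What such a provider looks like, as an added example that is not the asker's plugin and not ZooKeeper project code: an AuthenticationProvider for a hypothetical "ldap" scheme in which addauth ldap:<uid>:<password> verifies the credentials and ACLs of the form ldap:<group>:crwda match when the authenticated uid belongs to <group>, as in the question. The Directory interface, the class name LdapAuthenticationProvider and the in-memory directory in main are constructed for the demonstration; a production class would implement Directory against the LDAP server (for example with a JNDI bind and a group-membership search) and, because ZooKeeper instantiates providers reflectively, would need a no-argument constructor that wires that directory in. It assumes ZooKeeper 3.5+ (the five-method AuthenticationProvider interface, ServerCnxn.addAuthInfo) and Java 9+ for Map.of/Set.of.

```java
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.server.ServerCnxn;
import org.apache.zookeeper.server.auth.AuthenticationProvider;

public class LdapAuthenticationProvider implements AuthenticationProvider {

    /** Directory backend (hypothetical). A real implementation binds to LDAP
     *  and reads group membership; it is an interface so the provider logic
     *  can be exercised without a directory server. */
    public interface Directory {
        boolean bind(String uid, String password);
        Set<String> groupsOf(String uid);
    }

    private final Directory directory;

    public LdapAuthenticationProvider(Directory directory) {
        this.directory = directory;
    }

    /** Scheme name used in both addauth and setAcl, i.e. "ldap:". */
    @Override
    public String getScheme() {
        return "ldap";
    }

    /** Parses "<uid>:<password>" and verifies it with a bind. Returns the uid on
     *  success; the password is used only for the bind and never retained. */
    public Optional<String> authenticate(byte[] authData) {
        String[] parts = new String(authData, StandardCharsets.UTF_8).split(":", 2);
        if (parts.length != 2 || parts[0].isEmpty() || parts[1].isEmpty()) {
            return Optional.empty();
        }
        return directory.bind(parts[0], parts[1]) ? Optional.of(parts[0]) : Optional.empty();
    }

    /** Called by ZooKeeper on addauth. On success the connection is tagged with
     *  Id("ldap", uid); checkACL later passes that id to matches(). */
    @Override
    public KeeperException.Code handleAuthentication(ServerCnxn cnxn, byte[] authData) {
        Optional<String> uid = authenticate(authData);
        if (!uid.isPresent()) {
            return KeeperException.Code.AUTHFAILED;
        }
        cnxn.addAuthInfo(new Id(getScheme(), uid.get()));
        return KeeperException.Code.OK;
    }

    /** id is the authenticated uid from the connection, aclExpr the group named
     *  in the znode ACL (ldap:<group>:perms). Membership is decided by the directory. */
    @Override
    public boolean matches(String id, String aclExpr) {
        return directory.groupsOf(id).contains(aclExpr);
    }

    /** Ids of this scheme exist only after a successful bind. */
    @Override
    public boolean isAuthenticated() {
        return true;
    }

    /** Rejects malformed ACL ids at setAcl time: a group name, no ':' or spaces. */
    @Override
    public boolean isValid(String id) {
        return id != null && !id.isEmpty() && !id.contains(":") && !id.contains(" ");
    }

    // Constructed in-memory stand-in for the directory, to exercise the logic locally.
    public static void main(String[] args) {
        Map<String, String> passwords = Map.of("alice", "pw-alice", "bob", "pw-bob");
        Map<String, Set<String>> groups = Map.of("alice", Set.of("zk-admins"), "bob", Set.of("zk-readers"));
        Directory fake = new Directory() {
            public boolean bind(String uid, String pw) { return pw.equals(passwords.get(uid)); }
            public Set<String> groupsOf(String uid) { return groups.getOrDefault(uid, Set.of()); }
        };
        LdapAuthenticationProvider p = new LdapAuthenticationProvider(fake);

        System.out.println("alice, right password: " + p.authenticate("alice:pw-alice".getBytes(StandardCharsets.UTF_8)));
        System.out.println("alice, wrong password: " + p.authenticate("alice:wrong".getBytes(StandardCharsets.UTF_8)));
        System.out.println("alice in zk-admins:    " + p.matches("alice", "zk-admins"));
        System.out.println("bob in zk-admins:      " + p.matches("bob", "zk-admins"));
        System.out.println("valid ACL id 'zk-admins': " + p.isValid("zk-admins"));
    }
}
```

Two points matter for review of a plugin like this. addauth sends the password in the clear on the client connection, so the scheme is only as safe as the transport (TLS between clients and the ensemble). And matches() is called on every ACL check, so a production Directory should cache group membership rather than query LDAP per request.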