ActiveMQ authorization
Solution 1
Whenever I have set up ActiveMQ security, I have found it best to use the plain AuthorizationPlugin with wildcards that denote the destinations covered (which is why it's really handy to use naming conventions fro your queues and topics). The idea is that you define a handful of user groups and grant them access to those destinations.
The role of assigning a group from a username is handled by one of the authentication plugins - the JAAS plugin is particularly useful for externalising this information outside the ActiveMQ config in an LDAP directory.
Check out the ActiveMQ Security Guide from FuseSource (registration required) for further information.
Update 2018-07-02 ActiveMQ Security Guide, now located on redhat.
Solution 2
I found some code snippets that ended up being tremendously helpful in getting started on this subject:
http://activemq.2283324.n4.nabble.com/Fully-programmatic-authorization-map-tp2344815.html
Here's how I ended up using it (may not be the best way):
public class TestAuthorizationPlugin extends AuthorizationPlugin {
Then:
@Override
public Broker installPlugin(Broker broker) {
List<DestinationMapEntry> entries = new ArrayList<DestinationMapEntry>();
try {
entries.add(makeTopicAuthorization("groupA.topic", "groupA", "groupA", "groupA"));
entries.add(makeQueueAuthorization("groupA.queue", "groupA", "groupA", "groupA"));
entries.add(makeQueueAuthorization("groupB.queue", "groupB", "groupB", "groupB"));
entries.add(makeTopicAuthorization("ActiveMQ.Advisory.>", "all", "all", "all"));
AuthorizationMap authMap = new DefaultAuthorizationMap(entries);
return new AuthorizationBroker(broker, authMap);
} catch (Exception e) {
LOGGER.error(e);
}
return new AuthorizationBroker(broker, null);
}
jar this and stick it in <activemq_home>/lib/
.
Modify the activemq.xml:
<plugins>
<!-- use JAAS to authenticate using the login.config file on the classpath to configure JAAS -->
<jaasAuthenticationPlugin configuration="activemq" />
<!-- Authorization control -->
<bean xmlns="http://www.springframework.org/schema/beans" class="com.blackstrype.activemq.security.TestAuthorizationPlugin"/>
</plugins>
Another helpful link for more info on autho plugin dev:
http://mariuszprzydatek.com/2014/01/04/token-based-authentication-plugin-for-activemq/
Cacheing
Updated on June 04, 2022Comments
-
Cacheing almost 2 years
If I want to implement JAAS authorization on Apache ActiveMQ, do I have to use the plug-in in the activemq.xml configuration file?
This way is really NOT good because if I want to change authorization, I have to change the activemq.xml file and restart the server in order to work.
Is there any way I can use like JAAS authentication by changing other properties file rather than the activemq.xml file? Or can I custom my own authorization plugin?
Thanks.
-
Cacheing almost 12 yearsI am using JAAS plugin for the authentication. But for my application, there will be new topics created all the time with different names, thus I don't think using wildcards is enough for my application. But is the authorization plugin the only way to implement authorization for ActiveMQ?
-
Jakub Korab almost 12 yearsIt's pretty straightforward to define a naming convention for newly created queues and topics. If you cannot define one because you don't know how your broker will be used, you are likely to run into deeper problems later on. There are two authorization plugins, but both work on the basis of granting access to resources by wildcards - the LDAP one may be a better fit for your needs if you can wire together the code that creates those destinations with an LDAP entry to grant access. Though the requirement comes across as an architectural smell.
-
Cacheing almost 12 yearsAll right, I got what you said. But for me, the topic name is really unpredictable. I think I may need to meet my requirement in another way. And ummm, ActiveMQ really needs improvement, isn't it? :D
-
realMarkusSchmidt almost 9 yearsHow about multi-tenancy, requiring to regularly set up new users and groups? Is there any way to use placeholders in authorization rules like "{group}.>" except using a custom plugin? Wildcards alone won't help in this case.
-
Manish Kumar about 8 yearscan you give an example how to add a username & password dynamically using java?
-
Jakub Korab about 8 yearsPlease outline your problem as another question.
-
DKG about 6 yearsI tried to do a similar implementation but the connection I tried to make are all with ActiveMQ.Advisory.> because of which, the auth map is always mapped to 'all'
-
blackstrype about 4 yearsYes I haven't really found a clever way around this. Three theoretical options: 1) disable Advisories 2) put all users in a group that have full auth on the Advisories. 3) create an accompanying rule for the advisory topic for each messaging authorization (don't know if this is really possible).