Hi Dave, could you get the artemis etc folder from your kubernetes container and share it?
Thanks, Domenico On Fri, 3 Dec 2021 at 17:17, David Martin <dav...@qoritek.com> wrote: > Hi Domenico, > > Thanks - after further experimentation It appears to be related to > Kubernetes but it's pretty baffling (to me at least). It works in Docker. > > The build steps are essentially the same as yours, executed via a > Dockerfile ( > > https://github.com/vromero/activemq-artemis-docker/blob/master/src/Dockerfile > ) > - > > "/opt/apache-artemis-${ACTIVEMQ_ARTEMIS_VERSION}/bin/artemis" create > artemis \ > --home /opt/apache-artemis \ > --user artemis \ > --password simetraehcapa \ > --role amq \ > --require-login \ > --cluster-user artemisCluster \ > --cluster-password simetraehcaparetsulc ; \ > The only other thing it changes is binding to 0.0.0.0 in Jolokia instead of > localhost. > > Then I have sed commands quite similar to yours. > > sed -i "s#\(HAWTIO_ROLE='amq\)#\1,amqro,monitor#" artemis.profile > sed -i 's#\(<access method="\(list\|get\|is\)\*" roles="amq\)"#\1,amqro"#; > s#\(\.activemq\.artemis">\)#\1\n <access > method="isActive" roles="amq,amqro,monitor"/>#' management.xml > sed -i 's#\(<restrict>\)#\1\n <remote>\n <host>127.0.0.1</host>\n > <host>localhost</host>\n <host>10.0.0.0/8</host> \ > <host>172.16.0.0/12</host>\n <host>192.168.0.0/16</host>\n > </remote>#' jolokia-access.xml > > When I run the image in docker, it works. The API works as per your > examples and when I use the console as the monitor user, everything is > locked down except for the Active property in JMX. > > When I run it in Kubernetes with the same image and env vars (accessing via > a nodeport or via kubectl port-forward) it doesn't. Any API method is > accessible and the console functionality is unlocked regardless of my user, > although in the JMX tab I cannot invoke any operations (though I can view > all the properties). If I put debugging on jaas I can see it authenticating > the right user. > > I guess you may not want to help with a 3rd party docker image. I may have > to resort to an NGINX sidecar to get the user name from the Authorization > header and filter it that way! > > I've tried building versions 2.16 and 2.18, same outcome. > > > Many thanks, > > Dave > > > > > On Thu, 2 Dec 2021 at 21:45, Domenico Francesco Bruscino < > bruscin...@gmail.com> wrote: > > > Hi Dave, > > > > I'm not able to reproduce your issue executing the following steps: > > > > 1) create a new broker instance: > > ./bin/artemis create broker --user admin --password admin --require-login > > > > 2) add test user with monitor role > > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties > > echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties > > > > 3) add rtest user with amqro role > > echo -e "\nrtest = rtest" >> ./broker/etc/artemis-users.properties > > echo -e "\namqro = rtest" >> ./broker/etc/artemis-roles.properties > > > > 4) add the monitor role to HAWTIO_ROLE in artemis.profile > > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,amqro,monitor'/" > > ./broker/etc/artemis.profile > > > > 5) add the access for the isActive method in management.xml > > sed -i > > 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\ > > method="isActive"\ roles="amq,monitor"\/>/' ./broker/etc/management.xml > > > > 6) add the access for amqro in management.xml > > sed -i 's/amq/amq,amqro/' ./broker/etc/management.xm > > > > 5) run the broker > > ./broker/bin/artemis run > > > > 6) read the Active attribute with test user (monitor role) > > curl -H "Origin:http://localhost:8161"; -u test:test > > > > > http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\ > > "0.0.0.0\"/Active > > > > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200} > > > > 7) read the AddressMemoryUsage attribute with test user (monitor role) > > curl -H "Origin:http://localhost:8161"; -u test:test > > > > > http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\ > > "0.0.0.0\"/AddressMemoryUsage > > > > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"error_type":"java.lang.Exception","error":"java.lang.Exception > > : User not authorized to access attribute: > > AddressMemoryUsage","status":403} > > > > 7) read the AddressMemoryUsage attribute with rtest user (amqro role) > > curl -H "Origin:http://localhost:8161"; -u rtest:rtest > > > > > http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\ > > "0.0.0.0\"/AddressMemoryUsage > > > > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638481397,"status":200} > > > > Could you add the steps to reproduce your issue? > > > > Regards, > > Domenico > > > > On Thu, 2 Dec 2021 at 13:43, David Martin <dav...@qoritek.com> wrote: > > > > > Hi Domenico, > > > > > > Following up on this I decided to try adding a readonly console user > with > > > the role "amqro" and that is when I discovered that the users in > > > HAWTIO_ROLE have unencumbered access to both the console and the > Jolokia > > > REST API. > > > > > > 1/ Even the user with the monitor role can log in to the console and do > > > things like delete queues and connections. > > > > > > 2/ User with monitor role able to invoke other methods than /Active > e.g. > > > /AddressMemoryUsage (verified username/password with base64 -d) - > > > > > > $ curl -H 'Origin: $(hostname -i)' -H 'Authorization: Basic xxxxx' ' > > > > > > > > > http://localhost:31161/console/jolokia/read/org.apache.activemq.artemis:broker=!%22artemis-0!%22/AddressMemoryUsage > > > ' > > > > > > > > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"artemis-0\"","attribute":"AddressMemoryUsage","type":"read"},"value":0,"timestamp":1638448344,"status":200} > > > > > > 3/ management.xml - > > > > > > <management-context xmlns="http://activemq.org/schema";> > > > <!--<connector connector-port="1099"/>--> > > > <authorisation> > > > <whitelist> > > > <entry domain="hawtio"/> > > > </whitelist> > > > <default-access> > > > <access method="list*" roles="amq,amqro"/> > > > <access method="get*" roles="amq,amqro"/> > > > <access method="is*" roles="amq,amqro"/> > > > <access method="set*" roles="amq"/> > > > <access method="*" roles="amq"/> > > > </default-access> > > > <role-access> > > > <match domain="org.apache.activemq.artemis"> > > > <access method="isActive" roles="amq,amqro,monitor"/> > > > <access method="list*" roles="amq,amqro"/> > > > <access method="get*" roles="amq,amqro"/> > > > <access method="is*" roles="amq,amqro"/> > > > <access method="set*" roles="amq"/> > > > <access method="*" roles="amq"/> > > > </match> > > > <!--example of how to configure a specific object--> > > > <!--<match domain="org.apache.activemq.artemis" > > > key="subcomponent=queues"> > > > <access method="list*" roles="view,update,amq"/> > > > <access method="get*" roles="view,update,amq"/> > > > <access method="is*" roles="view,update,amq"/> > > > <access method="set*" roles="update,amq"/> > > > <access method="*" roles="amq"/> > > > </match>--> > > > </role-access> > > > </authorisation> > > > </management-context> > > > > > > 4/ artemis-profile - > > > > > > # Hawtio Properties > > > HAWTIO_ROLE='amq,amqro,monitor' > > > > > > # Java Opts > > > if [ -z "$JAVA_ARGS" ]; then > > > JAVA_ARGS="$BROKER_CONFIGS > > > > > > > > > -javaagent:/opt/jmx-exporter/jmx_prometheus_javaagent.jar=9404:/opt/jmx-exporter/etc/jmx-exporter-config.yaml > > > -Dcom.sun.management.jmxremote=true > > > -Dcom.sun.management.jmxremote.port=1099 > > > -Dcom.sun.management.jmxremote.rmi.port=1098 > > > -Dcom.sun.management.jmxremote.ssl=false > > > -Dcom.sun.management.jmxremote.authenticate=false -Dipv4addr=$(hostname > > -f) > > > -Ddomain=artemis-headless.sis-247.svc.cluster.local > > > -Dcluster.password=2b186afe-4e99-4a33-a47f-042df1fadd1d > > > -Dcrmt.poll.cron=0_0/2_*_*_*_? -Dcrmt.jwt=mockDoesNotCheckIt > > > -Dpage.size=2097152 -Dpaging.threshold=10485760 > > > -Dmin.large.message.size=204800 -Dsecurity.invalidation.interval=600000 > > > -Dhawtio.authenticationEnabled=true -Djava.net.preferIPv4Addresses=true > > > -Djava.net.preferIPv4Stack=true -XX:+UnlockExperimentalVMOptions > > > -XX:+UseCGroupMemoryLimitForHeap -XX:MaxRAMFraction=2 > > > -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+UseStringDeduplication > > > -Dhawtio.disableProxy=true -Dhawtio.realm=activemq > -Dhawtio.offline=true > > > > > > > > > -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal > > > -Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml" > > > fi > > > > > > Do you or anyone in this group have any suggestions on how the monitor > > (and > > > amqro) roles can be actually restricted? I tried adding > > > -Dhawtio.authenticationEnabled=true but that had no effect. > > > > > > > > > Thanks for your help, > > > > > > > > > Dave > > > > > > > > > > > > On Thu, 18 Nov 2021 at 21:34, Domenico Francesco Bruscino < > > > bruscin...@gmail.com> wrote: > > > > > > > Hi Dave, > > > > > > > > you need to add the monitor role to HAWTIO_ROLE in artemis.profile > and > > > the > > > > access for the isActive method in management.xml. > > > > > > > > Execute the following steps to get a working example: > > > > > > > > 1) create a new broker instance: > > > > ./bin/artemis create broker --user admin --password admin > > --require-login > > > > > > > > 2) add test user with monitor role > > > > echo -e "\ntest = test" >> ./broker/etc/artemis-users.properties > > > > echo -e "\nmonitor = test" >> ./broker/etc/artemis-roles.properties > > > > > > > > 3) add the monitor role to HAWTIO_ROLE in artemis.profile > > > > sed -i "s/HAWTIO_ROLE='amq'/HAWTIO_ROLE='amq,monitor'/" > > > > ./broker/etc/artemis.profile > > > > > > > > 4) add the access for the isActive method in management.xml > > > > sed -i > > > > > 's/org.apache.activemq.artemis">/org.apache.activemq.artemis"><access\ > > > > method="isActive"\ roles="amq,monitor"\/>/' > ./broker/etc/management.xml > > > > > > > > 5) run the broker > > > > ./broker/bin/artemis run > > > > > > > > 6) read the Active attribute > > > > curl -H "Origin:http://localhost:8161"; -u test:test > > > > > > > > > > > > > > http://localhost:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\ > > > > "0.0.0.0\"/Active > > > > > > > > > > > > > > {"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1637271157,"status":200} > > > > > > > > Regards, > > > > Domenico > > > > > > > > On Thu, 18 Nov 2021 at 18:16, David Martin <dav...@qoritek.com> > wrote: > > > > > > > > > Hi all, > > > > > > > > > > I'm trying to configure role access via the Jolokia REST API for > the > > > > single > > > > > attribute "Active" on the "org.apache.activemq.artemis" domain. > > > > > > > > > > I have a user with a role "monitor" and want them to be able to > > access > > > > > nothing but the above attribute via e.g. > > > > > /console/jolokia/read/org.apache.activemq.artemis:broker=*/Active. > > The > > > > > manual regarding management.xml is clear about *method *access e.g. > > > > "get*" > > > > > but has no examples for *attribute *access. > > > > > > > > > > Having spent about an hour on it I'm really stuck. Any help would > be > > > > > appreciated. > > > > > > > > > > > > > > > Cheers, > > > > > > > > > > Dave > > > > > > > > > > > > > > >
