Hello,
>> Would you still advice to remove bootstrapUser configuration after the
environment is built, or generally it should not be an issue?
>
> There's no technical reason to remove the bootstrap credentials. If it makes
> more sense for your use-case for them to remain in the configuration then by
> all means leave them.
I have had time to experiment with this today.
I found that if I leave bootstrap credentials in the configuration these
credentials are adding new entry to the binding files after every restart of
the broker. When viewing user list via "artemis user list" the user count is
correct, it's just bindings content is duplicated again and again.
Is this a bug, or by design, and should I re-think this by removing boostrap
configuration if I don't want to waste space?
--
Vilius
-----Original Message-----
From: Justin Bertram <jbert...@apache.org>
Sent: Friday, March 25, 2022 5:14 PM
To: users@activemq.apache.org
Subject: Re: ActiveMQBasicSecurityManager configuration examples
> Would you still advice to remove bootstrapUser configuration after the
environment is built, or generally it should not be an issue?
There's no technical reason to remove the bootstrap credentials. If it makes
more sense for your use-case for them to remain in the configuration then by
all means leave them.
> Since we will be having thousands of users, how Artemis requirements
changes moving away from PropertiesLogin and putting everything into the
binding journal? For example, do we need much more RAM to run such instance?
Maybe something else? Some technical limit regarding user count or binding
journal size?
I wouldn't expect any substantial change in requirements. However, the only way
to know that is with careful testing. I would expect the basic security manager
to be a bit faster since it uses the journal which is optimized for speed, but
I wouldn't expect the difference to be significant.
Justin
On Thu, Mar 24, 2022 at 3:56 PM Vilius Šumskas <vilius.sums...@rivile.lt>
wrote:
> Thank you for very detailed answers! This helps a lot actually.
>
> Follow-up question regarding item 5. We have an internal policy to
> control our infrastructure via code and scripts so that testing and
> staging environments can be built and destroyed on-demand. Artemis is
> part of that infrastructure. Essentially this means that everything is
> done in two
> steps: a) infra configuration, b) pre-population of data needed for
> testing. Infrastructure should not be re-configured/restarted after step b).
> In addition, we have three types of Artemis users: 1) administrator
> accounts, mostly for Hawtio and cli management, 2) users used by
> internal SaaS app backend services, 3) users for our external clients.
>
> Given all of the above, I was thinking to pre-populate and mask
> passwords in .properties files for type 1 and 2 accounts, leave the
> bootstrapUser configuration present, and then automated tests will
> create type 3 accounts as needed.
>
> Would you still advice to remove bootstrapUser configuration after the
> environment is built, or generally it should not be an issue?
>
> And one last question regarding ActiveMQBasicSecurityManager as a whole.
> Since we will be having thousands of users, how Artemis requirements
> changes moving away from PropertiesLogin and putting everything into
> the binding journal? For example, do we need much more RAM to run such
> instance? Maybe something else? Some technical limit regarding user
> count or binding journal size?
>
> --
> Vilius
>
> -----Original Message-----
> From: Justin Bertram <jbert...@apache.org>
> Sent: Thursday, March 24, 2022 9:43 PM
> To: users@activemq.apache.org
> Subject: Re: ActiveMQBasicSecurityManager configuration examples
>
> > 1. Is it enough to configure <security-manager> in bootstrap.xml?
> > Do I
> need to remove <jaas-security domain="activemq"/> line? Do I also
> somehow change login.config? Currently it is configured to use default
> PropertiesLogin JAAS module.
>
> You should remove the jaas-security configuration. As far as the basic
> security manager is concerned you don't need to change login.config.
> The basic security manager doesn't use JAAS at all (as noted in the
> documentation [1]) so it isn't concerned with the contents of login.config.
>
> > 2. How do I separate Hawtio authentication from broker authentication?
> Does this mean I have to separate default “activemq” realm, use that
> different realm when starting Hawtio and then change login.config so
> it includes both realms using different authentication modules?
>
> Hawtio uses JAAS internally and it is configured via system properties
> in etc/artemis.profile. It will continue to use JAAS while the broker
> uses the basic security manager.
>
> > 4. Can I use the same .properties file for both, populate
> ActiveMQBasicSecurityManager bootstrap user credentials, and Hawtio
> authentication?
>
> I suppose you could do that.
>
> > 5. How bootstrapUser and bootstrapPassword works in cluster
> > environment
> if binding journal already contains the same user? Let’s say I restart
> primary and backup becomes live, but earlier I have changed the
> password via management API using other means? Should I set
> bootstrapUser configuration in all cluster nodes or just in primary?
>
> As noted in the documentation [1], "Any bootstrap credentials will be
> set whenever you start the broker no matter what changes may have been
> made to them at runtime previously." The idea is to boot the broker
> instance for the first time with a bootstrap user that can be used to
> add all the necessary users and roles to the journal and then you
> remove the boostrap user from bootstrap.xml thereafter.
>
> > 6. From our code perspective, can we still use
> JMSManagementHelper.putOperationInvocation() with "addUser" operation
> to add/delete users dynamically, or do we need to use different API?
>
> No. You'll use the same management operations. However, those
> operations will modify the accounts in the journal rather than the properties
> files.
>
> > 7. Is there a tool to at least list all the users in the journal,
> > or
> this is only possible calling some kind of API?
>
> You can use the management API to list the users (including the CLI
> "user list" command). You can also print the raw contents of the
> journal using the CLI "data print" command. User account info will be
> listed as part of the bindings.
>
> > 8. From the security perspective, are users’ passwords in binding
> journal properly hashed and cannot be retrieved if someone pokes at
> the data?
>
> If you tell the API to hash the passwords then they will be hashed.
>
> Hope that helps!
>
>
> Justin
>
> [1]
>
> https://activemq.apache.org/components/artemis/documentation/latest/se
> curity.html#basic-security-manager
>
> On Thu, Mar 24, 2022 at 11:01 AM Vilius Šumskas
> <vilius.sums...@rivile.lt>
> wrote:
>
> > Hello list,
> >
> > since, according to documentation, PropertiesLogin JAAS module is
> > not recommended for production use, and .properties files are not
> > synched in a cluster environment, we are now searching for possible
> > authentication alternatives.
> >
> > At first I thought to build a Keycloak cluster, but reading through
> > documentation I found that there is such a thing as
> > ActiveMQBasicSecurityManager which should be enough (our case:
> > thousands of external MQ clients using different Artemis user each,
> > to separate their JMS queue data).
> >
> > Unfortunately documentation is a bit scarce on the examples how
> > exactly ActiveMQBasicSecurityManager is configured, and internet
> > search returns almost nothing, so I’m sorry in advance for a lot of
> questions.
> >
> > 1. Is it enough to configure <security-manager> in bootstrap.xml?
> > Do I need to remove <jaas-security domain="activemq"/> line? Do I
> > also somehow change login.config? Currently it is configured to use
> > default PropertiesLogin JAAS module.
> > 2. How do I separate Hawtio authentication from broker authentication?
> > Does this mean I have to separate default “activemq” realm, use that
> > different realm when starting Hawtio and then change login.config so
> > it includes both realms using different authentication modules?
> > 3. If the above answer is yes, is there an example somewhere how
> > ActiveMQBasicSecurityManager is configured in login.config and what
> > are the options?
> > 4. Can I use the same .properties file for both, populate
> > ActiveMQBasicSecurityManager bootstrap user credentials, and Hawtio
> > authentication?
> > 5. How bootstrapUser and bootstrapPassword works in cluster
> > environment if binding journal already contains the same user? Let’s
> > say I restart primary and backup becomes live, but earlier I have
> > changed the password via management API using other means? Should I
> > set bootstrapUser configuration in all cluster nodes or just in primary?
> > 6. From our code perspective, can we still use
> > JMSManagementHelper.putOperationInvocation() with "addUser"
> > operation to add/delete users dynamically, or do we need to use different
> > API?
> > 7. Is there a tool to at least list all the users in the journal,
> > or this is only possible calling some kind of API?
> > 8. From the security perspective, are users’ passwords in binding
> > journal properly hashed and cannot be retrieved if someone pokes at
> > the data?
> >
> > Thank you in advance for any pointers.
> >
> > --
> > Best Regards,
> >
> > Vilius Šumskas
> > Rivile
> > IT manager
> > +370 614 75713
> >
> >
>
