We have a more complicated scenario where we use Artemis and are currently struggling with some security-related problems. Let me try to sketch our setup:
- Several producers put work items into queues in Artemis. Every producer uses a dedicated queue, e.g. "jobs.123" where 123 is the unique producer name. - We create consumers on-demand for every producer, i.e. for producer "123" there is a consumer "123" that is consuming from queu "jobs.123". - The consumers are started in containers and get the access credentials for Artemis passed as environment variables. All consumers share the same credentials and therefore have access to all queues. - Now comes the crucial part: the consumers essentially allow for arbitrary code execution. This is not an issue per se because they are restricted to the container. But a carefully crafted work item allows you to read the container's environment variables, create a consumer and read *any* message including work items which are not supposed to be read by the current consumer. E.g. the rogue consumer "123" can then read messages addressed to consumer "456". This compromises confidentiality. Now we are looking for solutions to this problem. We have to ensure that consumer XYZ can only read messages addressed to it (i.e. "jobs.XYZ") and nothing else. I guess this would be possible by creating dedicated Artemis users for each consumer and setting permissions accordingly. But can users be created (and deleted) on- demand? And is there a practical limit? We would need hundreds if not thousands of Artemis users. An alternative solution would be to use some kind of proxy between the broker and the consumer which allows access to certain queues only. Does something like this exist? Are there any other solutions that may think of? I know it's a very generic question but maybe some of you have ideas that they can share. Thanks, Thorsten -- Dr.-Ing. Thorsten Meinl KNIME AG Hardturmstrasse 66 8005 Zurich, Switzerland
signature.asc
Description: This is a digitally signed message part
