Hi,

we have very similar requirements. You can search this mailing list for my 
recent questions and answers from others for details.

Basically we have chosen ActiveMQBasicSecurityManager as a backend, and we are 
creating users, their permissions and queues on-demand, using 
activemq.management address.

-- 
    Vilius

-----Original Message-----
From: Thorsten Meinl <thorsten.me...@knime.com> 
Sent: Thursday, April 28, 2022 3:59 PM
To: users@activemq.apache.org
Subject: Questions around security and permissions

We have a more complicated scenario where we use Artemis and are currently 
struggling with some security-related problems. Let me try to sketch our setup:

- Several producers put work items into queues in Artemis. Every producer uses 
a dedicated queue, e.g. "jobs.123" where 123 is the unique producer name.
- We create consumers on-demand for every producer, i.e. for producer "123" 
there is a consumer "123" that is consuming from queue "jobs.123".
- The consumers are started in containers and get the access credentials for 
Artemis passed as environment variables. All consumers share the same 
credentials and therefore have access to all queues.
- Now comes the crucial part: the consumers essentially allow for arbitrary 
code execution. This is not an issue per se because they are restricted to the 
container. But a carefully crafted work item allows you to read the container's 
environment variables, create a consumer and read *any* message including work 
items which are not supposed to be read by the current consumer. E.g. the rogue 
consumer "123" can then read messages addressed to consumer "456". This 
compromises confidentiality.

Now we are looking for solutions to this problem. We have to ensure that 
consumer XYZ can only read messages addressed to it (i.e.
"jobs.XYZ") and nothing else. I guess this would be possible by creating 
dedicated Artemis users for each consumer and setting permissions accordingly. 
But can users be created (and deleted) on-demand? And is there a practical 
limit? We would need hundreds if not thousands of Artemis users.

An alternative solution would be to use some kind of proxy between the broker 
and the consumer which allows access to certain queues only.
Does something like this exist?

Are there any other solutions that you may think of?

I know it's a very generic question but maybe some of you have ideas that they 
can share.

Thanks,

Thorsten

--
Dr.-Ing. Thorsten Meinl
KNIME AG
Hardturmstrasse 66
8005 Zurich, Switzerland
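
The approach described in the reply at the top of this thread (one broker user per consumer, created on demand over the activemq.management address) could look like the following. This is an added example, not code from either poster; the class name, the "consumer-<id>" naming scheme, the producerRole parameter and the admin credentials are assumptions, and the operation names are those of the broker's ActiveMQServerControl management interface.

```java
import javax.jms.*;
import org.apache.activemq.artemis.api.core.management.ResourceNames;
import org.apache.activemq.artemis.api.jms.ActiveMQJMSClient;
import org.apache.activemq.artemis.api.jms.management.JMSManagementHelper;
import org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory;

public class PerConsumerProvisioner implements AutoCloseable {
    private final QueueConnection connection;
    private final QueueSession session;
    private final QueueRequestor requestor;

    // brokerUrl and the admin credentials are assumptions; the admin user needs
    // the "manage" permission on the activemq.management address.
    public PerConsumerProvisioner(String brokerUrl, String adminUser, String adminPass) throws Exception {
        connection = new ActiveMQConnectionFactory(brokerUrl).createQueueConnection(adminUser, adminPass);
        session = connection.createQueueSession(false, Session.AUTO_ACKNOWLEDGE);
        requestor = new QueueRequestor(session, ActiveMQJMSClient.createQueue("activemq.management"));
        connection.start();
    }

    // Sends one management operation to the broker resource and fails loudly on error.
    private void invoke(String operation, Object... args) throws Exception {
        Message request = session.createMessage();
        JMSManagementHelper.putOperationInvocation(request, ResourceNames.BROKER, operation, args);
        Message reply = requestor.request(request);
        if (!JMSManagementHelper.hasOperationSucceeded(reply)) {
            throw new IllegalStateException(operation + " failed: " + JMSManagementHelper.getResult(reply));
        }
    }

    // Creates user "consumer-<id>" whose only role may consume from jobs.<id>.
    public void provision(String id, String password, String producerRole) throws Exception {
        String role = "consumer-" + id;                 // hypothetical naming scheme
        invoke("addUser", role, password, role, false); // false = store the password hashed
        // Role order: send, consume, createDurableQueue, deleteDurableQueue,
        // createNonDurableQueue, deleteNonDurableQueue, manage
        invoke("addSecuritySettings", "jobs." + id, producerRole, role, "", "", "", "", "");
    }

    // Removes the address permissions and the user when the container is torn down.
    public void deprovision(String id) throws Exception {
        invoke("removeSecuritySettings", "jobs." + id);
        invoke("removeUser", "consumer-" + id);
    }

    @Override
    public void close() throws Exception {
        connection.close();
    }
}
```

Each container then receives only its own "consumer-<id>" credentials in its environment, so a work item that reads those variables gains nothing beyond jobs.<id>. The create and delete role lists are left empty here, which means the queue itself has to be created by the provisioning side rather than by the consumer.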
