> But can users be created (and deleted) on-demand? I'm not exactly sure what you mean by "on-demand," but users can be created administratively on a running broker via management. This can be done via the "artemis user" command, the web console, Jolokia, etc. You'll need to use the PropertiesLoginModule [1] with the JAAS security manager [2] (i.e. the default configuration) or the "Basic" security manager [3].
You could also likely accomplish this via LDAP [4]. > And is there a practical limit? There is no arbitrarily imposed limit so any limit will be based on the resources available to the broker. My recommendation would be to test and see. > An alternative solution would be to use some kind of proxy between the broker and the consumer which allows access to certain queues only. Does something like this exist? I'm not aware of anything like this, and I would be surprised if it existed as it would add needless complexity on top of something that could already be accomplished via the broker directly or via LDAP. Justin [1] https://activemq.apache.org/components/artemis/documentation/latest/security.html#propertiesloginmodule [2] https://activemq.apache.org/components/artemis/documentation/latest/security.html#jaas-security-manager [3] https://activemq.apache.org/components/artemis/documentation/latest/security.html#basic-security-manager [4] https://activemq.apache.org/components/artemis/documentation/latest/security.html#ldaploginmodule On Thu, Apr 28, 2022 at 7:59 AM Thorsten Meinl <thorsten.me...@knime.com> wrote: > We have a more complicated scenario where we use Artemis and are > currently struggling with some security-related problems. Let me try to > sketch our setup: > > - Several producers put work items into queues in Artemis. Every > producer uses a dedicated queue, e.g. "jobs.123" where 123 is the > unique producer name. > - We create consumers on-demand for every producer, i.e. for producer > "123" there is a consumer "123" that is consuming from queu "jobs.123". > - The consumers are started in containers and get the access > credentials for Artemis passed as environment variables. All consumers > share the same credentials and therefore have access to all queues. > - Now comes the crucial part: the consumers essentially allow for > arbitrary code execution. This is not an issue per se because they are > restricted to the container. But a carefully crafted work item allows > you to read the container's environment variables, create a consumer > and read *any* message including work items which are not supposed to > be read by the current consumer. E.g. the rogue consumer "123" can then > read messages addressed to consumer "456". This compromises > confidentiality. > > Now we are looking for solutions to this problem. We have to ensure > that consumer XYZ can only read messages addressed to it (i.e. > "jobs.XYZ") and nothing else. I guess this would be possible by > creating dedicated Artemis users for each consumer and setting > permissions accordingly. But can users be created (and deleted) on- > demand? And is there a practical limit? We would need hundreds if not > thousands of Artemis users. > > An alternative solution would be to use some kind of proxy between the > broker and the consumer which allows access to certain queues only. > Does something like this exist? > > Are there any other solutions that may think of? > > I know it's a very generic question but maybe some of you have ideas > that they can share. > > Thanks, > > Thorsten > > -- > Dr.-Ing. Thorsten Meinl > KNIME AG > Hardturmstrasse 66 > 8005 Zurich, Switzerland > >
