Thanks all. This sounds like a viable solution to our problem. Just to be sure: If I want to set permissions per user I also have to create a dedicated role per user because permissions can only be granted to roles?
Thanks, Thorsten Am Donnerstag, dem 28.04.2022 um 09:00 -0500 schrieb Justin Bertram: > > But can users be created (and deleted) on-demand? > > I'm not exactly sure what you mean by "on-demand," but users can be > created > administratively on a running broker via management. This can be done > via > the "artemis user" command, the web console, Jolokia, etc. You'll > need to > use the PropertiesLoginModule [1] with the JAAS security manager [2] > (i.e. > the default configuration) or the "Basic" security manager [3]. > > You could also likely accomplish this via LDAP [4]. > > > And is there a practical limit? > > There is no arbitrarily imposed limit so any limit will be based on > the > resources available to the broker. My recommendation would be to test > and > see. > > > An alternative solution would be to use some kind of proxy between > > the > broker and the consumer which allows access to certain queues only. > Does > something like this exist? > > I'm not aware of anything like this, and I would be surprised if it > existed > as it would add needless complexity on top of something that could > already > be accomplished via the broker directly or via LDAP. > > > Justin > > [1] > https://activemq.apache.org/components/artemis/documentation/latest/security.html#propertiesloginmodule > [2] > https://activemq.apache.org/components/artemis/documentation/latest/security.html#jaas-security-manager > [3] > https://activemq.apache.org/components/artemis/documentation/latest/security.html#basic-security-manager > [4] > https://activemq.apache.org/components/artemis/documentation/latest/security.html#ldaploginmodule > > On Thu, Apr 28, 2022 at 7:59 AM Thorsten Meinl > <thorsten.me...@knime.com> > wrote: > > > We have a more complicated scenario where we use Artemis and are > > currently struggling with some security-related problems. Let me > > try to > > sketch our setup: > > > > - Several producers put work items into queues in Artemis. Every > > producer uses a dedicated queue, e.g. "jobs.123" where 123 is the > > unique producer name. > > - We create consumers on-demand for every producer, i.e. for > > producer > > "123" there is a consumer "123" that is consuming from queu > > "jobs.123". > > - The consumers are started in containers and get the access > > credentials for Artemis passed as environment variables. All > > consumers > > share the same credentials and therefore have access to all queues. > > - Now comes the crucial part: the consumers essentially allow for > > arbitrary code execution. This is not an issue per se because they > > are > > restricted to the container. But a carefully crafted work item > > allows > > you to read the container's environment variables, create a > > consumer > > and read *any* message including work items which are not supposed > > to > > be read by the current consumer. E.g. the rogue consumer "123" can > > then > > read messages addressed to consumer "456". This compromises > > confidentiality. > > > > Now we are looking for solutions to this problem. We have to ensure > > that consumer XYZ can only read messages addressed to it (i.e. > > "jobs.XYZ") and nothing else. I guess this would be possible by > > creating dedicated Artemis users for each consumer and setting > > permissions accordingly. But can users be created (and deleted) on- > > demand? And is there a practical limit? We would need hundreds if > > not > > thousands of Artemis users. > > > > An alternative solution would be to use some kind of proxy between > > the > > broker and the consumer which allows access to certain queues only. > > Does something like this exist? > > > > Are there any other solutions that may think of? > > > > I know it's a very generic question but maybe some of you have > > ideas > > that they can share. > > > > Thanks, > > > > Thorsten > > > > -- > > Dr.-Ing. Thorsten Meinl > > KNIME AG > > Hardturmstrasse 66 > > 8005 Zurich, Switzerland > > > > -- Dr.-Ing. Thorsten Meinl KNIME AG Hardturmstrasse 66 8005 Zurich, Switzerland
signature.asc
Description: This is a digitally signed message part
