Re: multiple propertiesLoginModules - different users/rights for console and brokers

Fri, 13 May 2022 00:20:53 -0700 

Hi Jo,

the ArtemisCloud.io <https://artemiscloud.io/> [1] operator provides the
ActiveMQArtemisSecurity CRD [2] to define multiple login modules, i.e.

apiVersion: broker.amq.io/v1beta1
kind: ActiveMQArtemisSecurity
metadata:
  name: ex-prop
spec:
  loginModules:
    propertiesLoginModules:
    - name: 'activemq'
      users:
      - name: admin
        roles:
        - amq
    - name: 'console'
      users:
      - name: bob
        roles:
        - amq-console


[1] https://artemiscloud.io/
[2]
https://github.com/artemiscloud/activemq-artemis-operator/blob/v1.0.2/config/crd/bases/broker.amq.io_activemqartemissecurities.yaml

Regards,
Domenico


On Thu, 12 May 2022 at 17:09, Jo De Troy <[email protected]> wrote:

> Thanks for the explanation Justin
> I wonder if the artemis cloud operator allows me to do that
>
> Best Regards,
> Jo
>
> Op do 12 mei 2022 om 16:40 schreef Justin Bertram <[email protected]>:
>
> > Yes, it is possible to configure multiple PropertiesLoginModules to
> > separate console users from broker users. You'd need to create multiple
> > entries in your etc/login.config, e.g.:
> >
> >   activemq {
> >
> > org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule
> > required
> >          debug=false
> >          reload=true
> >
> >  org.apache.activemq.jaas.properties.user="artemis-users.properties"
> >
> > org.apache.activemq.jaas.properties.role="artemis-roles.properties";
> >   };
> >
> >   console {
> >
> > org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule
> > required
> >          debug=false
> >          reload=true
> >
> >  org.apache.activemq.jaas.properties.user="console-users.properties"
> >
> > org.apache.activemq.jaas.properties.role="console-roles.properties";
> >   };
> >
> > Then in your etc/artemis.profile you'd need to change the value of the
> > "hawtio.realm" system property to use the new entry, e.g.:
> >
> >   -Dhawtio.realm=console
> >
> > Keep in mind that all the user management commands will only work on the
> > broker-specific entry. You'll have to manage console users manually.
> >
> >
> > Justin
> >
> > On Thu, May 12, 2022 at 6:03 AM Jo De Troy <[email protected]> wrote:
> >
> > > Hello,
> > >
> > > is it possible to create multiple propertiesLoginModules, e.g. 1 for
> > broker
> > > access and 1 for console access? Or how should/can you separate users
> > > between broker and console?
> > > I've tried it but it seems like I only see 1 of the
> > propertiesLoginModules
> > > user/roles back in the artemis-{users/roles}.properties
> > >
> > > Best Regards,
> > > Jo
> > >
> >
>

Reply via email to