Hi Jo,
yes, the ArtemisCloud.io [1] operator will take care of the needed changes
in etc/login.config and in etc/artemis.profile but you need to define
hawtio roles too, i.e.
apiVersion: broker.amq.io/v1beta1
kind: ActiveMQArtemisSecurity
metadata:
name: ex-prop
spec:
loginModules:
propertiesLoginModules:
- name: 'activemq'
users:
- name: admin
roles:
- amq
- name: 'console'
users:
- name: bob
roles:
- amq-console
* hawtioRoles:*
* - console*
[1] https://artemiscloud.io/
[2]
https://github.com/artemiscloud/activemq-artemis-operator/blob/v1.0.2/config/crd/bases/broker.amq.io_activemqartemissecurities.yaml
Regards,
Domenico
On Fri, 13 May 2022 at 09:44, Jo De Troy <[email protected]> wrote:
> Domenico,
>
> my excuses for the stupid questions but would the operator also take care
> of the needed changes in etc/login.config and in etc/artemis.profile as
> mentioned in your first reply?
>
> Best Regards,
> Jo
>
> Op vr 13 mei 2022 om 09:20 schreef Domenico Francesco Bruscino <
> [email protected]>:
>
> > Hi Jo,
> >
> > the ArtemisCloud.io <https://artemiscloud.io/> [1] operator provides the
> > ActiveMQArtemisSecurity CRD [2] to define multiple login modules, i.e.
> >
> > apiVersion: broker.amq.io/v1beta1
> > kind: ActiveMQArtemisSecurity
> > metadata:
> > name: ex-prop
> > spec:
> > loginModules:
> > propertiesLoginModules:
> > - name: 'activemq'
> > users:
> > - name: admin
> > roles:
> > - amq
> > - name: 'console'
> > users:
> > - name: bob
> > roles:
> > - amq-console
> >
> >
> > [1] https://artemiscloud.io/
> > [2]
> >
> >
> https://github.com/artemiscloud/activemq-artemis-operator/blob/v1.0.2/config/crd/bases/broker.amq.io_activemqartemissecurities.yaml
> >
> > Regards,
> > Domenico
> >
> >
> > On Thu, 12 May 2022 at 17:09, Jo De Troy <[email protected]> wrote:
> >
> > > Thanks for the explanation Justin
> > > I wonder if the artemis cloud operator allows me to do that
> > >
> > > Best Regards,
> > > Jo
> > >
> > > Op do 12 mei 2022 om 16:40 schreef Justin Bertram <[email protected]
> >:
> > >
> > > > Yes, it is possible to configure multiple PropertiesLoginModules to
> > > > separate console users from broker users. You'd need to create
> multiple
> > > > entries in your etc/login.config, e.g.:
> > > >
> > > > activemq {
> > > >
> > > >
> > org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule
> > > > required
> > > > debug=false
> > > > reload=true
> > > >
> > > > org.apache.activemq.jaas.properties.user="artemis-users.properties"
> > > >
> > > > org.apache.activemq.jaas.properties.role="artemis-roles.properties";
> > > > };
> > > >
> > > > console {
> > > >
> > > >
> > org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule
> > > > required
> > > > debug=false
> > > > reload=true
> > > >
> > > > org.apache.activemq.jaas.properties.user="console-users.properties"
> > > >
> > > > org.apache.activemq.jaas.properties.role="console-roles.properties";
> > > > };
> > > >
> > > > Then in your etc/artemis.profile you'd need to change the value of
> the
> > > > "hawtio.realm" system property to use the new entry, e.g.:
> > > >
> > > > -Dhawtio.realm=console
> > > >
> > > > Keep in mind that all the user management commands will only work on
> > the
> > > > broker-specific entry. You'll have to manage console users manually.
> > > >
> > > >
> > > > Justin
> > > >
> > > > On Thu, May 12, 2022 at 6:03 AM Jo De Troy <[email protected]>
> > wrote:
> > > >
> > > > > Hello,
> > > > >
> > > > > is it possible to create multiple propertiesLoginModules, e.g. 1
> for
> > > > broker
> > > > > access and 1 for console access? Or how should/can you separate
> users
> > > > > between broker and console?
> > > > > I've tried it but it seems like I only see 1 of the
> > > > propertiesLoginModules
> > > > > user/roles back in the artemis-{users/roles}.properties
> > > > >
> > > > > Best Regards,
> > > > > Jo
> > > > >
> > > >
> > >
> >
>
