inline

On Wed, 3 Apr 2024 at 15:43, MILOVIDOV Aleksandr
<aleksandr.milovi...@raiffeisen.ru.invalid> wrote:

> Hi Team,
>
> I'm trying to enable and test a new feature that was developed in
> ARTEMIS-4582 - add view and edit permissions to extend security-settings
> rbac for management operations.
>
great :-)


>
> I tried to configure JMX authorization in broker.xml as described in the
> chapter
> https://activemq.apache.org/components/artemis/documentation/latest/management.html#jmx-authorization-in-broker-xml
> First I have added an option
> -Djavax.management.builder.initial=org.apache.activemq.artemis.core.server.management.ArtemisRbacMBeanServerBuilder
> to java system properties and found that it cannot be used with
> -Dcom.sun.management.jmxremote=true (it was enabled for JMX Exporter).
>
> Broker cannot start with an exception:
> javax.management.JMRuntimeException: Failed to load MBeanServerBuilder
> class
> org.apache.activemq.artemis.core.server.management.ArtemisRbacMBeanServerBuilder:
> java.lang.ClassNotFoundException:
> org.apache.amq.artemis.core.server.management.ArtemisRbacMBeanServerBuilder
>
> Question 1. Is it possible to use both ArtemisRbacMBeanServerBuilder and
> com.sun.management.jmxremote=true option?
>

Not at the moment; there are two issues. The first is access to the class:

It would require a change to the isolation classloader that the broker uses
to confine jars to the lib and lib/ext directories. Currently the class path only
has a tiny boot jar, with none of the Artemis internals present.
See https://issues.apache.org/jira/browse/ARTEMIS-4257 for another use
case.
AFAIK a workaround is to include lib/*.jar in the classpath, but I have not
verified.

The second is authentication: in some way the connection to the JMX
remoting endpoint needs to authenticate to Artemis via JAAS. The remoting
connectors that are configured in management.xml will do this.


>
> Currently I use both JMX Exporter and the broker metrics plugin because the latter
> does not export common broker metrics (for example, ReplicationSync, which is
> used to monitor replication status), and I did not find how to add it in
> the broker metrics plugin.
> At least I have an option to change JMX exporter running as javaagent to
> "standalone" JMX exporter which runs as a separate process and connects to
> JMX port using TCP.
>
How is that authenticated? The ArtemisRbacMBeanServerBuilder installs a
guard that expects to find an authenticated subject. I think you will need
to use a remoting connection defined in management.xml.


>
> After I have successfully started Artemis with this option, I added
> setting to broker.xml:
> <management-message-rbac>true</management-message-rbac>
>
This setting enables RBAC on messages sent to the management address, a
good idea, but not relevant to MBean access.

> I have added a new user "user" with role "user" to the PropertiesLoginModule
> files, and allowed it to log in to the management console.
> The user can log in to the management console and has no permissions (all
> operations are restricted with a lock sign).
> Then I added section to security-settings in broker.xml (as described in
> the documentation):
>
> <security-setting match="mops.#">
>    <permission type="view" roles="amq,user"/>
>    <permission type="edit" roles="amq,user"/>
> </security-setting>
>
> And nothing happens. I tried logging in again and restarting Artemis.
>
> Question 2. Is there something else that should be configured to add
> permissions for the user in the management console using the security-settings
> section?
>
That looks correct, same as:
https://github.com/apache/activemq-artemis/blob/main/tests/smoke-tests/src/main/resources/servers/jmx-rbac-broker-security/broker.xml#L76


I think the problem is the lack of authentication on the JMX remoting
endpoint that accesses the MBean server.

See the smoke test config for an example that works:
https://github.com/apache/activemq-artemis/blob/main/tests/smoke-tests/src/main/resources/servers/jmx-rbac-broker-security/management.xml#L19

Hope this helps,
gary.


>
> --
> Best regards,
> Aleksandr
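Gary's point, that the guard installed by ArtemisRbacMBeanServerBuilder only works when the JMX connection carries an authenticated subject, can be checked from the client side. The following is an added example, not code from this thread or from the Artemis project: a small Java JMX client that connects through the connector configured in management.xml with broker credentials, then tries one read-only attribute (which needs "view") and one state-changing operation (which needs "edit") and reports which of the two the guard allowed. The service URL and port 1099, the user "user", the choice of the Version attribute and the resetAllMessageCounters operation, and the expectation that a denied call surfaces as a SecurityException are all assumptions of the example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Probes an Artemis broker's JMX RBAC through the management.xml connector.
 * Assumptions (not from the thread): connector on localhost:1099, the user
 * exists in the broker's properties files, denials arrive as SecurityException.
 */
public class ArtemisJmxRbacProbe {

    /** Outcome of one probe, kept as data rather than only printed. */
    public static final class Result {
        public final boolean viewAllowed;
        public final boolean editAllowed;
        public final String detail;

        Result(boolean viewAllowed, boolean editAllowed, String detail) {
            this.viewAllowed = viewAllowed;
            this.editAllowed = editAllowed;
            this.detail = detail;
        }
    }

    public static Result probe(String serviceUrl, String user, String password) throws Exception {
        Map<String, Object> env = new HashMap<>();
        // The credentials travel with the connection; the Artemis connector hands them
        // to JAAS, which is what gives the RBAC guard an authenticated Subject. A plain
        // -Dcom.sun.management.jmxremote endpoint never performs that step.
        env.put(JMXConnector.CREDENTIALS, new String[] {user, password});

        try (JMXConnector connector = JMXConnectorFactory.connect(new JMXServiceURL(serviceUrl), env)) {
            MBeanServerConnection conn = connector.getMBeanServerConnection();
            ObjectName broker = findBrokerControl(conn);
            StringBuilder detail = new StringBuilder();

            // Read-only attribute: requires the "view" permission on the matching mops.* setting.
            boolean viewAllowed;
            try {
                Object version = conn.getAttribute(broker, "Version");
                viewAllowed = true;
                detail.append("view ok (version ").append(version).append("); ");
            } catch (Exception e) {
                if (!isDenied(e)) throw e;
                viewAllowed = false;
                detail.append("view denied: ").append(e.getMessage()).append("; ");
            }

            // State-changing operation: requires the "edit" permission (assumed op name).
            boolean editAllowed;
            try {
                conn.invoke(broker, "resetAllMessageCounters", new Object[0], new String[0]);
                editAllowed = true;
                detail.append("edit ok");
            } catch (Exception e) {
                if (!isDenied(e)) throw e;
                editAllowed = false;
                detail.append("edit denied: ").append(e.getMessage());
            }
            return new Result(viewAllowed, editAllowed, detail.toString());
        }
    }

    /** Locate the broker control MBean without hard-coding the quoted broker name. */
    static ObjectName findBrokerControl(MBeanServerConnection conn) throws Exception {
        Set<ObjectName> names = conn.queryNames(new ObjectName("org.apache.activemq.artemis:*"), null);
        for (ObjectName name : names) {
            Map<String, String> keys = name.getKeyPropertyList();
            // The broker control is the MBean in the domain whose only key is "broker".
            if (keys.size() == 1 && keys.containsKey("broker")) {
                return name;
            }
        }
        throw new IllegalStateException("no broker control MBean visible to this user");
    }

    /** True if the failure, or any of its causes, is the guard's SecurityException. */
    static boolean isDenied(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof SecurityException) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : "service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi";
        String user = args.length > 1 ? args[1] : "user";
        String password = args.length > 2 ? args[2] : "user";
        Result r = probe(url, user, password);
        System.out.println(user + ": view=" + r.viewAllowed + " edit=" + r.editAllowed + " (" + r.detail + ")");
    }
}
```

Run it once as a user whose role appears only in a view permission and once as a user whose role appears in both; with the thread's mops.# setting granting view and edit to amq and user, both probes should succeed for "user", while pointing the same client at a bare -Dcom.sun.management.jmxremote port gives the guard no JAAS subject to evaluate.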
