[ https://issues.apache.org/jira/browse/ARTEMIS-1386?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michal Toth updated ARTEMIS-1386:
---------------------------------
Description:
Enable all AMQP authentication & authorization to be performed by GSSAPI
(kerberos), so user can send and receive messages w/o problems using kerberos
credentials.
Define broker amqp acceptor to accept only GSSAPI auth mechanism.
{noformat}
<acceptor name="amqp">tcp://0.0.0.0:5672?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=AMQP;useEpoll=true;amqpCredits=1000;amqpMinCredits=300;saslMechanisms=GSSAPI;saslLoginConfigScope=mykerberos</acceptor>
{noformat}
User authentication over the PLAIN SASL mechanism should not be allowed, only
Kerberized ones. This is not actually working.
I am able to send/receive a message using PLAIN over AMQP, with saslMechanisms
defined as above.
login.config
{noformat}
activemq {
    org.apache.activemq.artemis.spi.core.security.jaas.Krb5LoginModule optional
        debug=true;
    org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient
        debug=true
        reload=true
        org.apache.activemq.jaas.properties.user="artemis-users.properties"
        org.apache.activemq.jaas.properties.role="artemis-roles.properties";
};
mykerberos {
    com.sun.security.auth.module.Krb5LoginModule required
        isInitiator=false
        storeKey=true
        useKeyTab=true
        keyTab="/opt/amqp-service.keytab"
        principal="amqp/[email protected]"
        debug=true;
};
{noformat}
was:
Enable all AMQP authentication & authorization to be performed by GSSAPI
(kerberos), so user can send and receive messages w/o problems using kerberos
credentials.
Define broker amqp acceptor to accept only GSSAPI auth mechanism.
{noformat}
<acceptor name="amqp">tcp://0.0.0.0:5672?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=AMQP;useEpoll=true;amqpCredits=1000;amqpMinCredits=300;saslMechanisms=GSSAPI;saslLoginConfigScope=mykerberos</acceptor>
{noformat}
User authentication over the PLAIN SASL mechanism should not be allowed, only
Kerberized ones. This is not actually working.
I am able to send/receive a message using PLAIN over AMQP, with saslMechanisms
defined as above.
> With enabled kerberos auth, acceptor allows PLAIN auth sasl users in, even
> when GSSAPI is the only defined sasl mechanism on transport
> --------------------------------------------------------------------------------------------------------------------------------------
>
> Key: ARTEMIS-1386
> URL: https://issues.apache.org/jira/browse/ARTEMIS-1386
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Components: AMQP, Broker
> Affects Versions: 2.4.0
> Environment: Artemis built from sources
> last git commit 098d69b63c81d9b2aa2c58c30d921d30472e57f8 (Sept 1)
> Reporter: Michal Toth
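A check for the mechanism restriction described in this report, as an added example that is not part of the original message or of Artemis: it decodes the AMQP 1.0 sasl-mechanisms frame a broker sends and lists anything advertised beyond GSSAPI. The function names and the two sample frames are constructed for illustration, and the check covers only what is advertised; the report does not say whether PLAIN was advertised or merely accepted.

```python
import struct

def _symbols(buf, pos):
    """Decode sasl-server-mechanisms: a single symbol or an array of symbols."""
    code = buf[pos]
    if code in (0xA3, 0xB3):                        # sym8 / sym32
        w = 1 if code == 0xA3 else 4
        n = int.from_bytes(buf[pos + 1:pos + 1 + w], "big")
        return [buf[pos + 1 + w:pos + 1 + w + n].decode("ascii")]
    if code not in (0xE0, 0xF0):                    # array8 / array32
        raise ValueError(f"unexpected type code 0x{code:02x}")
    w = 1 if code == 0xE0 else 4                    # width of size and count
    count = int.from_bytes(buf[pos + 1 + w:pos + 1 + 2 * w], "big")
    ew = {0xA3: 1, 0xB3: 4}[buf[pos + 1 + 2 * w]]   # element constructor
    pos += 2 + 2 * w
    names = []
    for _ in range(count):
        n = int.from_bytes(buf[pos:pos + ew], "big")
        names.append(buf[pos + ew:pos + ew + n].decode("ascii"))
        pos += ew + n
    return names

def advertised_mechanisms(frame):
    """Return the mechanism names in one AMQP 1.0 sasl-mechanisms frame."""
    _size, doff, ftype = struct.unpack_from(">IBB", frame, 0)
    pos = doff * 4                                  # body starts at doff words
    if ftype != 0x01 or frame[pos] != 0x00:
        raise ValueError("not a SASL frame carrying a described type")
    if frame[pos + 1] == 0x53:                      # smallulong descriptor
        desc, pos = frame[pos + 2], pos + 3
    elif frame[pos + 1] == 0x80:                    # ulong descriptor
        desc, pos = int.from_bytes(frame[pos + 2:pos + 10], "big"), pos + 10
    else:
        raise ValueError("unexpected descriptor encoding")
    if desc != 0x40:
        raise ValueError("not a sasl-mechanisms performative")
    pos += {0xC0: 3, 0xD0: 9}[frame[pos]]           # skip list8 / list32 header
    return _symbols(frame, pos)

def unexpected_mechanisms(frame, allowed=("GSSAPI",)):
    """Mechanisms offered beyond those the acceptor's saslMechanisms lists."""
    return [m for m in advertised_mechanisms(frame) if m not in allowed]

def _frame(body):                                   # builds constructed samples
    return struct.pack(">IBBH", 8 + len(body), 2, 1, 0) + body

# Constructed sample frames, not captured from a broker.
ONLY_GSSAPI = _frame(b"\x00\x53\x40\xc0\x09\x01\xa3\x06GSSAPI")
WITH_PLAIN = _frame(b"\x00\x53\x40\xc0\x12\x01\xe0\x0f\x02\xa3\x06GSSAPI\x05PLAIN")
```

Against a live acceptor, send the SASL protocol header `AMQP\x03\x01\x00\x00`, skip the 8-byte header echoed back, and pass the next frame to `unexpected_mechanisms`.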