[ https://issues.apache.org/jira/browse/ARTEMIS-1386?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gary Tully closed ARTEMIS-1386.
-------------------------------
    Resolution: Not A Problem

The saslMechanisms config can be applied to the 61616 acceptor or that acceptor 
can be removed altogether.
It is also reasonable to accept more than one sasl mechanism on an acceptor.

> With enabled kerberos auth, acceptor allows PLAIN auth sasl users in, even 
> when GSSAPI is the only defined sasl mechanism on transport
> --------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: ARTEMIS-1386
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-1386
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: AMQP, Broker
>    Affects Versions: 2.4.0
>         Environment: Artemis built from sources
> last git commit 098d69b63c81d9b2aa2c58c30d921d30472e57f8 (Sept 1)
>            Reporter: Michal Toth
>
> Enable all AMQP authentication & authorization to be performed by GSSAPI 
> (kerberos), so user can send and receive messages w/o problems using kerberos 
> credentials.
> Define broker amqp acceptor to accept only GSSAPI auth mechanism.
> {noformat}
> <acceptor name="amqp">tcp://0.0.0.0:5672?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=AMQP;useEpoll=true;amqpCredits=1000;amqpMinCredits=300;saslMechanisms=GSSAPI;saslLoginConfigScope=mykerberos</acceptor>
> {noformat}
> User authentication over the PLAIN sasl mechanism should not be allowed. Only 
> Kerberized ones. This is not working actually.
> I am able to send/receive a message using plain over AMQP, with such defined 
> saslMechanisms as above. 
> login.config
> {noformat}
> activemq {
>  org.apache.activemq.artemis.spi.core.security.jaas.Krb5LoginModule optional
>        debug=true;
>  org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient
>        debug=true
>        reload=true
>        org.apache.activemq.jaas.properties.user="artemis-users.properties"
>        org.apache.activemq.jaas.properties.role="artemis-roles.properties";
> };
> mykerberos {
>     com.sun.security.auth.module.Krb5LoginModule required
>     isInitiator=false
>     storeKey=true
>     useKeyTab=true
>     keyTab="/opt/amqp-service.keytab"
>     principal="amqp/[email protected]"
>     debug=true;
> };
> {noformat}
> {noformat}
> users properties
> admin = 
> ENC(1024:31461C31F100DA2D4363030BD70AB79BD1693552737AB4951B9B733770B60F40:B97C0DE92D4C0A17C2FE572E206A8F8806EFDFEBA456ED96AC1570E12E3F1BEC8314FA9744AC7EFD95DA939FACA2EA829CF3F46C96268F6B9140C74A2E1EE4D3)
> lala = lala
> ---
> roles.properties
> amq = admin,[email protected],lala
> readers = [email protected]
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
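
An added example, not from the issue or the Artemis project: a Python check of broker.xml that lists every AMQP-capable acceptor able to negotiate a SASL mechanism other than GSSAPI, the situation the closing comment points to with the 61616 acceptor. The sample XML is constructed; the 61616 URI, the function names, and the rule that an acceptor without a protocols= list serves every protocol are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the reporter's amqp acceptor next to a stock-style 61616
# acceptor (the 61616 URI is an assumption about what the broker.xml held).
SAMPLE_BROKER_XML = """<configuration><core><acceptors>
<acceptor name="artemis">tcp://0.0.0.0:61616?protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE</acceptor>
<acceptor name="amqp">tcp://0.0.0.0:5672?protocols=AMQP;saslMechanisms=GSSAPI;saslLoginConfigScope=mykerberos</acceptor>
</acceptors></core></configuration>"""


def acceptor_params(uri):
    """Split the query part of an acceptor URI into a lower-cased-key dict."""
    query = uri.partition("?")[2]
    pairs = (p.partition("=") for p in re.split(r"[;&]", query) if p)
    return {k.strip().lower(): v.strip() for k, _, v in pairs}


def csv_set(value):
    """Upper-cased set of the non-empty items in a comma-separated value."""
    return {item.strip().upper() for item in value.split(",") if item.strip()}


def audit_acceptors(broker_xml, allowed=frozenset({"GSSAPI"})):
    """Return (name, reason) for every AMQP-capable acceptor that can
    negotiate a SASL mechanism outside `allowed`."""
    findings = []
    for el in ET.fromstring(broker_xml).iter():
        if el.tag.rpartition("}")[2] != "acceptor":  # ignore XML namespaces
            continue
        params = acceptor_params(el.text or "")
        protocols = csv_set(params.get("protocols", ""))
        # Assumption: an acceptor with no protocols= list serves every protocol.
        if protocols and "AMQP" not in protocols:
            continue
        mechs = csv_set(params.get("saslmechanisms", ""))
        name = el.get("name", "?")
        if not mechs:
            findings.append((name, "no saslMechanisms set, broker defaults apply"))
        elif mechs - allowed:
            findings.append((name, "also allows " + ",".join(sorted(mechs - allowed))))
    return findings


if __name__ == "__main__":
    for name, reason in audit_acceptors(SAMPLE_BROKER_XML):
        print(f"{name}: {reason}")
```
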
