[
https://issues.apache.org/jira/browse/ARTEMIS-3569?focusedWorklogId=683189&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-683189
]
ASF GitHub Bot logged work on ARTEMIS-3569:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 18/Nov/21 09:52
Start Date: 18/Nov/21 09:52
Worklog Time Spent: 10m
Work Description: gemmellr commented on a change in pull request #3849:
URL: https://github.com/apache/activemq-artemis/pull/3849#discussion_r752046716
##########
File path:
artemis-protocols/artemis-amqp-protocol/src/main/java/org/apache/activemq/artemis/protocol/amqp/broker/AMQPSessionCallback.java
##########
@@ -211,12 +211,13 @@ public void init(AMQPSessionContext protonSession,
SASLResult saslResult) throws
true, //boolean xa,
(String) null,
this, true, operationContext, manager.getPrefixes(),
manager.getSecurityDomain());
} else {
+ String validatedUser = manager.getServer().validateUser(user,
passcode, protonSPI.getProtonConnectionDelegate(), manager.getSecurityDomain());
Review comment:
Why did this become necessary? Auth should already have happened by now,
seems messy doing it again.
EDIT: so essentially the same comment as Domenicos in other areas.
##########
File path:
tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/balancing/MQTTRedirectTest.java
##########
@@ -121,5 +137,38 @@ public void testSimpleRedirect() throws Exception {
Assert.assertEquals(0, queueControl0.countMessages());
Wait.assertEquals(0, () -> queueControl1.countMessages());
}
+
+ @Test
+ public void testRoleNameKeyLocalTarget() throws Exception {
+
+ ActiveMQJAASSecurityManager securityManager = new
ActiveMQJAASSecurityManager("PropertiesLogin");
+ servers[0] =
addServer(ActiveMQServers.newActiveMQServer(createDefaultConfig(true).setSecurityEnabled(true),
ManagementFactory.getPlatformMBeanServer(), securityManager, false));
+ setupBalancerServerWithLocalTarget(0, TargetKey.ROLE_NAME, "b", "b");
+
+ startServers(0);
+
+ MqttConnectOptions connOpts = new MqttConnectOptions();
+ connOpts.setCleanSession(true);
+ connOpts.setUserName("a");
+ connOpts.setPassword("a".toCharArray());
+
+ MqttClient client0 = new MqttClient("tcp://" +
TransportConstants.DEFAULT_HOST + ":" + TransportConstants.DEFAULT_PORT,
"TEST", new MemoryPersistence());
+ try {
+ client0.connect(connOpts);
+ fail("Expect to be rejected as not in role0");
Review comment:
role b?
(Also, earlier tests used "B" rather than "b", consistency might be nice)
##########
File path:
tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/balancing/TargetKeyTest.java
##########
@@ -174,6 +194,43 @@ public void testUserNameKey() throws Exception {
Assert.assertEquals("admin", keys.get(0));
}
+ @Test
+ public void testRoleNameKeyLocalTarget() throws Exception {
+
+ ActiveMQJAASSecurityManager securityManager = new
ActiveMQJAASSecurityManager("PropertiesLogin");
+ servers[0] =
addServer(ActiveMQServers.newActiveMQServer(createDefaultConfig(true).setSecurityEnabled(true),
ManagementFactory.getPlatformMBeanServer(), securityManager, false));
+ setupBalancerServerWithLocalTarget(0, TargetKey.ROLE_NAME, "b", "b");
+
+ // ensure advisory permission is present for openwire connection
creation by 'b'
+ HierarchicalRepository<Set<Role>> securityRepository =
servers[0].getSecurityRepository();
+ Role role = new Role("b", true, true, true, true, true, true, false,
false, true, true);
+ Set<Role> roles = new HashSet<>();
+ roles.add(role);
+ securityRepository.addMatch("ActiveMQ.Advisory.#", roles);
+
+ startServers(0);
+
+ final int noRetriesSuchThatWeGetAnErrorOnRejection = 0;
+ ConnectionFactory connectionFactory = createFactory(protocol, false,
TransportConstants.DEFAULT_HOST,
+
TransportConstants.DEFAULT_PORT + 0, null, "a", "a",
noRetriesSuchThatWeGetAnErrorOnRejection);
+
+ // expect disconnect/reject as not role b
+ try (Connection connection = connectionFactory.createConnection()) {
+ connection.start();
+ fail("Expect to be rejected as not in role0");
+ } catch (Exception rejected) {
+ rejected.printStackTrace();
Review comment:
Maybe log something succinct instead? We already have enough output
during tests without stacks that are entirely expected and not used to check
anything.
##########
File path:
artemis-server/src/main/java/org/apache/activemq/artemis/core/management/impl/BrokerBalancerControlImpl.java
##########
@@ -59,11 +59,10 @@ public BrokerBalancerControlImpl(final BrokerBalancer
balancer, final StorageMan
@Override
public CompositeData getTarget(String key) throws Exception {
- Target target = balancer.getTarget(key);
-
- if (target != null) {
+ Target.Result result = balancer.getTarget(key);
+ if (Target.Status.OK.compareTo(result.status) == 0) {
CompositeData connectorData = null;
- TransportConfiguration connector = target.getConnector();
+ TransportConfiguration connector = result.target.getConnector();
Review comment:
Perhaps similar wondering about a TargetResult class when considering
the 'context.getResult()' usage in AMQPRedirectHandler . It would be nice if
the status checking added using that was being done against the actual
[Target.]Status enum, rather than needing to do object equality check against a
full not-really-Target object. You could instead have a TargetResult holder
indicate the result with the enum (and/or boolean conversion method checking
for success) and not have any actual Target object.
##########
File path:
tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/balancing/TargetKeyTest.java
##########
@@ -174,6 +194,43 @@ public void testUserNameKey() throws Exception {
Assert.assertEquals("admin", keys.get(0));
}
+ @Test
+ public void testRoleNameKeyLocalTarget() throws Exception {
+
+ ActiveMQJAASSecurityManager securityManager = new
ActiveMQJAASSecurityManager("PropertiesLogin");
+ servers[0] =
addServer(ActiveMQServers.newActiveMQServer(createDefaultConfig(true).setSecurityEnabled(true),
ManagementFactory.getPlatformMBeanServer(), securityManager, false));
+ setupBalancerServerWithLocalTarget(0, TargetKey.ROLE_NAME, "b", "b");
+
+ // ensure advisory permission is present for openwire connection
creation by 'b'
+ HierarchicalRepository<Set<Role>> securityRepository =
servers[0].getSecurityRepository();
+ Role role = new Role("b", true, true, true, true, true, true, false,
false, true, true);
+ Set<Role> roles = new HashSet<>();
+ roles.add(role);
+ securityRepository.addMatch("ActiveMQ.Advisory.#", roles);
+
+ startServers(0);
+
+ final int noRetriesSuchThatWeGetAnErrorOnRejection = 0;
+ ConnectionFactory connectionFactory = createFactory(protocol, false,
TransportConstants.DEFAULT_HOST,
+
TransportConstants.DEFAULT_PORT + 0, null, "a", "a",
noRetriesSuchThatWeGetAnErrorOnRejection);
+
+ // expect disconnect/reject as not role b
+ try (Connection connection = connectionFactory.createConnection()) {
+ connection.start();
+ fail("Expect to be rejected as not in role0");
Review comment:
role b (/B)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 683189)
Time Spent: 1h 40m (was: 1.5h)
> Broker balancer based on authenticated user role assignment
> -----------------------------------------------------------
>
> Key: ARTEMIS-3569
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3569
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: balancer
> Affects Versions: 2.19.0
> Reporter: Gary Tully
> Assignee: Gary Tully
> Priority: Major
> Fix For: 2.20.0
>
> Time Spent: 1h 40m
> Remaining Estimate: 0h
>
> following up on ARTEMIS-3365 for the local target path.
> add support for ROLE_NAME as a targetKey.
> Matching one of the Roles of an authenticated principal associated with a
> connection, accept or reject the connection based on some partition policy
> based on the role.
> Using the existing regular expression based filter, it is possible to ensure
> a sub set of roles are associated with a given broker.
> The symmeteric-simple-example that uses the client id key type can be
> extended to support partitioning on role assignment, the configuration, to
> use role names that begin with "PARTITION_" and match "PARTITION_FOO" to
> this broker, would be of the form:
> {code:java}
> <broker-balancer name="symmetric-simple-role">
> <target-key>ROLE_NAME</target-key>
> <target-key-filter>^PARTITION_*</target-key-filter>
> <local-target-filter>^PARTITION_FOO.*</local-target-filter>
> </broker-balancer> {code}
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
