Great news, thank you!


> Il giorno 11 dic 2019, alle ore 20:48, Justin Bertram <jbert...@apache.org> 
> ha scritto:
> 
>> Currently there is no way to use a custom ActiveMQSecurityManager
> implementation via the XML configuration.
> 
> FYI - I just opened ARTEMIS-2574 [1] and sent a PR [2] to address this.
> 
> 
> Justin
> 
> [1] https://issues.apache.org/jira/browse/ARTEMIS-2574
> [2] https://github.com/apache/activemq-artemis/pull/2917
> 
> On Fri, Sep 20, 2019 at 8:34 AM Justin Bertram <jbert...@apache.org> wrote:
> 
>>> In few word what I’d like to achieve is to let Artemis instantiate and
>> use a custom ActiveMQSecurityManager provided through a configuration
>> parameter. Is there a way or I must patch the Artemis code to allow the
>> ActiveMQSecurityManager pluggability?
>> 
>> Currently there is no way to use a custom ActiveMQSecurityManager
>> implementation via the XML configuration. The broker would need to be
>> modified to allow this behavior (and I think that would be a valid
>> enhancement).
>> 
>> For what it's worth, using a custom ActiveMQSecurityManager implementation
>> is a trivial matter for embedded use-cases.
>> 
>> 
>> Justin
>> 
>> On Wed, Sep 11, 2019 at 9:28 AM Modanese, Riccardo
>> <riccardo.modan...@eurotech.com.invalid> wrote:
>> 
>>> Hi, unfortunately I cannot rely on a security repository and the users
>>> and ACLs profiles could be thousands.
>>> 
>>> My idea is to replace the ActiveMQJAASSecurityManager with my own custom
>>> ActiveMQSecurityManager implementation.
>>> But I didn’t find a way.
>>> It seems that there is no other way than specifying a jaas-security tag
>>> in the bootstrap.xml configuration file (<jaas-security
>>> domain="activemq"/>).
>>> If I remove the tag, or I try to change the DTO instance (with the
>>> appropriate annotation in the new DTO file itself), I get a xml validation
>>> schema error.
>>> From my attempts there is no way to remove the jaas-security tag.
>>> 
>>> In few word what I’d like to achieve is to let Artemis instantiate and
>>> use a custom ActiveMQSecurityManager provided through a configuration
>>> parameter.
>>> Is there a way or I must patch the Artemis code to allow the
>>> ActiveMQSecurityManager pluggability?
>>> 
>>> 
>>> Il giorno 28 ago 2019, alle ore 05:23, yw yw <wy96...@gmail.com<mailto:
>>> wy96...@gmail.com>> ha scritto:
>>> 
>>> Yes, it would check every time a client publishes a message or subscribes
>>> an address.
>>> 
>>> From my understanding, SecuritySettingPlugin should meet your
>>> requirements.
>>> You can save the "securityRepository" passed by "SecuritySettingPlugin::
>>> setSecurityRepository" in your custom SecuritySettingPlugin. When you
>>> receive a notification that user is added/removed,  you can call
>>> securityRepository::addMatch/removeMatch/swap to change ACL in matching
>>> address.
>>> 
>>> 
>>> Modanese, Riccardo <riccardo.modan...@eurotech.com.invalid<mailto:
>>> riccardo.modan...@eurotech.com.invalid>> 于2019年8月27日周二
>>> 下午11:12写道:
>>> 
>>> I think the SecuritySettingPlugin will not solve my issue but an
>>> ActiveMQSecurityManager3 custom implementation could be.
>>> 
>>> So I tried to plug an ActiveMQSecurityManager3 implementation but without
>>> any success.
>>> From my understanding this plugin should be defined into bootstrap.xml but
>>> unfortunately I found no way to replace the jaas-security tag with another
>>> one pointing to my configuration DTO (the xsd doesn’t provide alternative
>>> tag to jaas-security)
>>> 
>>> Anyway, just to be sure if the ActiveMQSecurityManager3 api could fit my
>>> needs,  is the method validateUserAndRole called before every
>>> publish/subscribe?
>>> 
>>> Il giorno 26 ago 2019, alle ore 18:00, Christopher Shannon <
>>> christopher.l.shan...@gmail.com<mailto:christopher.l.shan...@gmail.com>>
>>> ha scritto:
>>> 
>>> You might need to write some custom code to do what you want and you
>>> could
>>> try a custom Security plugin.
>>> See the API and Java docs for the security setting plugin:
>>> 
>>> 
>>> https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/SecuritySettingPlugin.java
>>> 
>>> If you need even more control you can create your own SecurityManager and
>>> register it with the broker.  The interface to extend is:
>>> 
>>> 
>>> https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQSecurityManager3.java
>>> 
>>> The validateUserAndRole() method is where you do your ACL checks
>>> 
>>> A default implementation that delegates to a JAAS module is including in
>>> the broker already which you can use as an example or to extend:
>>> 
>>> 
>>> https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java
>>> 
>>> On Mon, Aug 26, 2019 at 8:01 AM Modanese, Riccardo
>>> <riccardo.modan...@eurotech.com.invalid> wrote:
>>> 
>>> I already read this page and I wasn’t able to find any helpful
>>> information.
>>> In our use case each user has ACL depending on the username itself.
>>> Moreover a user can be added at runtime and the broker must be able to
>>> create and handle correctly the ACL also for the new created user.
>>> 
>>> So, at the end, what I need is the capability of creating ACL
>>> programmatically and keep them in a session in order to be used every
>>> time
>>> a client publishes a message or subscribes an address.
>>> In ActiveMQ 5 this was possible ( [1] - [2] ) by creating a
>>> DefaultAuthorizationMap object, but I cannot find a similar object in
>>> Artemis
>>> 
>>> [1]
>>> 
>>> 
>>> https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L683
>>> [2]
>>> 
>>> 
>>> https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L557
>>> 
>>> 
>>> Il giorno 26 ago 2019, alle ore 13:43, Christopher Shannon <
>>> christopher.l.shan...@gmail.com<mailto:christopher.l.shan...@gmail.com
>>> 
>>> ha scritto:
>>> 
>>> All of the info you should need to get started should be here:
>>> 
>>> 
>>> 
>>> https://activemq.apache.org/components/artemis/documentation/latest/security.html
>>> 
>>> On Mon, Aug 26, 2019 at 6:24 AM Modanese, Riccardo
>>> <riccardo.modan...@eurotech.com.invalid> wrote:
>>> 
>>> Hello,
>>> In our ActiveMQ 5.x security plugin code we are enforcing ACL
>>> programmatically so I’m investigating how to migrate our current ACL
>>> from
>>> ActiveMQ 5.x to Artemis.
>>> 
>>> I took a look into Artemis source code and I didn’t find any similar
>>> object to those present in ActiveMQ 5.x (E.g.
>>> org.apache.activemq.security.AuthorizationMap,
>>> org.apache.activemq.security.AuthorizationEntry, ...)
>>> 
>>> Can you point me to the right direction?
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 

Reply via email to