> 1.  Is it enough to configure <security-manager> in bootstrap.xml? Do I
> need to remove <jaas-security domain="activemq"/> line? Do I also somehow
> change login.config? Currently it is configured to use default
> PropertiesLogin JAAS module.

You should remove the jaas-security configuration. As far as the basic
security manager is concerned you don't need to change login.config. The
basic security manager doesn't use JAAS at all (as noted in the
documentation [1]) so it isn't concerned with the contents of login.config.

> 2.  How do I separate Hawtio authentication from broker authentication?
> Does this mean I have to separate default “activemq” realm, use that
> different realm when starting Hawtio and then change login.config so it
> includes both realms using different authentication modules?

Hawtio uses JAAS internally and it is configured via system properties in
etc/artemis.profile. It will continue to use JAAS while the broker uses the
basic security manager.

> 4.  Can I use the same .properties file for both, populate
> ActiveMQBasicSecurityManager bootstrap user credentials, and Hawtio
> authentication?

I suppose you could do that.

> 5.  How do bootstrapUser and bootstrapPassword work in a cluster environment
> if the bindings journal already contains the same user? Let’s say I restart
> primary and backup becomes live, but earlier I have changed the password
> via management API using other means? Should I set bootstrapUser
> configuration in all cluster nodes or just in primary?

As noted in the documentation [1], "Any bootstrap credentials will be set
whenever you start the broker no matter what changes may have been made to
them at runtime previously." The idea is to boot the broker instance for
the first time with a bootstrap user that can be used to add all the
necessary users and roles to the journal and then you remove the bootstrap
user from bootstrap.xml thereafter.

> 6.  From our code perspective, can we still use
> JMSManagementHelper.putOperationInvocation() with "addUser" operation to
> add/delete users dynamically, or do we need to use different API?

No. You'll use the same management operations. However, those operations
will modify the accounts in the journal rather than the properties files.

> 7.  Is there a tool to at least list all the users in the journal, or
> this is only possible calling some kind of API?

You can use the management API to list the users (including the CLI "user
list" command). You can also print the raw contents of the journal using
the CLI "data print" command. User account info will be listed as part of
the bindings.

> 8.  From the security perspective, are users’ passwords in binding
> journal properly hashed and cannot be retrieved if someone pokes at the
> data?

If you tell the API to hash the passwords then they will be hashed.

Hope that helps!


Justin

[1] https://activemq.apache.org/components/artemis/documentation/latest/security.html#basic-security-manager
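The following is an added example illustrating the answers to questions 6 and 8 above; it is not code from this thread or from the Artemis project. It sends the same `addUser`, `listUser`, `resetUser` and `removeUser` management operations that a `.properties`-backed broker accepts, but with the basic security manager in place these land in the bindings journal. Passing `false` for the `plaintext` parameter is what makes the broker hash the password before storing it. Everything concrete here is an assumption for illustration: the broker URL, the hypothetical `admin` account (which needs the `manage` permission on the management address), the `ARTEMIS_ADMIN_PASSWORD` environment variable, and the user `alice` with role `clients`.

```java
import javax.jms.Message;
import javax.jms.Queue;
import javax.jms.QueueConnection;
import javax.jms.QueueRequestor;
import javax.jms.QueueSession;
import javax.jms.Session;

import org.apache.activemq.artemis.api.core.management.ResourceNames;
import org.apache.activemq.artemis.api.jms.ActiveMQJMSClient;
import org.apache.activemq.artemis.api.jms.management.JMSManagementHelper;
import org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory;

// Added example (not from the thread or the Artemis project): manage journal-backed
// user accounts through the broker's management address using JMSManagementHelper.
public class JournalUserAdmin {

   // Default management address of an Artemis broker.
   private static final String MANAGEMENT_ADDRESS = "activemq.management";

   public static void main(String[] args) throws Exception {
      String brokerUrl = "tcp://localhost:61616";                 // assumption
      String adminUser = "admin";                                  // assumption: holds the "manage" permission
      String adminPass = System.getenv("ARTEMIS_ADMIN_PASSWORD");  // assumption: supplied via environment, not hard-coded

      ActiveMQConnectionFactory cf = new ActiveMQConnectionFactory(brokerUrl);
      try (QueueConnection connection = cf.createQueueConnection(adminUser, adminPass)) {
         QueueSession session = connection.createQueueSession(false, Session.AUTO_ACKNOWLEDGE);
         Queue managementQueue = ActiveMQJMSClient.createQueue(MANAGEMENT_ADDRESS);
         QueueRequestor requestor = new QueueRequestor(session, managementQueue);
         connection.start();

         // addUser(username, password, roles, plaintext): plaintext=false tells the
         // broker to hash the password before it is written to the bindings journal.
         invoke(session, requestor, "addUser", "alice", "correct horse battery staple", "clients", false);

         // listUser(username) returns a JSON description of the user and its roles.
         Object listed = invoke(session, requestor, "listUser", "alice");
         System.out.println("listUser -> " + listed);

         // Password rotation uses the same parameter shape as addUser. Because the
         // account lives in the journal, the change follows the bindings to the backup
         // rather than staying in a per-node .properties file.
         invoke(session, requestor, "resetUser", "alice", "a different long passphrase", "clients", false);

         // Removal deletes the account from the journal.
         invoke(session, requestor, "removeUser", "alice");
      }
   }

   // Wraps one management operation: build the request, send it, check the outcome.
   private static Object invoke(QueueSession session, QueueRequestor requestor,
                                String operation, Object... params) throws Exception {
      Message request = session.createMessage();
      // ResourceNames.BROKER addresses the ActiveMQServerControl MBean, which
      // hosts the addUser/listUser/resetUser/removeUser operations.
      JMSManagementHelper.putOperationInvocation(request, ResourceNames.BROKER, operation, params);
      Message reply = requestor.request(request);
      if (!JMSManagementHelper.hasOperationSucceeded(reply)) {
         // On failure the result carries the broker's error message.
         throw new IllegalStateException(operation + " failed: " + JMSManagementHelper.getResult(reply));
      }
      return JMSManagementHelper.getResult(reply);
   }
}
```

The account used to open the connection is itself subject to the broker's security settings, so it must be granted `manage` on the management address (the bootstrap user from `bootstrap.xml` is typically used for this only on first boot, as described under question 5). The `listUser` call above is the programmatic equivalent of the CLI `user list` command mentioned under question 7.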

On Thu, Mar 24, 2022 at 11:01 AM Vilius Šumskas <[email protected]>
wrote:

> Hello list,
>
> since, according to documentation, PropertiesLogin JAAS module is not
> recommended for production use, and .properties files are not synched in a
> cluster environment, we are now searching for possible authentication
> alternatives.
>
> At first I thought to build a Keycloak cluster, but reading through
> documentation I found that there is such a thing as
> ActiveMQBasicSecurityManager which should be enough (our case: thousands of
> external MQ clients using different Artemis user each, to separate their
> JMS queue data).
>
> Unfortunately documentation is a bit scarce on the examples how exactly
> ActiveMQBasicSecurityManager is configured, and internet search returns
> almost nothing, so I’m sorry in advance for a lot of questions.
>
>   1.  Is it enough to configure <security-manager> in bootstrap.xml? Do I
> need to remove <jaas-security domain="activemq"/> line? Do I also somehow
> change login.config? Currently it is configured to use default
> PropertiesLogin JAAS module.
>   2.  How do I separate Hawtio authentication from broker authentication?
> Does this mean I have to separate default “activemq” realm, use that
> different realm when starting Hawtio and then change login.config so it
> includes both realms using different authentication modules?
>   3.  If the above answer is yes, is there an example somewhere how
> ActiveMQBasicSecurityManager is configured in login.config and what are the
> options?
>   4.  Can I use the same .properties file for both, populate
> ActiveMQBasicSecurityManager bootstrap user credentials, and Hawtio
> authentication?
>   5.  How do bootstrapUser and bootstrapPassword work in a cluster environment
> if the bindings journal already contains the same user? Let’s say I restart
> primary and backup becomes live, but earlier I have changed the password
> via management API using other means? Should I set bootstrapUser
> configuration in all cluster nodes or just in primary?
>   6.  From our code perspective, can we still use
> JMSManagementHelper.putOperationInvocation() with "addUser" operation to
> add/delete users dynamically, or do we need to use different API?
>   7.  Is there a tool to at least list all the users in the journal, or
> this is only possible calling some kind of API?
>   8.  From the security perspective, are users’ passwords in binding
> journal properly hashed and cannot be retrieved if someone pokes at the
> data?
>
> Thank you in advance for any pointers.
>
> --
>    Best Regards,
>
>     Vilius Šumskas
>     Rivile
>     IT manager
>     +370 614 75713
>
>
