Correct. This is exactly what we are doing.
By the way, as far as we found out, permissions created on-demand will be
stored in the journal independently which user/role storage mechanism you
choose. That was one more reasons for us to go with
ActiveMQBasicSecurityManager because we won't have to juggle between two
different backups of authorization data.
--
Vilius
-----Original Message-----
From: Thorsten Meinl <thorsten.me...@knime.com>
Sent: Friday, April 29, 2022 10:43 AM
To: users@activemq.apache.org
Subject: Re: Questions around security and permissions
Thanks all. This sounds like a viable solution to our problem.
Just to be sure: If I want to set permissions per user I also have to create a
dedicated role per user because permissions can only be granted to roles?
Thanks,
Thorsten
Am Donnerstag, dem 28.04.2022 um 09:00 -0500 schrieb Justin Bertram:
> > But can users be created (and deleted) on-demand?
>
> I'm not exactly sure what you mean by "on-demand," but users can be
> created administratively on a running broker via management. This can
> be done via the "artemis user" command, the web console, Jolokia, etc.
> You'll need to use the PropertiesLoginModule [1] with the JAAS
> security manager [2] (i.e.
> the default configuration) or the "Basic" security manager [3].
>
> You could also likely accomplish this via LDAP [4].
>
> > And is there a practical limit?
>
> There is no arbitrarily imposed limit so any limit will be based on
> the resources available to the broker. My recommendation would be to
> test and see.
>
> > An alternative solution would be to use some kind of proxy between
> > the
> broker and the consumer which allows access to certain queues only.
> Does
> something like this exist?
>
> I'm not aware of anything like this, and I would be surprised if it
> existed as it would add needless complexity on top of something that
> could already be accomplished via the broker directly or via LDAP.
>
>
> Justin
>
> [1]
> https://activemq.apache.org/components/artemis/documentation/latest/se
> curity.html#propertiesloginmodule
> [2]
> https://activemq.apache.org/components/artemis/documentation/latest/se
> curity.html#jaas-security-manager
> [3]
> https://activemq.apache.org/components/artemis/documentation/latest/se
> curity.html#basic-security-manager
> [4]
> https://activemq.apache.org/components/artemis/documentation/latest/se
> curity.html#ldaploginmodule
>
> On Thu, Apr 28, 2022 at 7:59 AM Thorsten Meinl
> <thorsten.me...@knime.com>
> wrote:
>
> > We have a more complicated scenario where we use Artemis and are
> > currently struggling with some security-related problems. Let me try
> > to sketch our setup:
> >
> > - Several producers put work items into queues in Artemis. Every
> > producer uses a dedicated queue, e.g. "jobs.123" where 123 is the
> > unique producer name.
> > - We create consumers on-demand for every producer, i.e. for
> > producer "123" there is a consumer "123" that is consuming from queu
> > "jobs.123".
> > - The consumers are started in containers and get the access
> > credentials for Artemis passed as environment variables. All
> > consumers share the same credentials and therefore have access to
> > all queues.
> > - Now comes the crucial part: the consumers essentially allow for
> > arbitrary code execution. This is not an issue per se because they
> > are restricted to the container. But a carefully crafted work item
> > allows you to read the container's environment variables, create a
> > consumer and read *any* message including work items which are not
> > supposed to be read by the current consumer. E.g. the rogue consumer
> > "123" can then read messages addressed to consumer "456". This
> > compromises confidentiality.
> >
> > Now we are looking for solutions to this problem. We have to ensure
> > that consumer XYZ can only read messages addressed to it (i.e.
> > "jobs.XYZ") and nothing else. I guess this would be possible by
> > creating dedicated Artemis users for each consumer and setting
> > permissions accordingly. But can users be created (and deleted) on-
> > demand? And is there a practical limit? We would need hundreds if
> > not thousands of Artemis users.
> >
> > An alternative solution would be to use some kind of proxy between
> > the broker and the consumer which allows access to certain queues
> > only.
> > Does something like this exist?
> >
> > Are there any other solutions that may think of?
> >
> > I know it's a very generic question but maybe some of you have ideas
> > that they can share.
> >
> > Thanks,
> >
> > Thorsten
> >
> > --
> > Dr.-Ing. Thorsten Meinl
> > KNIME AG
> > Hardturmstrasse 66
> > 8005 Zurich, Switzerland
> >
> >
--
Dr.-Ing. Thorsten Meinl
KNIME AG
Hardturmstrasse 66
8005 Zurich, Switzerland
