- Enhancement
- Resolution: Unresolved
- Major
- AMQ62 1.3.7.GA
- OCP 3.2 A-MQ and FIS xPaaS images
- Documentation (Ref Guide, User Guide, etc.), Compatibility/Configuration, User Experience
We need to be able to audit all administrative actions in middleware applications, with each action personally identifiable to a named user.
When deploying the A-MQ or FIS xPaaS images in OpenShift, the Java Console gives the ability to perform administrative actions on the Java container using JMX. But how can these be fully audited?
We need to be able to audit every single JMX operation executed, the MBean on which it was invoked (i.e. the queue or topic name), the parameters passed to the operation, and the user who performed the action.
As an example, here are the kinds of actions we need to be able to audit:
- Creating a queue or topic
- Pushing a message onto a queue or topic, along with the message content
- Viewing a message on a queue or topic, with its content/message ID
- Deleting a message from a queue or topic
- Publishing a message to a Camel endpoint
- Modifying a Camel route
- Purging queues
Example:
The auditing capability in OpenShift 3.2.1+ can audit requests to the API, but does not seem to log the actual payloads of messages to the proxy, e.g.:
I0306 16:44:56.350452 28768 audit.go:113] 2017-03-06T16:44:56.350367731Z AUDIT: id="aa5f30a9-6f9f-47ae-8de6-d111c639a8c2" ip="127.0.0.1" method="POST" user="developer" as="<self>" asgroups="<lookup>" namespace="amq" uri="/api/v1/namespaces/amq/pods/https:broker-amq-2-bjjbz:8778/proxy/jolokia/?maxDepth=7&maxCollectionSize=500&ignoreErrors=true&canonicalNaming=false"
At the xPaaS image level, the auditing flag in ActiveMQ (-Dorg.apache.activemq.audit=true) cannot determine the user that performed the action, and just logs messages like this:
INFO | anonymous called org.apache.activemq.broker.jmx.BrokerView.addQueue[bar] at 06-03-2017 16:43:48,289 | Thread-9
INFO | anonymous called org.apache.activemq.broker.jmx.QueueView.sendTextMessage[{}, Helloworld, userA5m, ****] at 06-03-2017 16:58:16,015 | Thread-9
As you can see, the user is not identified, and in the case of the second audit message, the queue name (MBean) is not audited either.
We would like to see full, user-identifiable auditing of all actions performed, including the payload of any request to Jolokia. Without this, we cannot enable the Java Console for our end users.
Thanks
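A defender-side stopgap for the gap described in the report, added here as an example (not code from the report, the A-MQ image or OpenShift): parse the OpenShift API-server audit line and the ActiveMQ audit line, then attribute each `anonymous` broker action to the OpenShift user whose Jolokia proxy request most recently preceded it within a short window. The sample lines are constructed from the formats quoted above (the addQueue timestamp is shifted to sit just after the API request), the broker log is assumed to be in UTC, and the window-based correlation is a heuristic, not a substitute for the per-user audit the report asks for.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample lines in the two formats quoted in the report; the addQueue timestamp
# is shifted to sit just after the API request so the correlation has something to match.
OPENSHIFT_AUDIT = [
    'I0306 16:44:56.350452 28768 audit.go:113] 2017-03-06T16:44:56.350367731Z AUDIT: '
    'id="aa5f30a9-6f9f-47ae-8de6-d111c639a8c2" ip="127.0.0.1" method="POST" user="developer" '
    'namespace="amq" uri="/api/v1/namespaces/amq/pods/https:broker-amq-2-bjjbz:8778/proxy/jolokia/"',
]
ACTIVEMQ_AUDIT = [
    'INFO | anonymous called org.apache.activemq.broker.jmx.BrokerView.addQueue[bar] at 06-03-2017 16:44:56,401 | Thread-9',
    'INFO | anonymous called org.apache.activemq.broker.jmx.QueueView.sendTextMessage[{}, Helloworld, userA5m, ****] at 06-03-2017 16:58:16,015 | Thread-9',
]

OS_RE = re.compile(r'audit\.go:\d+\] (\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.(\d+)Z AUDIT: (.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
POD_RE = re.compile(r'/pods/(?:https?:)?([^:/]+)(?::\d+)?/proxy/jolokia')
AMQ_RE = re.compile(r'^INFO \| (\S+) called ([\w.$]+)\.(\w+)\[(.*)\] at (\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2},\d{3}) \|')

def parse_openshift(line):
    """Return {ts, user, pod} for an API-server audit line that proxied to Jolokia, else None."""
    m = OS_RE.search(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(m.group(3)))
    pod = POD_RE.search(kv.get("uri", ""))
    if not pod:
        return None  # some other API call; not a console action on the broker
    ts = datetime.strptime(m.group(1) + "." + m.group(2)[:6], "%Y-%m-%dT%H:%M:%S.%f")
    return {"ts": ts.replace(tzinfo=timezone.utc), "user": kv.get("user"), "pod": pod.group(1)}

def parse_activemq(line):
    """Return {ts, principal, mbean, operation, args} for an ActiveMQ audit line, else None."""
    m = AMQ_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(5), "%d-%m-%Y %H:%M:%S,%f")  # assumption: broker logs in UTC
    return {"ts": ts.replace(tzinfo=timezone.utc), "principal": m.group(1), "mbean": m.group(2),
            "operation": m.group(3), "args": m.group(4)}

def attribute_actions(amq_lines, os_lines, window_seconds=2.0):
    """Attach to each broker action the user whose Jolokia request most recently preceded it
    within the window; user is None when no request did, i.e. the action stays unattributable."""
    requests = sorted(filter(None, map(parse_openshift, os_lines)), key=lambda r: r["ts"])
    window = timedelta(seconds=window_seconds)
    events = list(filter(None, map(parse_activemq, amq_lines)))
    for ev in events:
        prior = [r for r in requests if ev["ts"] - window <= r["ts"] <= ev["ts"]]
        ev["user"] = prior[-1]["user"] if prior else None
    return events
```

Because the API audit line carries no request body, the MBean and operation still have to come from the broker side; the correlation only supplies the user, and a broker action with no matching request in the window remains unattributed.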
- clones: ENTESB-8806 Implement optional java console per user action audit logging for A-MQ and FIS xPaaS images (Closed)
- is blocked by: ENTESB-3932 Implement administrative audit logging for Fuse (Closed)
- is blocked by: ENTESB-8813 Integrate existing RBAC with OpenShift RBAC available in 3.7+ (Closed)