Uploaded image for project: 'Red Hat Fuse'
  1. Red Hat Fuse
  2. ENTESB-9310

ActiveMQ LDAP Authorization plugin does not work correctly with Karaf's jaasAuthenticationPlugin

XMLWordPrintable

    • % %

      Authorization plugin does not work correctly with Karaf jaasAuthenticationPlugin.

      for instance, I have three groups configured in my ldap server:

      dn: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
      cn: admins
      member: uid=admin
      objectClass: groupOfNames
      objectClass: top
      
      dn: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
      cn: users
      member: uid=client
      objectClass: groupOfNames
      objectClass: top
      
      dn: cn=Operator,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
      cn: Operator
      member: uid=jdoe
      objectClass: groupOfNames
      objectClass: top
      

      The group "cn=Operator" has a matched name as a pre-configured Karaf RBAC role "Operator".

      If I do not add this group "cn=Operator" to any of "cn=read", "cn=write" and "cn=admin" privilege group on any of destinations, for instance:

      dn: cn=admin,cn=$,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
      cn: admin
      description: Admin privilege group, members are roles
      member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
      #member: cn=Operator,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
      objectclass: groupOfNames
      objectclass: top
      
      dn: cn=write,cn=$,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
      cn: write
      member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
      #member: cn=Operator,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
      objectclass: groupOfNames
      objectclass: top
      
      dn: cn=read,cn=$,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
      cn: read
      member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
      #member: cn=Operator,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
      objectclass: groupOfNames
      objectclass: top
      ...
      ...
      dn: cn=read,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
      cn: read
      member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
      member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
      #member: cn=Operator,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
      objectClass: groupOfNames
      objectClass: top
      
      dn: cn=write,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
      cn: write
      member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
      member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
      #member: cn=Operator,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
      objectClass: groupOfNames
      objectClass: top
      
      dn: cn=admin,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
      cn: admin
      member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
      member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
      #member: cn=Operator,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
      objectClass: groupOfNames
      objectClass: top
      

      Then even my "admin" user could not send any messages to a queue destination as I'd get:

      javax.jms.JMSSecurityException: User admin is not authorized to create: topic://ActiveMQ.Advisory.Connection
      

      although I have added the "cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org" group to all of "ActiveMQ.Advisory.$" destinations as required.

      If I uncommented out the following line from above LDAP samples:

      member: cn=Operator,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
      

      instead, I am adding this "cn=Operator" group to all of destination's "cn=admin", "cn=read" and "cn=write" privileges, then the "admin" user would work.

      However, the consequences is that even the "client" user can create a new queue or write messages to a queue despite the fact that it is not supposed to do anything with a queue because it's group "cn=users" is not added there under any queue destinations (see above sample). It means by adding the group "cn=Operator", effectively, it allowed any user to have all permissions to all destinations, somehow.

      You could test with any other user group name such as "cn=viewer" or "cn=Deployer" etc. They will have the same effect as the "cn=Operator" group as long as the name matches one of Karaf's pre-configured RBAC roles.

      I'll attach a activemq.xml file with relevant <jaasAuthenticationPlugin> and <authorizationPlugin> elements, a ldap-module.xml for Karaf to use LDAPLogginModule and a activemq-openldap.ldif file to this JIRA for testing.

        1. ldap-module.xml
          1 kB
        2. ldap-auth-001.jpg
          ldap-auth-001.jpg
          119 kB
        3. activemq-openldap.ldif
          7 kB
        4. activemq.xml
          4 kB

              rhn-support-qluo Joe Luo
              rhn-support-qluo Joe Luo
              Votes:
              4 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: