A customer was facing this issue while configuring the Authorization plugin based on JAAS user groups. I tried to replicate it at my end and could observe the issue.
We want to group roles in JAAS groups, then configure the Authorization plugin (broker.xml / ssl-broker.xml file) based on user groups. We created 2 users, "user1" and "user2", and assigned them two roles, "role1" and "role2" respectively. Then we created a group "myGroup" having "role1" and "role2".
JBossFuse:karaf@root> jaas:users
User Name Group Role
admin admin admin
admin admin manager
admin admin viewer
admin admin Operator
admin admin Maintainer
admin admin Deployer
admin admin Auditor
admin admin Administrator
admin admin SuperUser
admin Monitor
user1 role1
user2 role2
role1 and role2 have been added to myGroup using the commands:
JBossFuse:karaf@root> jaas:grouproleadd myGroup role1
JBossFuse:karaf@root> jaas:grouproleadd myGroup role2
JBossFuse:karaf@root> jaas:groups
Group Roles
admin admin,admin,manager,viewer,Operator,Maintainer,Deployer,Auditor,Administrator,SuperUser
myGroup ,role1,role2
We configured the "authorizationPlugin" in "ssl-broker.xml" file as follows:
<authorizationPlugin>
  <map>
    <authorizationMap groupClass="org.apache.karaf.jaas.boot.principal.RolePrincipal">
      <authorizationEntries>
        <authorizationEntry queue=">" read="admin" write="admin" admin="admin,myGroup" />
        <authorizationEntry queue="QUEUE.REFE.NOTIFICATION.>" read="admin,refeconsumer,myGroup" write="admin,refeproducer,myGroup" admin="admin,myGroup" />
        <authorizationEntry topic=">" read="admin" write="admin" admin="admin,myGroup" />
        <authorizationEntry topic="ActiveMQ.Advisory.>" read="role1,myGroup,refeconsumer,refeproducer,admin" write="role1,refeproducer,myGroup,admin" admin="role1,myGroup,refeproducer,admin"/>
      </authorizationEntries>
      <tempDestinationAuthorizationEntry>
        <tempDestinationAuthorizationEntry read="refeconsumer,refeproducer,myGroup,admin" write="refeproducer,myGroup,admin" admin="admin,myGroup"/>
      </tempDestinationAuthorizationEntry>
    </authorizationMap>
  </map>
</authorizationPlugin>
But when we try to access the queues with users that have the proper permissions, we get:
javax.jms.JMSSecurityException: User user1 is not authorized to read from: ActiveMQ.Advisory.TempQueue,ActiveMQ.Advisory.TempTopic
But we noticed a strange behavior there. When we give the full name of the topic/queue in the authorization plugin, it works fine, but if we use the wildcard character it throws the error.
For example:
<authorizationMap groupClass="org.apache.karaf.jaas.boot.principal.RolePrincipal">
  <authorizationEntries>
    <!--authorizationEntry queue=">" read="admin,mygroup" write="admin,mygroup" admin="admin,mygroup" /-->
    <authorizationEntry queue="QUEUE.REFE.NOTIFICATION.>" read="mygroup,admin,refeconsumer" write="mygroup,admin,refeproducer" admin="admin" />
    <authorizationEntry topic="ActiveMQ.Advisory.>" read="mygroup,refeconsumer,refeproducer,admin" write="mygroup,refeproducer,admin" admin="mygroup,refeproducer,admin"/>
    <authorizationEntry topic="ActiveMQ.Advisory.>" read="mygroup" write="mygroup" admin="mygroup" />
  </authorizationEntries>
</authorizationMap>
With this configuration, the user "user1" present in "mygroup" is not able to access the "ActiveMQ.Advisory.*>" topic, but if I give the full name of the topic without the wildcard character, "ActiveMQ.Advisory.Connection", it works fine. In this case the wildcard character worked for queues but not for topics. Another strange thing that happened was that my user created a queue for which it doesn't have the rights.
Scenario 2:
When I changed the authorization map to GroupPrincipal instead of RolePrincipal, the opposite happened for queues and topics: the wildcard did not work for queues this time but worked for topics. And my user created a topic to which it did not have access.
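Added example (not part of the report above, and not ActiveMQ or Karaf code): a small Python model of how an authorizationMap is evaluated, written to help reason about the two things the report combines, the ">" wildcard in destination names and the groupClass setting. The model assumes ActiveMQ's destination-map rules ("." separates segments, "*" matches one segment, ">" matches one or more trailing segments), that the ACLs of all matching entries are unioned (composite destinations such as the "ActiveMQ.Advisory.TempQueue,ActiveMQ.Advisory.TempTopic" in the error contribute per component), and that each name in an entry is compared as a principal of the configured groupClass, so a name only matches a principal of that same class. The principal class names, the user1 principal set (role1 only, as jaas:users shows) and the ACL entries are constructed for the example, modelled on the second configuration.

```python
"""Simplified model of ActiveMQ <authorizationMap> evaluation (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Principal:
    """Stand-in for a Java principal: class name plus name. Two principals are
    equal only if both the class and the name match (assumption of the model)."""
    cls: str
    name: str


@dataclass(frozen=True)
class AuthorizationEntry:
    """One <authorizationEntry>: destination type, name pattern and the
    comma-separated read/write/admin attributes already split into tuples."""
    dest_type: str                 # "queue" or "topic"
    pattern: str                   # may contain '*' (one segment) and '>' (rest)
    read: Tuple[str, ...] = ()
    write: Tuple[str, ...] = ()
    admin: Tuple[str, ...] = ()


def destination_matches(pattern: str, name: str) -> bool:
    """Dot-separated wildcard match: '*' matches exactly one segment, '>'
    matches one or more trailing segments, anything else must match literally."""
    pat = pattern.split(".")
    path = name.split(".")
    for i, seg in enumerate(pat):
        if seg == ">":
            return len(path) > i
        if i >= len(path):
            return False
        if seg != "*" and seg != path[i]:
            return False
    return len(pat) == len(path)


def allowed_names(entries: Iterable[AuthorizationEntry], dest_type: str,
                  name: str, op: str) -> Set[str]:
    """Union of the `op` lists of every entry whose type and pattern match.
    A composite destination 'A,B' is split and each component contributes
    its matching entries (union semantics, an assumption of the model)."""
    allowed: Set[str] = set()
    for component in name.split(","):
        for entry in entries:
            if entry.dest_type == dest_type and destination_matches(entry.pattern, component):
                allowed.update(getattr(entry, op))
    return allowed


def is_authorized(user_principals: Set[Principal], entries: List[AuthorizationEntry],
                  group_class: str, dest_type: str, name: str, op: str) -> bool:
    """Names from the map become principals of the configured groupClass and are
    intersected with the user's principals; an empty ACL or a principal of a
    different class never matches."""
    acl = {Principal(group_class, n) for n in allowed_names(entries, dest_type, name, op)}
    return not acl.isdisjoint(user_principals)


# Constructed sample (not from the report): Karaf principal class names, the
# user1 principals that jaas:users shows (role1, no group), and entries
# modelled on the second configuration in the report.
ROLE = "org.apache.karaf.jaas.boot.principal.RolePrincipal"
GROUP = "org.apache.karaf.jaas.boot.principal.GroupPrincipal"
USER1 = {Principal(ROLE, "role1")}
ENTRIES = [
    AuthorizationEntry("queue", "QUEUE.REFE.NOTIFICATION.>",
                       read=("mygroup", "admin", "refeconsumer"),
                       write=("mygroup", "admin", "refeproducer"), admin=("admin",)),
    AuthorizationEntry("topic", "ActiveMQ.Advisory.>",
                       read=("mygroup", "refeconsumer", "refeproducer", "admin"),
                       write=("mygroup", "refeproducer", "admin"),
                       admin=("mygroup", "refeproducer", "admin")),
]
ADVISORY = "ActiveMQ.Advisory.TempQueue,ActiveMQ.Advisory.TempTopic"


def explain_denial() -> dict:
    """Walk the failing advisory read from the report through the model."""
    with_role1 = ENTRIES + [AuthorizationEntry("topic", "ActiveMQ.Advisory.>", read=("role1",))]
    group_member = {Principal(GROUP, "mygroup")}
    return {
        "wildcard_matches_advisory": destination_matches("ActiveMQ.Advisory.>", "ActiveMQ.Advisory.TempQueue"),
        "names_collected": sorted(allowed_names(ENTRIES, "topic", ADVISORY, "read")),
        "user1_read_with_group_names_only": is_authorized(USER1, ENTRIES, ROLE, "topic", ADVISORY, "read"),
        "user1_read_after_listing_role1": is_authorized(USER1, with_role1, ROLE, "topic", ADVISORY, "read"),
        # the name "mygroup" in the map only matches a principal of the groupClass
        "group_member_with_role_class": is_authorized(group_member, ENTRIES, ROLE, "topic", ADVISORY, "read"),
        "group_member_with_group_class": is_authorized(group_member, ENTRIES, GROUP, "topic", ADVISORY, "read"),
    }


if __name__ == "__main__":
    for key, value in explain_denial().items():
        print(f"{key}: {value}")
```

Running it shows that the wildcard entry does match the advisory topics, so in this model a denial for user1 comes from the name side: the entry lists "mygroup" and "admin", which as RolePrincipals match neither of user1's principals, while listing "role1" (or switching groupClass to the class the user actually carries) makes the same check pass.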