Uploaded image for project: 'AMQ Broker'
  1. AMQ Broker
  2. ENTMQBR-3841

AMQ 7.7 concurrent jolokia operations can incorrectly update artemis-roles.properties or artemis-users.properties

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • AMQ 7.8.0.CR1
    • AMQ 7.7.0.GA
    • broker-core
    • None
    • Hide
      Previously, if multiple, concurrent Jolokia operations that manipulated users and roles or permissions took place on the broker, the broker might incorrectly update or remove some data in the `artemis-roles.properties` or `artemis-users.properties` configuration files. This issue is now resolved.
      Show
      Previously, if multiple, concurrent Jolokia operations that manipulated users and roles or permissions took place on the broker, the broker might incorrectly update or remove some data in the `artemis-roles.properties` or `artemis-users.properties` configuration files. This issue is now resolved.
    • Documented as Resolved Issue
    • Verified in a release
    • Hide

      Example test:

      #!/bin/bash
      for i in {1..5}
      do
      
              # remove myuser
              curl -k --user admin:admin -H "Origin: http://localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/removeUser(java.lang.String)/myuser" &      
        
              # create user 'myuser' with password 'mypassword'
              curl -k --user admin:admin -H "Origin: http://localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/addUser(java.lang.String,java.lang.String,java.lang.String,boolean)/myuser/mypassword//false" & 
             
              # add role 'myrole' to 'myuser'
              curl -k --user admin:admin -H "Origin: http://localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/resetUser(java.lang.String,java.lang.String,java.lang.String)/myuser/mypassword/myrole" &       
      
              # perform read operation as admin user, just to see if we can connect
              curl -k --user admin:admin -H "Origin: http://localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/listNetworkTopology()" &
      done
      
      

      After executing the above script (multiple times if necessary), sometimes the following logs will be encountered in the broker (note that the test does not remove/add admin):

      2020-09-01 14:35:28,398 WARN [io.hawt.system.Authenticator] Login failed due to: User does not exist: admin

      Examination, in this case, of artemis-roles.properties shows:

      $ cat etc/artemis-roles.properties | grep -v '#'
      amq = admin
       = myuser
      

      But there are multiple variants that may occur.  The in-memory user data is likely affected as well, since the admin user is no longer able to authenticate at all.

       

       

      Show
      Example test: #!/bin/bash for i in {1..5} do # remove myuser curl -k --user admin:admin -H "Origin: http: //localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/removeUser(java.lang. String )/myuser" & # create user 'myuser' with password 'mypassword' curl -k --user admin:admin -H "Origin: http: //localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/addUser(java.lang. String ,java.lang. String ,java.lang. String , boolean )/myuser/mypassword// false " & # add role 'myrole' to 'myuser' curl -k --user admin:admin -H "Origin: http: //localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/resetUser(java.lang. String ,java.lang. String ,java.lang. String )/myuser/mypassword/myrole" & # perform read operation as admin user, just to see if we can connect curl -k --user admin:admin -H "Origin: http: //localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/listNetworkTopology()" & done After executing the above script (multiple times if necessary), sometimes the following logs will be encountered in the broker (note that the test does not remove/add admin): 2020-09-01 14:35:28,398 WARN [io.hawt.system.Authenticator] Login failed due to: User does not exist: admin Examination, in this case, of artemis-roles.properties shows: $ cat etc/artemis-roles.properties | grep -v '#' amq = admin = myuser But there are multiple variants that may occur.  The in-memory user data is likely affected as well, since the admin user is no longer able to authenticate at all.    

      Multi-threaded jolokia operations for operations that manipulate the users and roles/permissions in Artemis can cause some data to be incorrectly updated or erroneously removed.

            rhn-support-jbertram Justin Bertram
            rhn-support-shiggs Stephen Higgs
            Oleg Sushchenko Oleg Sushchenko
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: