Uploaded image for project: 'AMQ Broker'
  1. AMQ Broker
  2. ENTMQBR-3923

[LTS] AMQ 7.7 concurrent jolokia operations can incorrectly update artemis-roles.properties or artemis-users.properties

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • None
    • AMQ 7.4.5.GA
    • broker-core
    • Release Notes
    • +
    • Hide
      Cause: Concurrent Jolokia operations that manipulate the users and roles/permissions in the `artemis-users.properties` and `artemis-roles.properties` files can cause some data to be incorrectly updated or erroneously removed., Consequence: Authentication and authorization may fail to work as expected., Fix: Consolidate the ability to modify the `artemis-users.properties` and `artemis-roles.properties` files to the running broker and employ proper concurrency controls., Result: The `artemis-users.properties` and `artemis-roles.properties` files are no longer corrupted by concurrent Jolokia operations.
      Show
      Cause: Concurrent Jolokia operations that manipulate the users and roles/permissions in the `artemis-users.properties` and `artemis-roles.properties` files can cause some data to be incorrectly updated or erroneously removed., Consequence: Authentication and authorization may fail to work as expected., Fix: Consolidate the ability to modify the `artemis-users.properties` and `artemis-roles.properties` files to the running broker and employ proper concurrency controls., Result: The `artemis-users.properties` and `artemis-roles.properties` files are no longer corrupted by concurrent Jolokia operations.
    • Verified in a release
    • Hide

      Example test:

      #!/bin/bash
      for i in {1..5}
      do
      
              # remove myuser
              curl -k --user admin:admin -H "Origin: http://localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/removeUser(java.lang.String)/myuser" &      
        
              # create user 'myuser' with password 'mypassword'
              curl -k --user admin:admin -H "Origin: http://localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/addUser(java.lang.String,java.lang.String,java.lang.String,boolean)/myuser/mypassword//false" & 
             
              # add role 'myrole' to 'myuser'
              curl -k --user admin:admin -H "Origin: http://localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/resetUser(java.lang.String,java.lang.String,java.lang.String)/myuser/mypassword/myrole" &       
      
              # perform read operation as admin user, just to see if we can connect
              curl -k --user admin:admin -H "Origin: http://localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/listNetworkTopology()" &
      done
      
      

      After executing the above script (multiple times if necessary), sometimes the following logs will be encountered in the broker (note that the test does not remove/add admin):

      2020-09-01 14:35:28,398 WARN [io.hawt.system.Authenticator] Login failed due to: User does not exist: admin

      Examination, in this case, of artemis-roles.properties shows:

      $ cat etc/artemis-roles.properties | grep -v '#'
      amq = admin
       = myuser
      

      But there are multiple variants that may occur.  The in-memory user data is likely affected as well, since the admin user is no longer able to authenticate at all.

       

       

      Show
      Example test: #!/bin/bash for i in {1..5} do # remove myuser curl -k --user admin:admin -H "Origin: http: //localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/removeUser(java.lang. String )/myuser" & # create user 'myuser' with password 'mypassword' curl -k --user admin:admin -H "Origin: http: //localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/addUser(java.lang. String ,java.lang. String ,java.lang. String , boolean )/myuser/mypassword// false " & # add role 'myrole' to 'myuser' curl -k --user admin:admin -H "Origin: http: //localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/resetUser(java.lang. String ,java.lang. String ,java.lang. String )/myuser/mypassword/myrole" & # perform read operation as admin user, just to see if we can connect curl -k --user admin:admin -H "Origin: http: //localhost:8161" "http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22/listNetworkTopology()" & done After executing the above script (multiple times if necessary), sometimes the following logs will be encountered in the broker (note that the test does not remove/add admin): 2020-09-01 14:35:28,398 WARN [io.hawt.system.Authenticator] Login failed due to: User does not exist: admin Examination, in this case, of artemis-roles.properties shows: $ cat etc/artemis-roles.properties | grep -v '#' amq = admin = myuser But there are multiple variants that may occur.  The in-memory user data is likely affected as well, since the admin user is no longer able to authenticate at all.    

      Multi-threaded jolokia operations for operations that manipulate the users and roles/permissions in Artemis can cause some data to be incorrectly updated or erroneously removed.

              rhn-support-jbertram Justin Bertram
              rhn-support-shiggs Stephen Higgs
              Tiago Bueno Tiago Bueno
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: