Uploaded image for project: 'AMQ Broker'
  1. AMQ Broker
  2. ENTMQBR-4985

[LTS] SecurityStoreImpl.java erroneously logs a ActiveMQMessageBundle.userNoPermissions message

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • None
    • AMQ 7.8.0.GA
    • broker-core
    • None

    Description

      In SecurityStoreImpl.check() method, the call to ActiveMQSecurityManager5.authenticate (via getSubjectForAuthorization) fails due to a connection reset error. Here's part of the stack trace:

      2021-03-29 14:58:42,229 ERROR [org.apache.activemq.artemis.core.server] AMQ224084: Failed to open context: javax.naming.CommunicationException: simple bind failed: svc-ldap-auth.aws.mycompany.com:636 [Root exception is java.net.SocketException: Connection reset]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219) [rt.jar:1.8.0_231]
        ...
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) [rt.jar:1.8.0_231]
        ...
        at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0_231]
        ...
        at javax.security.auth.Subject.doAs(Subject.java:422) [rt.jar:1.8.0_231]
        ......
        at org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.openContext(LDAPLoginModule.java:693) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
        at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_231]
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.8.0_231]
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587) [rt.jar:1.8.0_231]
        ...
        at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.getAuthenticatedSubject(ActiveMQJAASSecurityManager.java:138) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
        at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.authenticate(ActiveMQJAASSecurityManager.java:91) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
        at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.getSubjectForAuthorization(SecurityStoreImpl.java:366) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
        at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:282) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
        at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.securityCheck(ServerSessionImpl.java:499) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
        ...
Caused by: java.net.SocketException: Connection reset
        at java.net.SocketInputStream.read(SocketInputStream.java:210) [rt.jar:1.8.0_231]

      The SocketException is not unsual; however, processing continues in SecurityStoreImpl.check():

               ...
         final Boolean validated;
         if (securityManager instanceof ActiveMQSecurityManager5) {
            Subject subject = getSubjectForAuthorization(session, ((ActiveMQSecurityManager5) securityManager));
            validated = ((ActiveMQSecurityManager5) securityManager).authorize(subject, roles, checkType, fqqn != null ? fqqn.toString() : bareAddress.toString());
         } else if (securityManager instanceof ActiveMQSecurityManager4) {
       ...

       

      1) ActiveMQSecurityManager5.authenticate returns null because of the SocketException
      2) validated remains false because of a null subject
      3) This leads to the ActiveMQMessageBundle.userNoPermissions message :

      if (!validated) {
 ...
 Exception ex;
 if (bareQueue == null) {
 ex = ActiveMQMessageBundle.BUNDLE.userNoPermissions(session.getUsername(), checkType, bareAddress);
 } else {
 ex = ActiveMQMessageBundle.BUNDLE.userNoPermissionsQueue(session.getUsername(), checkType, bareQueue, bareAddress);
 }
 AuditLogger.securityFailure(ex);
 throw ex;
 }

      Here's the log message:

      2021-03-29 14:58:42,231 WARN  [org.apache.activemq.artemis.core.protocol.openwire.amq.AMQSession] AMQ229032: User: user1 does not have permission='SEND' on address RMS.REPLY: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ229032: User: user1 does not have permission='SEND' on address RMS.REPLY]
        at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:309) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
        at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.securityCheck(ServerSessionImpl.java:499) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
        at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.doSend(ServerSessionImpl.java:2137) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]

      The user "user1" was able to successfully send messages to the queue before and after the SocketException. The ActiveMQMessageBundle.userNoPermissions message was misleading and it caused a lot confusion when troubleshooting for the real root cause.

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. ENTMQBR-4872 SecurityStoreImpl.java erroneously logs a ActiveMQMessageBundle.userNoPermissions message

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              rhn-support-jbertram Justin Bertram
              dbruscin Domenico Francesco Bruscino
              Roman Vais Roman Vais
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: