AMQ Broker: ENTMQBR-7907

Unattended Jolokia Queries Not Working When Keycloak is Integrated for Access Control


Details

    • Bug
    • Resolution: Done
    • AMQ 7.11.0.GA
    • console, security

      1. Set up a broker to use keycloak / Red Hat SSO for authentication, similar to the example at https://github.com/rh-messaging/activemq-artemis/tree/7.11.0.CR2/examples/features/standard/security-keycloak

      2. Enable direct grants for the artemis-console client in keycloak / SSO

      3. Obtain a bearer token from keycloak using curl, like so:

      export TOKEN=$(curl -X POST 'http://localhost:8080/auth/realms/amq/protocol/openid-connect/token' -H "Content-Type: application/x-www-form-urlencoded" -d 'username=testadmin' -d 'password=testadmin' -d 'grant_type=password' -d 'client_id=artemis-console' | jq -r '.access_token')
      

      (note: tried with and without client_secret)

      4. Now try to use the token in a jolokia query, like so:

      curl -H "Origin:http://localhost:8161" -H "Authorization: Bearer ${TOKEN}" -v http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=\"localhost\",component=addresses,address=\"DLQ\",subcomponent=queues,routing-type=\"anycast\",queue=\"DLQ\"/countMessages\(\)
      

      The result is a 403 error.


    Description

      When AMQ Broker is set up similarly to the example at https://github.com/rh-messaging/activemq-artemis/tree/7.11.0.CR2/examples/features/standard/security-keycloak to use Red Hat SSO for authentication, curl queries using a bearer token obtained from SSO fail with a 403 error, even if direct grants are enabled for the console security realm. This means automated monitoring tools cannot work with the current implementation. This functionality reportedly works with the latest upstream version, so it may be related to the hawtio library versions bundled with the current supported versions.
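      As an added example, not part of this issue or of the AMQ Broker code base, the following Python probe performs the same two requests as steps 3 and 4 (direct-grant token from Keycloak, then the Jolokia exec query with Origin and Bearer headers) and turns the outcome into a monitoring verdict, so an unattended check can tell the 403 described here apart from an expired or rejected token. The endpoints, the artemis-console client id and the DLQ MBean name are taken from the reproduction steps; SAMPLE_CLAIMS and sample_token() are constructed for offline use and are not issued by Keycloak.

```python
import base64, json, time
import urllib.error, urllib.parse, urllib.request

TOKEN_URL = "http://localhost:8080/auth/realms/amq/protocol/openid-connect/token"  # step 3 endpoint
CONSOLE = "http://localhost:8161"  # console base URL and Origin header value from step 4
SAMPLE_CLAIMS = {"azp": "artemis-console", "exp": 4102444800,  # constructed claims for offline use
                 "realm_access": {"roles": ["amq"]}, "resource_access": {"artemis-console": {"roles": ["view"]}}}

def jwt_claims(token):
    """Decode the JWT payload only; no signature check here (the broker validates the token)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def token_roles(claims):
    """Realm roles plus per-client roles, where Keycloak places them; the evidence to show on a 403."""
    per_client = [c.get("roles", []) for c in claims.get("resource_access", {}).values()]
    return set(claims.get("realm_access", {}).get("roles", [])).union(*per_client)

def jolokia_exec_url(queue, routing_type="anycast", broker="localhost", op="countMessages()"):
    """GET-style Jolokia exec URL for a queue MBean, quoted exactly as in the report."""
    mbean = (f'org.apache.activemq.artemis:broker="{broker}",component=addresses,address="{queue}",'
             f'subcomponent=queues,routing-type="{routing_type}",queue="{queue}"')
    return f"{CONSOLE}/console/jolokia/exec/{mbean}/{op}"

def verdict(status, claims):
    """Map the HTTP status to a monitoring verdict; 401 and 403 are different failures."""
    if status == 403:  # the failure this issue reports: authenticated, yet denied
        return f"forbidden; roles={sorted(token_roles(claims))} expired={claims.get('exp', 0) < time.time()}"
    return {200: "ok", 401: "token rejected (not authenticated)"}.get(status, f"unexpected HTTP {status}")

def get_token(username, password, client_id="artemis-console"):
    """Direct-grant (password) flow, the same request step 3 makes with curl."""
    body = urllib.parse.urlencode({"grant_type": "password", "client_id": client_id,
                                   "username": username, "password": password}).encode()
    with urllib.request.urlopen(urllib.request.Request(TOKEN_URL, data=body)) as r:
        return json.load(r)["access_token"]

def probe(token, queue="DLQ"):
    """Run the step-4 Jolokia query; returns (status, verdict, parsed body or None)."""
    headers = {"Origin": CONSOLE, "Authorization": f"Bearer {token}"}
    try:
        with urllib.request.urlopen(urllib.request.Request(jolokia_exec_url(queue), headers=headers)) as r:
            status, body = r.status, json.load(r)
    except urllib.error.HTTPError as e:
        status, body = e.code, None
    return status, verdict(status, jwt_claims(token)), body

def sample_token(claims):
    """Unsigned JWT-shaped string for offline tests (constructed, not issued by Keycloak)."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(b'{"typ":"JWT"}'), enc(json.dumps(claims).encode()), ""])
```

      Against a running broker, probe(get_token("testadmin", "testadmin")) returns the verdict together with the roles the token actually carries, which is the first thing to compare with the console's role mapping when a 403 comes back.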

      People

        dbruscin Domenico Francesco Bruscino
        rhn-support-dhawkins Duane Hawkins
        Roman Vais Roman Vais
        Votes: 0
        Watchers: 6