Uploaded image for project: 'AMQ Broker'
  1. AMQ Broker
  2. ENTMQBR-7907

Unattended Jolokia Queries Not Working When Keycloak is Integrated for Access Control

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Undefined Undefined
    • None
    • AMQ 7.11.0.GA
    • console, security
    • None
    • False
    • None
    • False
    • Hide

      1. Set up a broker to use keycloak / Red Hat SSO for authentication, similar to the example at https://github.com/rh-messaging/activemq-artemis/tree/7.11.0.CR2/examples/features/standard/security-keycloak

      2. Enable direct grants for the artemis-console client in keycloak / SSO

      3. Obtain a bearer token from keycloak using curl, like so:

      export TOKEN=$(curl -X POST 'http://localhost:8080/auth/realms/amq/protocol/openid-connect/token' -H "Content-Type: application/x-www-form-urlencoded" -d 'username=testadmin' -d 'password=testadmin' -d 'grant_type=password' -d 'client_id=artemis-console' | jq -r '.access_token')

      (note: tried with and without client_secret)

      4. Now try to use the token in a jolokia query, like so:

      curl -H "Origin:http://localhost:8161" -H "Authorization: Bearer ${TOKEN}" -v http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=\"localhost\",component=addresses,address=\"DLQ\",subcomponent=queues,routing-type=\"anycast\",queue=\"DLQ\"/countMessages\(\)

      The result is a 403 error.

      Show
      1. Set up a broker to use keycloak / Red Hat SSO for authentication, similar to the example at https://github.com/rh-messaging/activemq-artemis/tree/7.11.0.CR2/examples/features/standard/security-keycloak 2. Enable direct grants for the artemis-console client in keycloak / SSO 3. Obtain a bearer token from keycloak using curl, like so: export TOKEN=$(curl -X POST 'http://localhost:8080/auth/realms/amq/protocol/openid-connect/token' -H "Content-Type: application/x-www-form-urlencoded" -d 'username=testadmin' -d 'password=testadmin' -d 'grant_type=password' -d 'client_id=artemis-console' | jq -r '.access_token') (note: tried with and without client_secret) 4. Now try to use the token in a jolokia query, like so: curl -H "Origin:http://localhost:8161" -H "Authorization: Bearer ${TOKEN}" -v http://localhost:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=\"localhost\",component=addresses,address=\"DLQ\",subcomponent=queues,routing-type=\"anycast\",queue=\"DLQ\"/countMessages\(\) The result is a 403 error.

      When AMQ Broker is set up similarly to the example at https://github.com/rh-messaging/activemq-artemis/tree/7.11.0.CR2/examples/features/standard/security-keycloak to use Red Hat SSO for authentication, curl queries using a bearer token obtained from SSO fail with a 403 error, even if direct grants are enabled for the console security realm. This means automated monitoring tools cannot work with the current implementation. This functionality reportedly works with the latest upstream version, so may be related to the hawtio library versions bundled with the current supported versions.

              dbruscin Domenico Francesco Bruscino
              rhn-support-dhawkins Duane Hawkins
              Roman Vais Roman Vais (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: