AMQ Broker / ENTMQBR-8520

Incorrect username logging in AMQ601264 events & missing address creation event AMQ601262


    • Type: Bug
    • Resolution: Done
    • Priority: Minor
    • AMQ 7.11.2.GA
    • AMQ 7.10.3.GA, AMQ 7.10.4.GA

      ==== 7.10.3/4 observations ====

      SCRAM bug is present: the group name is used instead of the username

      audit.log:
      ...
      AMQ601715: User amq(amq)@192.168.32.2:39516 successfully authenticated
      ...
      
      
      artemis-roles.properties:
      amq = admin
      senders = alice,charlie
      ...
      

       

      As a side note: an audit log entry for the creation of an address over the AMQP protocol also seems to be missing; it is present on the 7.11.x branch.

      expected lines (taken from 7.11.2) 
      2023-10-18 09:00:36,631 [AUDIT](Thread-2 (activemq-netty-threads)) AMQ601262: User admin(amq)@172.31.0.2:43424 is creating address on target resource: cd822598-6d94-11ee-8125-0242ac1f0002 with parameters: [Address [name=myAddress, id=0, routingTypes={ANYCAST}, autoCreated=false, paused=false, bindingRemovedTimestamp=-1, swept=false, createdTimestamp=1697619636631], true]
      2023-10-18 09:00:36,643 [AUDIT](Thread-2 (activemq-netty-threads)) AMQ601019: User anonymous@172.31.0.2:43424 is getting mbean info on target resource: org.apache.activemq.artemis.core.management.impl.AddressControlImpl@4598d01f
      2023-10-18 09:00:36,745 [AUDIT](Thread-2 (activemq-netty-threads)) AMQ601065: User admin(amq)@172.31.0.2:43424 is creating a queue on target resource: ServerSessionImpl() with parameters: [Qu...]]
      
      
      
      current with 7.10.3/4
      2023-10-18 06:58:24,290 [AUDIT](main) AMQ241004: Artemis Console available at http://0.0.0.0:8161/console
      2023-10-18 06:58:24,624 [AUDIT](RMI TCP Connection(4)-172.29.0.1) AMQ601019: User anonymous@172.29.0.1 is getting mbean info on target resource: org.apache.activemq.artemis.core.management.impl.ActiveMQServerControlImpl@7da10b5b []
      2023-10-18 06:58:24,628 [AUDIT](RMI TCP Connection(4)-172.29.0.1) AMQ601023: User anonymous@172.29.0.1 is querying isStarted on target resource: ActiveMQServerImpl::name=artemis-otelia []
      2023-10-18 06:58:24,706 [AUDIT](RMI TCP Connection(4)-172.29.0.1) AMQ601019: User anonymous@172.29.0.1 is getting mbean info on target resource: org.apache.activemq.artemis.core.management.impl.ActiveMQServerControlImpl@7da10b5b []
      2023-10-18 06:58:24,708 [AUDIT](RMI TCP Connection(4)-172.29.0.1) AMQ601026: User anonymous@172.29.0.1 is getting version on target resource: ActiveMQServerImpl::name=artemis-otelia []
      2023-10-18 06:58:30,979 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601715: User admin(amq)@172.29.0.2:54234 successfully authenticated
      2023-10-18 06:58:31,002 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601715: User admin(amq)@172.29.0.2:54234 successfully authenticated
      2023-10-18 06:58:31,034 [AUDIT](AmqpProvider :(1):[amqp://artemis-otelia:5672]) Open of resource:(JmsConnectionInfo { ID:1b241045-d611-4b8d-908e-055d055f35a1:1, configuredURI = amqp://artemis-otelia:5672, connectedURI = null }) failed: Open failed unexpectedly.
      2023-10-18 06:58:31,064 [AUDIT](Thread-2 (activemq-netty-threads)) AMQ601715: User admin(amq)@172.29.0.2:54246 successfully authenticated
      2023-10-18 06:58:31,073 [AUDIT](Thread-2 (activemq-netty-threads)) AMQ601715: User admin(amq)@172.29.0.2:54246 successfully authenticated
      2023-10-18 06:58:31,097 [AUDIT](Thread-2 (activemq-netty-threads)) AMQ601267: User admin(amq)@172.29.0.2:54246 is creating a core session on target resource ActiveMQServerImpl::name=artemis-otelia [with parameters: [bf326bde-6d83-11ee-ac8f-0242ac1d0002, admin, ****, 102400, org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection@3d66fe0e, false, false, false, true, null, org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback@1447610c, true, {}]]
      2023-10-18 06:58:31,118 [AUDIT](AmqpProvider :(2):[amqp://artemis-otelia:5672]) Connection ID:136b9cc8-d9e0-49e4-bc36-951972aa13aa:2 connected to server: amqp://artemis-otelia:5672
      2023-10-18 06:58:31,138 [AUDIT](Thread-2 (activemq-netty-threads)) AMQ601267: User admin(amq)@172.29.0.2:54246 is creating a core session on target resource ActiveMQServerImpl::name=artemis-otelia [with parameters: [bf38d47f-6d83-11ee-ac8f-0242ac1d0002, admin, ****, 102400, org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection@3d66fe0e, false, false, false, true, null, org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback@2e50996c, true, {}]]
      
      >>>> missing address creation log here AMQ601262
      2023-10-18 06:58:31,303 [AUDIT](Thread-2 (activemq-netty-threads)) AMQ601065: User admin(amq)@172.29.0.2:54246 is creating a queue on target resource: ServerSessionImpl() [with parameters: [QueueConfiguration ...]]]
      2023-10-18 06:58:31,309 [AUDIT](Thread-2 (activemq-netty-threads)) AMQ601019: User anonymous@172.29.0.2:54246 is getting mbean info on target resource: org.apache.activemq.artemis.core.management.impl.AddressControlImpl@e906144 []

      This has been confirmed to be fixed in the 7.11.x branch by gtully@redhat.com

       

      ==== Information from cloned Jira ====
      We have ActiveMQ Artemis with audit logging turned on, and sometimes the wrong username is logged when a user gets an authorization error (audit log event AMQ601264). I have reproduced this issue when the client uses STOMP to connect to the broker. In that case the client username is always logged as anonymous, and the source IP address seems to be correct.

      We have a lot of other audit log messages where different usernames are logged in a single log event, but I cannot attach these logs because they contain sensitive information. I think this problem is not specific to STOMP clients because most of our clients use core and openwire. I will try to reproduce it later.

      The problem is not specific to the current version of Artemis.

      Steps to reproduce (for STOMP client):

      1. Create Artemis instance

      artemis create --user admin --password admin --require-login 

      Edit artemis-roles.properties and artemis-users.properties to create some other user with a password and a non-admin role. For example, add the string alice = alice to both files.

      Edit log4j2.properties to enable base audit logging:

      logger.audit_base = INFO, audit_log_file

      To connect to the broker with STOMP I have used Python with the stompest library (it has to be installed using pip install stompest).

      Example STOMP producer Python code (it does not handle authorization errors):

       

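      from stompest.config import StompConfig
      from stompest.protocol import StompSpec
      from stompest.sync import Stomp

      # Connect as the non-admin user "alice" created in the previous step (STOMP 1.0).
      CONFIG = StompConfig("tcp://localhost:61613", login="alice", passcode="alice", version=StompSpec.VERSION_1_0)
      QUEUE = 'test.queue'

      client = Stomp(CONFIG)
      client.connect()
      # Sending makes the broker try to auto-create the address, which alice is not permitted to do.
      client.send(QUEUE, 'Test message'.encode())
      client.disconnect()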
      

      Run this example code. Check broker audit.log. For example:

       

      2023-08-28 17:39:20,042 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601267: User alice(alice)@127.0.0.1:56685 is creating a core session on target resource ActiveMQServerImpl::name=0.0.0.0 with parameters: [ac22db0e-45b0-11ee-b333-005056abe8b9, alice, ****, 102400, org.apache.activemq.artemis.core.protocol.stomp.StompConnection@3313e538, true, false, false, false, null, org.apache.activemq.artemis.core.protocol.stomp.StompSession@2fc820ee, true, {}]
      2023-08-28 17:39:20,081 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601262: User alice(alice)@127.0.0.1:56685 is creating address on target resource: ac22db0e-45b0-11ee-b333-005056abe8b9 with parameters: [Address [name=test.queue, id=0, routingTypes={MULTICAST}, autoCreated=false, paused=false, bindingRemovedTimestamp=-1, swept=false, createdTimestamp=1693233560081], true]
      2023-08-28 17:39:20,116 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601264: User anonymous@127.0.0.1:56685 gets security check failure, reason = AMQ229032: User: alice does not have permission='CREATE_ADDRESS' on address test.queue
      org.apache.activemq.artemis.api.core.ActiveMQSecurityException: AMQ229032: User: alice does not have permission='CREATE_ADDRESS' on address test.queue
          at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:305) [artemis-server-2.30.0.jar:2.30.0]
          at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:227) [artemis-server-2.30.0.jar:2.30.0]
          at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.securityCheck(ServerSessionImpl.java:503) [artemis-server-2.30.0.jar:2.30.0]
          at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.createAddress(ServerSessionImpl.java:972) [artemis-server-2.30.0.jar:2.30.0]
          at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.createAddress(ServerSessionImpl.java:962) [artemis-server-2.30.0.jar:2.30.0]
          at org.apache.activemq.artemis.core.protocol.stomp.StompConnection.autoCreateDestinationIfPossible(StompConnection.java:184) [artemis-stomp-protocol-2.30.0.jar:2.30.0]
          at org.apache.activemq.artemis.core.protocol.stomp.VersionedStompFrameHandler.onSend(VersionedStompFrameHandler.java:188) [artemis-stomp-protocol-2.30.0.jar:2.30.0]
          at org.apache.activemq.artemis.core.protocol.stomp.VersionedStompFrameHandler.handleFrame(VersionedStompFrameHandler.java:87) [artemis-stomp-protocol-2.30.0.jar:2.30.0]
          at org.apache.activemq.artemis.core.protocol.stomp.StompConnection.handleFrame(StompConnection.java:424) [artemis-stomp-protocol-2.30.0.jar:2.30.0]
          at org.apache.activemq.artemis.core.protocol.stomp.StompProtocolManager.handleBuffer(StompProtocolManager.java:162) [artemis-stomp-protocol-2.30.0.jar:2.30.0]
          at org.apache.activemq.artemis.core.protocol.stomp.StompConnection.bufferReceived(StompConnection.java:307) [artemis-stomp-protocol-2.30.0.jar:2.30.0]
          at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:698) [artemis-server-2.30.0.jar:2.30.0]
          at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73) [artemis-core-client-2.30.0.jar:2.30.0]
          at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442) [netty-transport-4.1.94.Final.jar:4.1.94.Final]
          at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.94.Final.jar:4.1.94.Final]
          at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) [netty-transport-4.1.94.Final.jar:4.1.94.Final]
          at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) [netty-transport-4.1.94.Final.jar:4.1.94.Final]
          at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) [netty-transport-4.1.94.Final.jar:4.1.94.Final]
          at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.94.Final.jar:4.1.94.Final]
          at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) [netty-transport-4.1.94.Final.jar:4.1.94.Final]
          at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) [netty-transport-4.1.94.Final.jar:4.1.94.Final]
          at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788) [netty-transport-4.1.94.Final.jar:4.1.94.Final]
          at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724) [netty-transport-4.1.94.Final.jar:4.1.94.Final]
          at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650) [netty-transport-4.1.94.Final.jar:4.1.94.Final]
          at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) [netty-transport-4.1.94.Final.jar:4.1.94.Final]
          at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) [netty-common-4.1.94.Final.jar:4.1.94.Final]
          at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.94.Final.jar:4.1.94.Final]
          at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118) [artemis-commons-2.30.0.jar:?]

       

       

            Unassigned Unassigned
            mtoth@redhat.com Michal Toth
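
Anyone consuming audit.log from an affected broker can detect the AMQ601264 mismatch described above mechanically. The following is an added example, not part of the original issue or of the broker's code: it flags AMQ601264 events whose logged user differs from the user named in the embedded AMQ229032 reason, and looks up the user last seen on the same remote address. The function name is hypothetical and the sample lines are constructed (abridged from the excerpts above, plus one invented consistent event for bob).

```python
import re

# Constructed sample, abridged from the audit.log excerpts quoted in this issue;
# the third line (bob) is invented to show an event that is logged consistently.
SAMPLE_LOG = """\
2023-08-28 17:39:20,042 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601267: User alice(alice)@127.0.0.1:56685 is creating a core session on target resource ActiveMQServerImpl::name=0.0.0.0
2023-08-28 17:39:20,116 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601264: User anonymous@127.0.0.1:56685 gets security check failure, reason = AMQ229032: User: alice does not have permission='CREATE_ADDRESS' on address test.queue
2023-08-28 17:39:21,300 [AUDIT](Thread-2 (activemq-netty-threads)) AMQ601264: User bob(users)@127.0.0.1:56700 gets security check failure, reason = AMQ229032: User: bob does not have permission='SEND' on address other.queue
"""

# "<code>: User <name>[(<role>)]@<ip>[:<port>]" prefix of an audit event.
EVENT = re.compile(r"(AMQ\d{6}): User ([^@(\s]+)(?:\(([^)]*)\))?@(\S+)")
# Subject named by the security exception embedded in an AMQ601264 event.
DENIAL = re.compile(
    r"AMQ229032: User: (\S+) does not have permission='([^']+)' on address (\S+)")


def find_misattributed_denials(lines):
    """Return AMQ601264 events whose logged user differs from the denied subject."""
    session_user = {}  # remote ip[:port] -> last non-anonymous user seen there
    findings = []
    for line in lines:
        event = EVENT.search(line)
        if not event:
            continue  # stack-trace lines and events without a user prefix
        code, user, _role, remote = event.groups()
        if code != "AMQ601264":
            if user != "anonymous":
                session_user[remote] = user
            continue
        denial = DENIAL.search(line)
        if denial and denial.group(1) != user:
            findings.append({
                "remote": remote,
                "logged_user": user,
                "denied_subject": denial.group(1),
                "session_user": session_user.get(remote),
                "permission": denial.group(2),
                "address": denial.group(3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_misattributed_denials(SAMPLE_LOG.splitlines()):
        print(finding)
```
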