Apache
/
activemq-artemis
mirror of https://github.com/apache/activemq-artemis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

This closes #4001

This commit is contained in:
Justin Bertram 2022-05-23 12:27:29 -05:00
parent 2cd92a82e7 d8af49d64c
commit 5ca0d72cad
No known key found for this signature in database
GPG Key ID: F41830B875BB8633
1 changed files with 20 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
docs/user-manual/en/security.md
View File

@ -1198,8 +1198,15 @@ manager *may* still may have a couple of advantages depending on your use-case.
All user & role data is stored in the bindings journal (or bindings table if All user & role data is stored in the bindings journal (or bindings table if
using JDBC). The advantage here is that in a live/backup use-case any user using JDBC). The advantage here is that in a live/backup use-case any user
management performed on the live broker will be reflected on the backup upon management performed on the live broker will be reflected on the backup upon
failover. Typically LDAP would be employed for this kind of use-case, but not failover.
everyone wants or is able to administer an independent LDAP server.
Typically LDAP would be employed for this kind of use-case, but not everyone
wants or is able to administer an independent LDAP server. One significant
benefit of LDAP is that user data can be shared between multiple live brokers.
However, this is not possible with the `ActiveMQBasicSecurityManager` or, in fact,
any other configuration potentially available out of the box. Nevertheless,
if you just want to share user data between a single live/backup pair then the
basic security manager may be a good fit for you.
User management is provided by the broker's management API. This includes the User management is provided by the broker's management API. This includes the
ability to add, list, update, and remove users & roles. As with all management ability to add, list, update, and remove users & roles. As with all management
@ -1218,6 +1225,8 @@ the basic security manager.
The configuration for the `ActiveMQBasicSecurityManager` happens in The configuration for the `ActiveMQBasicSecurityManager` happens in
`bootstrap.xml` just like it does for all security manager implementations. `bootstrap.xml` just like it does for all security manager implementations.
Start by removing `<jaas-security />` section and add `<security-manager />`
configuration as described below.
The `ActiveMQBasicSecurityManager` requires some special configuration for the The `ActiveMQBasicSecurityManager` requires some special configuration for the
following reasons: following reasons:
@ -1231,10 +1240,10 @@ If, for example, the broker was configured to use the
`ActiveMQBasicSecurityManager` and was started from scratch then no clients `ActiveMQBasicSecurityManager` and was started from scratch then no clients
would be able to connect because there would be no users & roles configured. would be able to connect because there would be no users & roles configured.
However, in order to configure users & roles one would need to use the However, in order to configure users & roles one would need to use the
management API which would require the proper credentials. It's a catch-22. management API which would require the proper credentials. It's a [catch-22](https://en.wikipedia.org/wiki/Catch-22_(logic))
Therefore, it is possible to configure "bootstrap" credentials that will be problem. Therefore, it is essential to configure "bootstrap" credentials that
automatically created when the broker starts. There are properties to define will be automatically created when the broker starts. There are properties
either: to define either:
- a single user whose credentials can then be used to add other users - a single user whose credentials can then be used to add other users
- properties files from which to load users & roles in bulk - properties files from which to load users & roles in bulk
@ -1308,8 +1317,11 @@ For example:
> **Note:** > **Note:**
> >
> Any `bootstrap` credentials will be set **whenever** you start the broker no > Any `bootstrap` credentials will be reset **whenever** you start the broker
> matter what changes may have been made to them at runtime previously. > no matter what changes may have been made to them at runtime previously, so
> depending on your use-case you should decide if you want to leave `bootstrap`
> configuration permanent or if you want to remove it after initial
> configuration.
## Mapping external roles ## Mapping external roles
Roles from external authentication providers (i.e. LDAP) can be mapped to internally used roles. The is done through role-mapping entries in the security-settings block: Roles from external authentication providers (i.e. LDAP) can be mapped to internally used roles. The is done through role-mapping entries in the security-settings block: