Apache
/
activemq-artemis
mirror of https://github.com/apache/activemq-artemis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

This closes #3741

This commit is contained in:
Justin Bertram 2021-09-16 17:19:02 -05:00
parent 8f915dd627 0545664b3d
commit a95c615317
19 changed files with 131 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@ -9,7 +9,7 @@ our [Hacking Guide](./docs/hacking-guide/en/SUMMARY.md).
## Build Status
Build Status: [![Build Status](https://travis-ci.org/apache/activemq-artemis.svg?branch=master)](https://travis-ci.org/apache/activemq-artemis)
Build Status: [![Build Status](https://travis-ci.org/apache/activemq-artemis.svg?branch=main)](https://travis-ci.org/apache/activemq-artemis)
## Building the ASYNC IO library
@ -23,7 +23,7 @@ To build the ActiveMQ Artemis ASYNCIO native libraries, please follow the instru
Our documentation is always in sync with our releases at the [Apache ActiveMQ Artemis](https://activemq.apache.org/artemis/docs.html) website.
Or you can also look at the current master version on [github](https://github.com/apache/activemq-artemis/blob/master/docs/user-manual/en/SUMMARY.md).
Or you can also look at the current main version on [github](https://github.com/apache/activemq-artemis/blob/main/docs/user-manual/en/SUMMARY.md).
## Examples

23
artemis-cli/src/main/java/org/apache/activemq/artemis/cli/factory/jmx/ManagementFactory.java
View File

@ -19,14 +19,17 @@ package org.apache.activemq.artemis.cli.factory.jmx;
import org.apache.activemq.artemis.cli.ConfigurationException;
import org.apache.activemq.artemis.core.config.JMXConnectorConfiguration;
import org.apache.activemq.artemis.core.server.ActiveMQServerLogger;
import org.apache.activemq.artemis.core.server.management.ManagementContext;
import org.apache.activemq.artemis.dto.AccessDTO;
import org.apache.activemq.artemis.dto.AllowListDTO;
import org.apache.activemq.artemis.dto.AuthorisationDTO;
import org.apache.activemq.artemis.dto.EntryDTO;
import org.apache.activemq.artemis.dto.JMXConnectorDTO;
import org.apache.activemq.artemis.dto.ManagementContextDTO;
import org.apache.activemq.artemis.dto.MatchDTO;
import org.apache.activemq.artemis.core.server.management.JMXAccessControlList;
import org.apache.activemq.artemis.dto.WhiteListDTO;
import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager;
import org.apache.activemq.artemis.utils.FactoryFinder;
@ -67,9 +70,23 @@ public class ManagementFactory {
if (config.getAuthorisation() != null) {
AuthorisationDTO authorisation = config.getAuthorisation();
JMXAccessControlList accessControlList = new JMXAccessControlList();
List<EntryDTO> entries = authorisation.getWhiteList().getEntries();
for (EntryDTO entry : entries) {
accessControlList.addToWhiteList(entry.domain, entry.key);
//deprecated but here for backward compatibility
WhiteListDTO whiteList = authorisation.getWhiteList();
if (whiteList != null) {
ActiveMQServerLogger.LOGGER.useAllowList();
for (EntryDTO entry : whiteList.getEntries()) {
accessControlList.addToAllowList(entry.domain, entry.key);
}
}
AllowListDTO allowList = authorisation.getAllowList();
if (allowList != null) {
if (whiteList != null) {
ActiveMQServerLogger.LOGGER.useOnlyAllowList();
}
for (EntryDTO entry : allowList.getEntries()) {
accessControlList.addToAllowList(entry.domain, entry.key);
}
}
List<AccessDTO> accessList = authorisation.getDefaultAccess().getAccess();

4
artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/management.xml
View File

@ -18,9 +18,9 @@
<management-context xmlns="http://activemq.org/schema">
<!--<connector connector-port="1099"/>-->
<authorisation>
<whitelist>
<allowlist>
<entry domain="hawtio"/>
</whitelist>
</allowlist>
<default-access>
<access method="list*" roles="${role}"/>
<access method="get*" roles="${role}"/>

36
artemis-dto/src/main/java/org/apache/activemq/artemis/dto/AllowListDTO.java Normal file
View File

@ -0,0 +1,36 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* <p>
* http://www.apache.org/licenses/LICENSE-2.0
* <p>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.activemq.artemis.dto;
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlElementRef;
import javax.xml.bind.annotation.XmlRootElement;
import java.util.List;
@XmlRootElement(name = "allowlist")
@XmlAccessorType(XmlAccessType.FIELD)
public class AllowListDTO {
@XmlElementRef
List<EntryDTO> entry;
public List<EntryDTO> getEntries() {
return entry;
}
}

11
artemis-dto/src/main/java/org/apache/activemq/artemis/dto/AuthorisationDTO.java
View File

@ -26,19 +26,28 @@ import javax.xml.bind.annotation.XmlRootElement;
@XmlAccessorType(XmlAccessType.FIELD)
public class AuthorisationDTO {
@XmlElementRef
@XmlElementRef( required = false)
@Deprecated
WhiteListDTO whitelist;
@XmlElementRef( required = false )
AllowListDTO allowList;
@XmlElementRef
DefaultAccessDTO defaultAccess;
@XmlElementRef
RoleAccessDTO roleAccess;
@Deprecated
public WhiteListDTO getWhiteList() {
return whitelist;
}
public AllowListDTO getAllowList() {
return allowList;
}
public DefaultAccessDTO getDefaultAccess() {
return defaultAccess;
}

1
artemis-dto/src/main/java/org/apache/activemq/artemis/dto/WhiteListDTO.java
View File

@ -25,6 +25,7 @@ import java.util.List;
@XmlRootElement(name = "whitelist")
@XmlAccessorType(XmlAccessType.FIELD)
@Deprecated
public class WhiteListDTO {
@XmlElementRef

8
artemis-server/src/main/java/org/apache/activemq/artemis/core/server/ActiveMQServerLogger.java
View File

@ -2178,4 +2178,12 @@ public interface ActiveMQServerLogger extends BasicLogger {
@LogMessage(level = Logger.Level.WARN)
@Message(id = 224109, value = "BrokerBalancer {0} not found", format = Message.Format.MESSAGE_FORMAT)
void brokerBalancerNotFound(String name);
@LogMessage(level = Logger.Level.WARN)
@Message(id = 224110, value = "Configuration 'whitelist' is deprecated, please use the 'allowlist' configuration", format = Message.Format.MESSAGE_FORMAT)
void useAllowList();
@LogMessage(level = Logger.Level.WARN)
@Message(id = 224111, value = "Both 'whitelist' and 'allowlist' detected. Configuration 'whitelist' is deprecated, please use only the 'allowlist' configuration", format = Message.Format.MESSAGE_FORMAT)
void useOnlyAllowList();
}

2
artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/ArtemisMBeanServerGuard.java
View File

@ -117,7 +117,7 @@ public class ArtemisMBeanServerGuard implements InvocationHandler {
}
private boolean canBypassRBAC(ObjectName objectName) {
return jmxAccessControlList.isInWhiteList(objectName);
return jmxAccessControlList.isInAllowList(objectName);
}
public boolean canInvoke(String object, String operationName) {

14
artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlList.java
View File

@ -33,7 +33,7 @@ public class JMXAccessControlList {
private Access defaultAccess = new Access(WILDCARD);
private ConcurrentHashMap<String, TreeMap<String, Access>> domainAccess = new ConcurrentHashMap<>();
private ConcurrentHashMap<String, TreeMap<String, Access>> whitelist = new ConcurrentHashMap<>();
private ConcurrentHashMap<String, TreeMap<String, Access>> allowList = new ConcurrentHashMap<>();
private Comparator<String> keyComparator = (key1, key2) -> {
boolean key1ContainsWildCard = key1.contains(WILDCARD);
boolean key2ContainsWildcard = key2.contains(WILDCARD);
@ -48,11 +48,11 @@ public class JMXAccessControlList {
return key2.length() - key1.length();
};
public void addToWhiteList(String domain, String key) {
public void addToAllowList(String domain, String key) {
TreeMap<String, Access> domainMap = new TreeMap<>(keyComparator);
domainMap = whitelist.putIfAbsent(domain, domainMap);
domainMap = allowList.putIfAbsent(domain, domainMap);
if (domainMap == null) {
domainMap = whitelist.get(domain);
domainMap = allowList.get(domain);
}
Access access = new Access(domain, normalizeKey(key));
domainMap.putIfAbsent(access.getKey(), access);
@ -81,8 +81,8 @@ public class JMXAccessControlList {
return defaultAccess.getMatchingRolesForMethod(methodName);
}
public boolean isInWhiteList(ObjectName objectName) {
TreeMap<String, Access> domainMap = whitelist.get(objectName.getDomain());
public boolean isInAllowList(ObjectName objectName) {
TreeMap<String, Access> domainMap = allowList.get(objectName.getDomain());
if (domainMap != null) {
if (domainMap.containsKey("")) {
return true;
@ -223,7 +223,7 @@ public class JMXAccessControlList {
public static JMXAccessControlList createDefaultList() {
JMXAccessControlList accessControlList = new JMXAccessControlList();
accessControlList.addToWhiteList("hawtio", "type=*");
accessControlList.addToAllowList("hawtio", "type=*");
accessControlList.addToRoleAccess("org.apache.activemq.artemis", null, "list*", "view", "update", "amq");
accessControlList.addToRoleAccess("org.apache.activemq.artemis", null, "get*", "view", "update", "amq");

36
artemis-server/src/test/java/org/apache/activemq/artemis/core/server/management/JMXAccessControlListTest.java
View File

@ -29,35 +29,35 @@ public class JMXAccessControlListTest {
@Test
public void testBasicDomain() throws MalformedObjectNameException {
JMXAccessControlList controlList = new JMXAccessControlList();
controlList.addToWhiteList("org.myDomain", null);
controlList.addToWhiteList("org.myDomain.foo", null);
Assert.assertTrue(controlList.isInWhiteList(new ObjectName("org.myDomain:*")));
Assert.assertTrue(controlList.isInWhiteList(new ObjectName("org.myDomain.foo:*")));
Assert.assertFalse(controlList.isInWhiteList(new ObjectName("org.myDomain.bar:*")));
controlList.addToAllowList("org.myDomain", null);
controlList.addToAllowList("org.myDomain.foo", null);
Assert.assertTrue(controlList.isInAllowList(new ObjectName("org.myDomain:*")));
Assert.assertTrue(controlList.isInAllowList(new ObjectName("org.myDomain.foo:*")));
Assert.assertFalse(controlList.isInAllowList(new ObjectName("org.myDomain.bar:*")));
}
@Test
public void testBasicDomainWithProperty() throws MalformedObjectNameException {
JMXAccessControlList controlList = new JMXAccessControlList();
controlList.addToWhiteList("org.myDomain", "type=foo");
controlList.addToWhiteList("org.myDomain.foo", "type=bar");
Assert.assertFalse(controlList.isInWhiteList(new ObjectName("org.myDomain:*")));
Assert.assertFalse(controlList.isInWhiteList(new ObjectName("org.myDomain.foo:*")));
Assert.assertFalse(controlList.isInWhiteList(new ObjectName("org.myDomain.bar:*")));
Assert.assertFalse(controlList.isInWhiteList(new ObjectName("org.myDomain:subType=foo")));
controlList.addToAllowList("org.myDomain", "type=foo");
controlList.addToAllowList("org.myDomain.foo", "type=bar");
Assert.assertFalse(controlList.isInAllowList(new ObjectName("org.myDomain:*")));
Assert.assertFalse(controlList.isInAllowList(new ObjectName("org.myDomain.foo:*")));
Assert.assertFalse(controlList.isInAllowList(new ObjectName("org.myDomain.bar:*")));
Assert.assertFalse(controlList.isInAllowList(new ObjectName("org.myDomain:subType=foo")));
Assert.assertTrue(controlList.isInWhiteList(new ObjectName("org.myDomain:type=foo")));
Assert.assertTrue(controlList.isInWhiteList(new ObjectName("org.myDomain:subType=bar,type=foo")));
Assert.assertTrue(controlList.isInAllowList(new ObjectName("org.myDomain:type=foo")));
Assert.assertTrue(controlList.isInAllowList(new ObjectName("org.myDomain:subType=bar,type=foo")));
}
@Test
public void testBasicDomainWithWildCardProperty() throws MalformedObjectNameException {
JMXAccessControlList controlList = new JMXAccessControlList();
controlList.addToWhiteList("org.myDomain", "type=*");
Assert.assertFalse(controlList.isInWhiteList(new ObjectName("org.myDomain:*")));
Assert.assertFalse(controlList.isInWhiteList(new ObjectName("org.myDomain.foo:*")));
Assert.assertFalse(controlList.isInWhiteList(new ObjectName("org.myDomain.bar:*")));
Assert.assertTrue(controlList.isInWhiteList(new ObjectName("org.myDomain:type=foo")));
controlList.addToAllowList("org.myDomain", "type=*");
Assert.assertFalse(controlList.isInAllowList(new ObjectName("org.myDomain:*")));
Assert.assertFalse(controlList.isInAllowList(new ObjectName("org.myDomain.foo:*")));
Assert.assertFalse(controlList.isInAllowList(new ObjectName("org.myDomain.bar:*")));
Assert.assertTrue(controlList.isInAllowList(new ObjectName("org.myDomain:type=foo")));
}
@Test

16
docs/user-manual/en/management.md
View File

@ -305,28 +305,32 @@ the broker's JAAS plugin support. This is configured via the `authorisation`
element in the `management.xml` configuration file and can be used to restrict
access to attributes and methods on MBeans.
There are 3 elements within the `authorisation` element, `whitelist`,
There are 3 elements within the `authorisation` element, `allowlist`,
`default-access` and `role-access`. Lets discuss each in turn.
Whitelist contains a list of MBeans that will bypass the authorisation, this
Allowlist contains a list of MBeans that will bypass the authorisation, this
is typically used for any MBeans that are needed by the console to run etc. The
default configuration is:
```xml
<whitelist>
<allowlist>
<entry domain="hawtio"/>
</whitelist>
</allowlist>
```
This means that any MBean with the domain `hawtio` will be allowed access
without authorisation. for instance `hawtio:plugin=artemis`. You can also use
wildcards for the MBean properties so the following would also match.
```xml
<whitelist>
<allowlist>
<entry domain="hawtio" key="type=*"/>
</whitelist>
</allowlist>
```
> **Note:**
>
> The allowlist element has replaced the whitelist element which is now deprecated
The `role-access`defines how roles are mapped to particular MBeans and its
attributes and methods, the default configuration looks like:

4
examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/management.xml
View File

@ -25,9 +25,9 @@
trust-store-path="${data.dir}/../etc/client-ca-truststore.jks"
trust-store-password="ENC(1f0e6cd7ced61232730f9e82cc91c1e1)"/>
<authorisation>
<whitelist>
<allowlist>
<entry domain="hawtio"/>
</whitelist>
</allowlist>
<default-access>
<access method="list*" roles="view,update,amq,guest"/>
<access method="get*" roles="view,update,amq,guest"/>

4
examples/features/standard/jmx/src/main/resources/activemq/server0/management.xml
View File

@ -18,9 +18,9 @@
<management-context xmlns="http://activemq.org/schema">
<connector connector-port="1099" connector-host="localhost"/>
<authorisation>
<whitelist>
<allowlist>
<entry domain="hawtio"/>
</whitelist>
</allowlist>
<default-access>
<access method="list*" roles="view,update,amq,guest"/>
<access method="get*" roles="view,update,amq,guest"/>

4
examples/features/standard/message-counters/src/main/resources/activemq/server0/management.xml
View File

@ -18,9 +18,9 @@
<management-context xmlns="http://activemq.org/schema">
<connector connector-port="1099" connector-host="127.0.0.1"/>
<authorisation>
<whitelist>
<allowlist>
<entry domain="hawtio"/>
</whitelist>
</allowlist>
<default-access>
<access method="list*" roles="view,update,amq,guest"/>
<access method="get*" roles="view,update,amq,guest"/>

4
tests/smoke-tests/src/main/resources/servers/audit-logging/management.xml
View File

@ -18,9 +18,9 @@
<management-context xmlns="http://activemq.org/schema">
<connector connector-port="10099" connector-host="localhost"/>
<authorisation>
<whitelist>
<allowlist>
<entry domain="hawtio"/>
</whitelist>
</allowlist>
<default-access>
<access method="list*" roles="guest"/>
<access method="get*" roles="guest"/>

4
tests/smoke-tests/src/main/resources/servers/audit-logging2/management.xml
View File

@ -18,9 +18,9 @@
<management-context xmlns="http://activemq.org/schema">
<connector connector-port="10099" connector-host="localhost"/>
<authorisation>
<whitelist>
<allowlist>
<entry domain="hawtio"/>
</whitelist>
</allowlist>
<default-access>
<access method="list*" roles="guest"/>
<access method="get*" roles="guest"/>

4
tests/smoke-tests/src/main/resources/servers/jmx-rbac/management.xml
View File

@ -18,9 +18,9 @@
<management-context xmlns="http://activemq.org/schema">
<connector connector-port="10099"/>
<authorisation>
<whitelist>
<allowlist>
<entry domain="hawtio"/>
</whitelist>
</allowlist>
<default-access>
<access method="list*" roles="amq"/>
<access method="get*" roles="amq"/>

4
tests/smoke-tests/src/main/resources/servers/jmx/management.xml
View File

@ -18,9 +18,9 @@
<management-context xmlns="http://activemq.org/schema">
<connector connector-port="10099" connector-host="localhost" rmi-registry-port="10098" />
<authorisation>
<whitelist>
<allowlist>
<entry domain="hawtio"/>
</whitelist>
</allowlist>
<default-access>
<access method="list*" roles="amq"/>
<access method="get*" roles="amq"/>

4
tests/smoke-tests/src/main/resources/servers/replay/replay/management.xml
View File

@ -18,9 +18,9 @@
<management-context xmlns="http://activemq.org/schema">
<connector connector-port="1099"/>
<authorisation>
<whitelist>
<allowlist>
<entry domain="hawtio"/>
</whitelist>
</allowlist>
<default-access>
<access method="list*" roles="amq"/>
<access method="get*" roles="amq"/>