This commit is contained in:
Clebert Suconic 2017-09-25 10:30:18 -04:00
commit bb8c11b1e3
7 changed files with 45 additions and 2 deletions

View File

@ -104,6 +104,7 @@ public class Create extends InputAbstract {
public static final String ETC_GLOBAL_MAX_SPECIFIED_TXT = "etc/global-max-specified.txt";
public static final String ETC_GLOBAL_MAX_DEFAULT_TXT = "etc/global-max-default.txt";
public static final String ETC_JOLOKIA_ACCESS_XML = "etc/jolokia-access.xml";
@Arguments(description = "The instance directory to hold the broker's configuration and data. Path must be writable.", required = true)
private File directory;
@ -687,6 +688,7 @@ public class Create extends InputAbstract {
// we want this variable to remain unchanged so that it will use the value set in the profile
filters.remove("${artemis.instance}");
write(ETC_BOOTSTRAP_XML, filters, false);
write(ETC_JOLOKIA_ACCESS_XML, filters, false);
context.out.println("");
context.out.println("You can now start the broker by executing: ");

View File

@ -62,6 +62,7 @@
<argument>-Dhawtio.offline="true"</argument>
<argument>-Dhawtio.role=${role}</argument>
<argument>-Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal</argument>
<argument>-Djolokia.policyLocation=%ARTEMIS_INSTANCE_URI%/etc/jolokia-access.xml</argument>
<!-- Debug args: Uncomment to enable debug
<argument>-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=5005</argument>

View File

@ -28,7 +28,7 @@ ARTEMIS_INSTANCE_URI='${artemis.instance.uri}'
# Java Opts
JAVA_ARGS="${java-opts} -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+AggressiveOpts -XX:+UseFastAccessorMethods -Xms512M -Xmx2G -Dhawtio.realm=activemq -Dhawtio.offline="true" -Dhawtio.role=${role} -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal"
JAVA_ARGS="${java-opts} -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+AggressiveOpts -XX:+UseFastAccessorMethods -Xms512M -Xmx2G -Dhawtio.realm=activemq -Dhawtio.offline="true" -Dhawtio.role=${role} -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal -Djolokia.policyLocation=file:etc/jolokia-access.xml"
#
# There might be options that you only want to enable on specifc commands, like setting a JMX port

View File

@ -28,7 +28,7 @@ rem Cluster Properties: Used to pass arguments to ActiveMQ Artemis which can be
rem set ARTEMIS_CLUSTER_PROPS=-Dactivemq.remoting.default.port=61617 -Dactivemq.remoting.amqp.port=5673 -Dactivemq.remoting.stomp.port=61614 -Dactivemq.remoting.hornetq.port=5446
rem Java Opts
set JAVA_ARGS=${java-opts} -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+AggressiveOpts -XX:+UseFastAccessorMethods -Xms512M -Xmx1024M -Xbootclasspath/a:%ARTEMIS_HOME%\lib\${logmanager} -Djava.security.auth.login.config=%ARTEMIS_INSTANCE%\etc\login.config -Dhawtio.offline="true" -Dhawtio.realm=activemq -Dhawtio.role=${role} -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal -Dartemis.instance=%ARTEMIS_INSTANCE%
set JAVA_ARGS=${java-opts} -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+AggressiveOpts -XX:+UseFastAccessorMethods -Xms512M -Xmx1024M -Xbootclasspath/a:%ARTEMIS_HOME%\lib\${logmanager} -Djava.security.auth.login.config=%ARTEMIS_INSTANCE%\etc\login.config -Dhawtio.offline="true" -Dhawtio.realm=activemq -Dhawtio.role=${role} -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal -Djolokia.policyLocation=%ARTEMIS_INSTANCE_URI%\etc\jolokia-access.xml -Dartemis.instance=%ARTEMIS_INSTANCE%
rem There might be options that you only want to enable on specifc commands, like setting a JMX port
rem See https://issues.apache.org/jira/browse/ARTEMIS-318

View File

@ -0,0 +1,33 @@
<?xml version="1.0" encoding="utf-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<!-- This policy file controls the Jolokia JMX-HTTP bridge security options for the web console.
see: https://jolokia.org/reference/html/security.html -->
<restrict>
<cors>
<!-- Allow cross origin access from ${http.host} ... -->
<allow-origin>*://${http.host}*</allow-origin>
<!-- Check for the proper origin on the server side, too -->
<strict-checking/>
</cors>
</restrict>

View File

@ -58,6 +58,7 @@ public class StreamClassPathTest {
openStream(Create.ETC_COMMENTED_PING_TXT);
openStream(Create.ETC_GLOBAL_MAX_SPECIFIED_TXT);
openStream(Create.ETC_GLOBAL_MAX_DEFAULT_TXT);
openStream(Create.ETC_JOLOKIA_ACCESS_XML);
}

View File

@ -13,6 +13,12 @@ A login screen will be presented, if your broker is secure, you will need to use
![ActiveMQ Artemis Console Login](images/console-login.png)
## Security
That Jolokia JMX-HTTP bridge is secured via a policy file in the broker configuration directory: 'etc/jolokia-access.xml'.
The contents of that file should be modified as described in the [Jolokia Security Guide](https://jolokia.org/reference/html/security.html).
By default the console is locked down
to 'localhost', pay particular attention to the 'CORS' restrictions when exposing the console web endpoint over the network.
## Console