Apache
/
activemq-artemis
mirror of https://github.com/apache/activemq-artemis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ARTEMIS-3010 doc updates

This commit is contained in:
Justin Bertram 2020-11-24 11:56:07 -06:00 committed by Gary Tully
parent 805a94018c
commit c64d4d62e3
3 changed files with 56 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
docs/user-manual/en/masking-passwords.md
View File

@ -70,9 +70,9 @@ This process does **not** work for passwords in:
- `artemis-users.properties`
Maksed passwords for `artemis-users.properties` *can* be generated using the
`mask` command using the `--hash` command-line option. However, we recommend
using the set of tools provided by the `user` command described below.
Masked passwords for `artemis-users.properties` *can* be generated using the
`mask` command using the `--hash` command-line option. However, this is also
possible using the set of tools provided by the `user` command described below.
## Masking Configuration
@ -100,10 +100,11 @@ hashed values for password verification.
Use the following command from the CLI of the Aremtis *instance* you wish to
add the user/password to. This command will not work from the Artemis home
used to create the instance. For example:
used to create the instance, and it will also not work unless the broker has
been started. For example:
```sh
./artemis user add --user guest --password guest --role admin
./artemis user add --user-command-user guest --user-command-password guest --role admin
```
This will use the default codec to perform a "one-way" hash of the password
@ -114,6 +115,17 @@ Passwords in `artemis-users.properties` are automatically detected as hashed or
not by looking for the syntax `ENC(<hash>)`. The `mask-password` parameter does
not need to be `true` to use hashed passwords here.
> **Warning**
>
> Management and CLI operations to manipulate user & role data are only available
> when using the `PropertiesLoginModule`.
>
> In general, using properties files and broker-centric user management for
> anything other than very basic use-cases is not recommended. The broker is
> designed to deal with messages. It's not in the business of managing users,
> although that functionality is provided at a limited level for convenience. LDAP
> is recommended for enterprise level production use-cases.
### cluster-password
If it is specified in `ENC()` syntax it will be treated as masked, or

17
docs/user-manual/en/security.md
View File

@ -584,12 +584,15 @@ guest=password
```
Passwords in `artemis-users.properties` can be hashed. Such passwords should
follow the syntax `ENC(<hash>)`. Hashed passwords can easily be added to
`artemis-users.properties` using the `user` CLI command from the Artemis
*instance*. This command will not work from the Artemis home.
follow the syntax `ENC(<hash>)`.
Hashed passwords can easily be added to `artemis-users.properties` using the
`user` CLI command from the Artemis *instance*. This command will not work
from the Artemis home, and it will also not work unless the broker has been
started.
```sh
./artemis user add --user guest --password guest --role admin
./artemis user add --user-command-user guest --user-command-password guest --role admin
```
This will use the default codec to perform a "one-way" hash of the password
@ -617,6 +620,12 @@ etc.).
>
> Management and CLI operations to manipulate user & role data are only available
> when using the `PropertiesLoginModule`.
>
> In general, using properties files and broker-centric user management for
> anything other than very basic use-cases is not recommended. The broker is
> designed to deal with messages. It's not in the business of managing users,
> although that functionality is provided at a limited level for convenience. LDAP
> is recommended for enterprise level production use-cases.
#### LDAPLoginModule

26
docs/user-manual/en/versions.md
View File

@ -23,6 +23,32 @@ Highlights:
- Support for admin objects in the JCA resource adapter to facilitate deployment into 3rd-party Java EE application servers
- Ability to prevent an acceptor from automatically starting
#### Upgrading from older versions
Due to [ARTEMIS-2893](https://issues.apache.org/jira/browse/ARTEMIS-2893) the
fundamental way user management was implemented had to change to avoid data
integrity issues related to concurrent modification. From a user's perspective
two main things changed:
1. User management is no longer possible using the `artemis user` commands
when the broker is **offline**. Of course users are still free to modify the
properties files directly in this situation.
2. The parameters of the `artemis user` commands changed. Instead of using
something like this:
```sh
./artemis user add --user guest --password guest --role admin
```
Use this instead:
```sh
./artemis user add --user-command-user guest --user-command-password guest --role admin
```
In short, use `user-command-user` in lieu of `user` and `user-command-password`
in lieu of `password`. Both `user` and `password` parameters now apply to the
connection used to send the command to the broker.
For additional details see [ARTEMIS-2893](https://issues.apache.org/jira/browse/ARTEMIS-2893)
and [ARTEMIS-3010](https://issues.apache.org/jira/browse/ARTEMIS-3010)
## 2.15.0
[Full release notes](https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315920&version=12348568).