
List:       activemq-commits
Subject:    [activemq-artemis] branch master updated: ARTEMIS-3010 doc updates
From:       gtully () apache ! org
Date:       2020-11-27 11:04:21
Message-ID: 160647506161.29288.9207724015045131731 () gitbox ! apache ! org

This is an automated email from the ASF dual-hosted git repository.

gtully pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git


The following commit(s) were added to refs/heads/master by this push:
     new c64d4d6  ARTEMIS-3010 doc updates
c64d4d6 is described below

commit c64d4d62e39c20cc4eb3b9cb6f4ebf2a3b037239
Author: Justin Bertram <jbertram@apache.org>
AuthorDate: Tue Nov 24 11:56:07 2020 -0600

    ARTEMIS-3010 doc updates
---
 docs/user-manual/en/masking-passwords.md | 22 +++++++++++++++++-----
 docs/user-manual/en/security.md          | 17 +++++++++++++----
 docs/user-manual/en/versions.md          | 26 ++++++++++++++++++++++++++
 3 files changed, 56 insertions(+), 9 deletions(-)

diff --git a/docs/user-manual/en/masking-passwords.md \
b/docs/user-manual/en/masking-passwords.md index 028ce6a..1966b4c 100644
--- a/docs/user-manual/en/masking-passwords.md
+++ b/docs/user-manual/en/masking-passwords.md
@@ -70,9 +70,9 @@ This process does **not** work for passwords in:
 
  - `artemis-users.properties`
 
-Maksed passwords for `artemis-users.properties` *can* be generated using the
-`mask` command using the `--hash` command-line option. However, we recommend
-using the set of tools provided by the `user` command described below.
+Masked passwords for `artemis-users.properties` *can* be generated using the
+`mask` command using the `--hash` command-line option. However, this is also
+possible using the set of tools provided by the `user` command described below.
 
 ## Masking Configuration
 
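Review bot: The reworded sentence "However, this is also possible using the set of tools provided by the `user` command" keeps a contrast word that has nothing left to contrast with now that the recommendation is gone, and the sentence before it still says "using the `mask` command using the `--hash` command-line option". Suggest "can be generated with the `mask` command and its `--hash` option. The `user` command described below can also do this." The next hunk in this file says `user` does not work unless the broker has been started, so if `mask --hash` works without a running broker, this is the place to say so.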
@@ -100,10 +100,11 @@ hashed values for password verification.
 
 Use the following command from the CLI of the Aremtis *instance* you wish to
 add the user/password to. This command will not work from the Artemis home
-used to create the instance. For example:
+used to create the instance, and it will also not work unless the broker has
+been started. For example:
 
 ```sh
-./artemis user add --user guest --password guest --role admin
+./artemis user add --user-command-user guest --user-command-password guest --role \
admin  ```
 
 This will use the default codec to perform a "one-way" hash of the password
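Review bot: The example now uses `--user-command-user` and `--user-command-password`, but the text around it never says what the plain `--user` and `--password` options mean after this change; the versions.md hunk in this same commit states that they apply to the connection used to send the command to the broker. A sentence to that effect next to the example would keep readers from passing the new account's credentials as connection credentials. The context line at the top of the hunk still reads "Aremtis"; worth fixing along with the "Maksed" correction in the previous hunk.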
@@ -114,6 +115,17 @@ Passwords in `artemis-users.properties` are automatically \
detected as hashed or  not by looking for the syntax `ENC(<hash>)`. The \
`mask-password` parameter does  not need to be `true` to use hashed passwords here.
 
+> **Warning**
+>
+> Management and CLI operations to manipulate user & role data are only available
+> when using the `PropertiesLoginModule`.
+>
+> In general, using properties files and broker-centric user management for
+> anything other than very basic use-cases is not recommended. The broker is
+> designed to deal with messages. It's not in the business of managing users,
+> although that functionality is provided at a limited level for convenience. LDAP
+> is recommended for enterprise level production use-cases.
+
 ### cluster-password
 
 If it is specified in `ENC()` syntax it will be treated as masked, or
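Review bot: The added warning block is word for word the text that security.md carries after this commit, so the two copies can drift apart on the next edit. Suggest keeping the full warning in security.md and replacing it here with one sentence and a link to that section. If the block stays, "enterprise level production use-cases" reads better as "enterprise-level production use-cases", and the LDAP recommendation should link to the LDAP login module documentation so the reader has somewhere to go.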
diff --git a/docs/user-manual/en/security.md b/docs/user-manual/en/security.md
index ddd32ca..13f2523 100644
--- a/docs/user-manual/en/security.md
+++ b/docs/user-manual/en/security.md
@@ -584,12 +584,15 @@ guest=password
 ```
 
 Passwords in `artemis-users.properties` can be hashed. Such passwords should
-follow the syntax `ENC(<hash>)`. Hashed passwords can easily be added to
-`artemis-users.properties` using the `user` CLI command from the Artemis
-*instance*. This command will not work from the Artemis home.
+follow the syntax `ENC(<hash>)`. 
+
+Hashed passwords can easily be added to `artemis-users.properties` using the
+`user` CLI command from the Artemis *instance*. This command will not work 
+from the Artemis home, and it will also not work unless the broker has been
+started.
 
 ```sh
-./artemis user add --user guest --password guest --role admin
+./artemis user add --user-command-user guest --user-command-password guest --role \
admin  ```
 
 This will use the default codec to perform a "one-way" hash of the password
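Review bot: The rewritten example line still creates user `guest` with password `guest` and the `admin` role, and documentation examples get pasted as they are; since the line is being changed anyway, a placeholder such as `<username>` and `<password>` would be safer. Two of the added lines end with trailing whitespace ("follow the syntax `ENC(<hash>)`. " and "This command will not work "); strip it. "it will also not work unless the broker has been started" is easier to read stated positively, for example "it requires a running broker".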
@@ -617,6 +620,12 @@ etc.).
 >
 > Management and CLI operations to manipulate user & role data are only available
 > when using the `PropertiesLoginModule`.
+>
+> In general, using properties files and broker-centric user management for
+> anything other than very basic use-cases is not recommended. The broker is
+> designed to deal with messages. It's not in the business of managing users,
+> although that functionality is provided at a limited level for convenience. LDAP
+> is recommended for enterprise level production use-cases.
 
 #### LDAPLoginModule
 
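Review bot: The added paragraph says broker-centric user management "is not recommended" but justifies it only with "It's not in the business of managing users"; the versions.md hunk in this commit gives a concrete reason, the data integrity issues related to concurrent modification tracked in ARTEMIS-2893. Referencing that here would make the warning more convincing than the informal phrasing. "enterprise level" should be hyphenated, and the closing sentence can point at the LDAPLoginModule section that follows directly below.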
diff --git a/docs/user-manual/en/versions.md b/docs/user-manual/en/versions.md
index 9e4c9f2..9b407e6 100644
--- a/docs/user-manual/en/versions.md
+++ b/docs/user-manual/en/versions.md
@@ -23,6 +23,32 @@ Highlights:
 - Support for admin objects in the JCA resource adapter to facilitate deployment \
                into 3rd-party Java EE application servers
 - Ability to prevent an acceptor from automatically starting
 
+#### Upgrading from older versions
+
+Due to [ARTEMIS-2893](https://issues.apache.org/jira/browse/ARTEMIS-2893) the
+fundamental way user management was implemented had to change to avoid data
+integrity issues related to concurrent modification. From a user's perspective
+two main things changed:
+
+1. User management is no longer possible using the `artemis user` commands
+   when the broker is **offline**. Of course users are still free to modify the
+   properties files directly in this situation.
+2. The parameters of the `artemis user` commands changed. Instead of using
+   something like this:
+   ```sh
+   ./artemis user add --user guest --password guest --role admin
+   ``` 
+   Use this instead:
+   ```sh
+   ./artemis user add --user-command-user guest --user-command-password guest --role \
admin +   ```
+   In short, use `user-command-user` in lieu of `user` and `user-command-password`
+   in lieu of `password`. Both `user` and `password` parameters now apply to the
+   connection used to send the command to the broker.
+   
+   For additional details see \
[ARTEMIS-2893](https://issues.apache.org/jira/browse/ARTEMIS-2893) +   and \
[ARTEMIS-3010](https://issues.apache.org/jira/browse/ARTEMIS-3010)  +
 ## 2.15.0
 
 [Full release notes](https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315920&version=12348568).
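Review bot: Item 2 says `user` and `password` "now apply to the connection used to send the command to the broker", which means an existing script that still passes `--user guest --password guest` is not using a removed option but one with a new meaning. The upgrade note should state that consequence explicitly and say what the operator will observe when an old invocation is run, since this is the failure people will hit after upgrading. Item 1 could also mention how to produce a hashed `ENC(<hash>)` entry when editing the properties files directly while the broker is offline. The closing fence after the first example has trailing whitespace.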


