'Re: activemq artemis users on queue level'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       activemq-users
Subject:    Re: activemq artemis users on queue level
From:       Domenico Francesco Bruscino <bruscinodf () gmail ! com>
Date:       2022-05-06 15:43:00
Message-ID: CAE86shL5_8=Os3KBeBa3BFNse=GWvwcvYo=kHR-8XpnThK1vyA () mail ! gmail ! com
[Download RAW message or body]


Hi Jo,

yes it is correct, the broker admin password can be masked using the
same way.
An alternative to mask password could be to use the kubernetes secrets, see
https://artemiscloud.io/documentation/operator/reference.html

Regards,
Domenco

On Fri, 6 May 2022 at 17:26, Jo De Troy <jo.de.troy@gmail.com> wrote:

> Domenico,
> 
> thanks again.
> I guess the masking can also be done for the password the admin user of the
> broker, correct?
> 
> Regards,
> Jo
> 
> Op vr 6 mei 2022 om 16:57 schreef Domenico Francesco Bruscino <
> bruscinodf@gmail.com>:
> 
> > Hi Jo,
> > 
> > this is more a question for the ArtemisCloud.io community [1], I think
> the
> > passwords for the users in ActiveMQArtemisSecurity can be masked using
> the
> > mask command [2] but I have never tried, i.e.
> > 
> > $ ./broker/bin/artemis mask --hash user
> > result:
> > 
> > 
> 1024:C1475A2DBBCCC50D7EB75448555E408E99A71DA455E117552CD27FA57A0C864C:355874B12FB9ED \
> 6F2C9D4283A2072E99866EDAE1F9F0FD58A34AB441720BB4E070918EFE615E0C2276984EE674654BB856AE9257F1FB73A2ECAB6742B1789562
> 
> > 
> > spec:
> > loginModules:
> > propertiesLoginModules:
> > - name: prop-module
> > users:
> > - name: userA
> > roles:
> > - roleA
> > password:
> > 
> > 
> "ENC(1024:C1475A2DBBCCC50D7EB75448555E408E99A71DA455E117552CD27FA57A0C864C:355874B12 \
> FB9ED6F2C9D4283A2072E99866EDAE1F9F0FD58A34AB441720BB4E070918EFE615E0C2276984EE674654BB856AE9257F1FB73A2ECAB6742B1789562)"
> 
> > 
> > [1] https://artemiscloud.io/community/
> > [2]
> > 
> > 
> https://activemq.apache.org/components/artemis/documentation/latest/masking-passwords
> 
> > 
> > Regards,
> > Domenico
> > 
> > On Fri, 6 May 2022 at 14:29, Jo De Troy <jo.de.troy@gmail.com> wrote:
> > 
> > > Thanks Domenico
> > > 
> > > Is there a possibility to encrypt/obfuscate  the passwords for the
> users
> > in
> > > kind: ActiveMQArtemisSecurity ?
> > > Or can these be stored in an Openshift secret/Hashicorp Vault/...
> > > 
> > > Best Regards,
> > > Jo
> > > 
> > > Op vr 6 mei 2022 om 11:30 schreef Domenico Francesco Bruscino <
> > > bruscinodf@gmail.com>:
> > > 
> > > > Hi Jo,
> > > > 
> > > > Apache ActiveMQ Artemis contains a flexible role-based security model
> > for
> > > > applying security to queues, based on their addresses, see the
> > > > documentation [1] for further details.
> > > > 
> > > > Suppose you have userA with the roleA that can only consume queueA
> and
> > > > userB with roleB that can only consume queueB:
> > > > 
> > > > apiVersion: broker.amq.io/v1alpha1
> > > > kind: ActiveMQArtemisSecurity
> > > > metadata:
> > > > name: ex-prop
> > > > spec:
> > > > loginModules:
> > > > propertiesLoginModules:
> > > > - name: 'prop-module'
> > > > users:
> > > > - name: userA
> > > > password: userA
> > > > roles:
> > > > - roleA
> > > > - name: userB
> > > > password: userB
> > > > roles:
> > > > - roleB
> > > > securityDomains:
> > > > brokerDomain:
> > > > name: 'activemq'
> > > > loginModules:
> > > > - name: 'prop-module'
> > > > flag: 'sufficient'
> > > > securitySettings:
> > > > broker:
> > > > - match: 'queue1'
> > > > permissions:
> > > > - operationType: 'consume'
> > > > roles:
> > > > - roleA
> > > > - match: 'queue2'
> > > > permissions:
> > > > - operationType: 'consume'
> > > > roles:
> > > > - roleB
> > > > 
> > > > [1]
> > > > 
> > > > 
> > > 
> > 
> https://activemq.apache.org/components/artemis/documentation/latest/security.html#role-based-security-for-addresses
> 
> > > > 
> > > > Regards,
> > > > Domenico
> > > > 
> > > > On Fri, 6 May 2022 at 10:37, Jo De Troy <jo.de.troy@gmail.com>
> wrote:
> > > > 
> > > > > Hello,
> > > > > 
> > > > > I'm pretty new to the ActiveMQ (Artemis) world.
> > > > > I was wondering if it's possible to define different users per
> queue
> > > when
> > > > > using e.g. PropertiesLoginModule.
> > > > > So userA would be able to only produce on queueA but not on queueB
> > > > > Suppose you have a broker with a few 50 different queues you don't
> > want
> > > > all
> > > > > clients to use the same credentials if they only need access to 1
> > > queue.
> > > > > 
> > > > > If it's possible would there be an example I can find somewhere for
> > > this
> > > > > type of configuration?
> > > > > I'm trying to use the ActiveMQ Artemis running on a container
> > platform,
> > > > so
> > > > > the security config would hopefully be created by using the
> > > > > ActiveMQArtemisSecurity CRD
> > > > > 
> > > > > Best Regards,
> > > > > Jo
> > > > > 
> > > > 
> > > 
> > 
> 



[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic