Adding users on the fly ACTIVEMQ

I have activemq running and a new user asks for an account. Is it possible to add users and groups on the fly to the list of users and groups in activemq without restarting it?

If so, how? Can I do it programmatically?
|
|
Re: Adding users on the fly ACTIVEMQ

I think the only way at the moment is to use the LDAP JAAS login module (http://activemq.apache.org/maven/activemq-jaas/apidocs/org/apache/activemq/jaas/LDAPLoginModule.html). The appropriate relational database solution is still to come.

Cheers
--
Dejan Bosanac
www.scriptinginjava.net

On Tue, Apr 22, 2008 at 7:01 PM, greenapple <ztuffaha@...> wrote:
> I have activemq running and a new user asks for an account. Is it possible to
> add users and groups on the fly to the list of users and groups in activemq
> without restarting it?
>
> If so, how?
> --
> View this message in context:
> http://www.nabble.com/Adding-users-on-the-fly-ACTIVEMQ-tp16825211s2354p16825211.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Dejan Bosanac
Open Source Integration - http://fusesource.com/
ActiveMQ in Action - http://www.manning.com/snyder/
Blog - http://www.nighttale.net
|
|
Re: Adding users on the fly ACTIVEMQ

Well, you'd need to have an implementation of an AuthorizationMap that picks up its data from someplace. I think I saw there is an LDAP one. The default just gets it from the XML in the config file, which is obviously no good for your purposes. There doesn't seem to be one that supports JDBC right now, but I know one of these days soon I'm going to have to write one because all my JAAS stuff is in there (I did write a JAAS auth module for JDBC which works). You'll probably need something like that too in order to authenticate the users from your data store.

As a guess I'd say it might take a couple days to unravel the AuthorizationMap interface and implement something that works. Have a go at it!
|
|
Re: Adding users on the fly ACTIVEMQ

Thanks Abdul and Dejan,

Do you need an LDAP server to use LDAP authorization? My knowledge is minimal in LDAP.

I found out through trial and error that you can add users on the fly using JAAS authentication and by editing users.properties and groups.properties. But somehow, doing this does not seem right since I would like to provide a UI for users to

Thanks,
|
|
|
Re: Adding users on the fly ACTIVEMQ

Right. OK, there are a couple of different issues.

1) If ALL you want to do is add users and the permissions of the users will be set up entirely in the activemq.sql file, then you would just need to create a JAAS auth realm and if you say want to use JDBC then write or acquire a JDBC JAAS auth module. I wrote one in an afternoon that worked with my user base, it is fairly easy.

2) If you want to have DYNAMIC mapping to queues and topics, say you need to be able to have a queue for each user that only they can read from, then you need to implement an AuthorizationMap (or else put everyone in the activemq.xml file entries, which kind of defeats the purpose).

3) If you say wanted to use LDAP for either or both of these things, then you would use a JAAS LDAP auth module and an LDAP AuthorizationMap (which actually I believe exists, see the javadoc). Depending on your schema requirements you may need to configure or tweak the code in either of those.

Finally, yes, LDAP requires an LDAP server. LDAP is a pretty useful technology, but setting up and running LDAP servers is somewhat of a pain. Note however that Active Directory can do your LDAP for you if you are in an MS environment, which is a great thing if you have already user provisioning etc set up for that. NDS is another commercial product that provides LDAP service. Sun also has an LDAP server, and there are a few others out there as well. OpenLDAP is your basic OSS implementation. I have a feeling there are also OS J2EE components which can provide LDAP services. Not familiar with them, but I bet you can find something.

Getting your data INTO LDAP and managing it are a whole other kettle of fish. There are command line and GUI tools that will do it. Basically they're similar to RDBMS tools like the mysql command line tool, except they work with LDAP databases.
|
|
|
Re: Adding users on the fly ACTIVEMQ

Thanks Abdul for your time,

Exactly I am trying to do the following: Say a new application yyy requested to use JMS. My job as a JMS admin is to create the queues needed (on the fly), add users and groups (on the fly) and grant permissions to certain users and groups to read/write/both/etc (also on the fly). By on the fly, I mean: without having to restart ActiveMQ. TIBCO EMS for example had some user interface to do this.

I am very new to ActiveMQ and have been playing with it for a couple of days. It seems to me that this information needs to go somewhere else other than activemq.xml (as you have mentioned) since activemq.xml is only loaded at startup (correct?).

I have some ideas. I am thinking to implement the AuthorizationMap in a way similar to DefaultAuthorizationMap and fill it up with entries through some UI. Then create an AuthorizationPlugin and install the plugin. My questions are: can I create an AuthorizationPlugin and install it while ActiveMQ is running (so that it will be effective on the fly)? Can I install many AuthorizationPlugins?

As far as adding users on the fly, I was able to do that through adding users directly to users.properties and groups.properties. Is there a cleaner way? Could you please direct me to some JAAS user realm documentation?

I have more ideas but I am going to sleep on them for now :-)

Thanks again,
|
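The on-the-fly edit of users.properties and groups.properties discussed in the posts above, done from a UI backend without letting a crafted name or password inject extra entries. This is an added example, not code from the thread or from ActiveMQ; it assumes the plain `user=password` and `group=user1,user2` line formats, ASCII files, and hypothetical helper names and character limits.

```python
import os
import re
import tempfile

# Assumption: conservative name charset that keeps '=', ':', ',', '#', spaces and
# line breaks out of property keys and out of the comma-separated member lists.
NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")
# Printable ASCII, no backslash, no leading/trailing space: stored byte-for-byte.
PASSWORD_RE = re.compile(r"[!-\[\]-~]([ -\[\]-~]*[!-\[\]-~])?")


def read_props(path):
    """Parse simple key=value lines, skipping blank lines and comments."""
    entries = {}
    if os.path.exists(path):
        with open(path, encoding="ascii") as fh:
            for line in fh:
                line = line.strip()
                if line and line[0] not in "#!" and "=" in line:
                    key, value = line.split("=", 1)
                    entries[key.strip()] = value.strip()
    return entries


def write_atomic(path, entries):
    """Write a 0600 temp file beside the target, then rename it into place."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w", encoding="ascii") as fh:
        for key in sorted(entries):
            fh.write(f"{key}={entries[key]}\n")
    os.replace(tmp, path)


def add_user(users_path, groups_path, user, password, groups):
    """Add user=password and the group memberships, or raise ValueError."""
    if not all(NAME_RE.fullmatch(name) for name in [user, *groups]):
        raise ValueError("invalid user or group name")
    if not PASSWORD_RE.fullmatch(password):
        raise ValueError("password has characters unsafe in a properties file")
    users = read_props(users_path)
    if user in users:
        raise ValueError("user already exists")
    users[user] = password
    group_map = read_props(groups_path)
    for group in groups:
        members = [m for m in group_map.get(group, "").split(",") if m]
        group_map[group] = ",".join(dict.fromkeys(members + [user]))
    write_atomic(users_path, users)
    write_atomic(groups_path, group_map)
```

Rewriting the files this way drops any comments they contained, and the two renames are separate steps, so a reader may briefly see the new user before its group memberships.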
|
|
Re: Adding users on the fly ACTIVEMQ

I'm in the middle of an ActiveMQ 5.1 rollout using LDAP configuration for this very reason (I will be contributing some patches so apologies if the following instructions won't work out of the box)...

There are several components required for an LDAP solution:

1. An LDAP server (there are several Open Source options - we're using OpenLDAP)
2. An LDAP GUI client - you don't want to be editing/importing LDIF files all the time or mucking about with the command line - we've got phpldapadmin.

Once these are installed you need to perform a base set-up on LDAP:

1. Create the structure for ActiveMQ in your LDAP server (sample LDIF file attached)
2. Create a 'bind user' for ActiveMQ to logon to the LDAP server (included in LDIF)

To configure ActiveMQ (assuming you don't need networked brokers):

1. Configure the JAAS LDAPLoginModule and the LDAPAuthorizationMap in activemq.xml:

    <plugins>
      <!-- use JAAS to authenticate using the login.config file on the classpath to configure JAAS -->
      <jaasAuthenticationPlugin configuration="LdapConfiguration" />
      <!-- lets configure a destination based role/group authorization mechanism -->
      <authorizationPlugin>
        <map>
          <bean xmlns="http://www.springframework.org/schema/beans" id="lDAPAuthorizationMap"
                class="org.apache.activemq.security.LDAPAuthorizationMap">
            <property name="initialContextFactory" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <property name="connectionURL" value="ldap://ldap.acme.com:389"/>
            <property name="authentication" value="simple"/>
            <property name="connectionUsername" value="cn=mqbroker,ou=Services,dc=acme,dc=com"/>
            <property name="connectionPassword" value="password"/>
            <property name="connectionProtocol" value="s"/>
            <property name="topicSearchMatching" value="cn={0},ou=Topic,ou=Destination,ou=ActiveMQ,ou=systems,dc=acme,dc=com"/>
            <property name="topicSearchSubtreeBool" value="true"/>
            <property name="queueSearchMatching" value="cn={0},ou=Queue,ou=Destination,ou=ActiveMQ,ou=systems,dc=acme,dc=com"/>
            <property name="queueSearchSubtreeBool" value="true"/>
            <property name="adminBase" value="(cn=admin)"/>
            <property name="adminAttribute" value="member"/>
            <property name="adminAttributePrefix" value="cn="/>
            <property name="readBase" value="(cn=read)"/>
            <property name="readAttribute" value="member"/>
            <property name="readAttributePrefix" value="cn="/>
            <property name="writeBase" value="(cn=write)"/>
            <property name="writeAttribute" value="member"/>
            <property name="writeAttributePrefix" value="cn="/>
          </bean>
        </map>
      </authorizationPlugin>
    </plugins>

2. Configure the JAAS login.config (I haven't de-duplicated the config yet):

    LdapConfiguration {
        org.apache.activemq.jaas.LDAPLoginModule required
            debug=true
            initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
            connectionURL="ldap://ldap.acme.com:389"
            connectionUsername="cn=mqbroker,ou=Services,dc=acme,dc=com"
            connectionPassword=password
            connectionProtocol=s
            authentication=simple
            userBase="ou=User,ou=ActiveMQ,ou=systems,dc=acme,dc=com"
            userRoleName=dummyUserRoleName
            userSearchMatching="(uid={0})"
            userSearchSubtree=false
            roleBase="ou=Group,ou=ActiveMQ,ou=systems,dc=acme,dc=com"
            roleName=cn
            roleSearchMatching="(member:=uid={1})"
            roleSearchSubtree=true
            ;
    };

3. Fire it up...

You can then perform your runtime tasks using the LDAP admin tool.

Hope this helps,
Robin

sample.ldif