How do the auth and RBAC systems work?

[doxsch]

I am currently trying to figure out how all the authentications and authorizations work.

Here is what I have identified so far.

Client -> Broker (Acceptors):

• Authentication: Can be configured via JAAS modules. Default PropertiesLoginModule configs are located under /home/jboss/amq-broker/etc. It can be customized using a secret ending with -jaas-config. To use mTLS, we additionally configured TextFileCertificateLoginModule and required the client to present its certificate using needClientAuth: true.
• Authorization: Configured using broker properties in the form securityRoles."<matcher>".<role>.<permission>=true. See ActiveMQ Artemis Security Documentation.

Console:

• Authentication: Same as Client -> Broker.
• Authorization: By default, all users from the PropertiesLoginModule with the role "admin" can access the console. By default, this is just the randomly generated default user. The role that has access to the console can be overridden using -Dhawtio.role=<role>. However, if this is done, the status check from the operator no longer works (see below).
  If useClientAuth: true, a valid client certificate is also expected. Certain operations like sending messages seem to consider the securityRoles permission. However, if a new address and queue are created and securityRoles are more specific than the default # matcher, the admin user does not seem to have send permission on it. I couldn't quite figure out how the RBAC system works here.

Operator -> Jolokia (Status check):

The operator performs status checks against the cluster.

• Authentication: Default username and password using the randomly generated default user and BasicAuth. If useClientAuth=true is enabled for the console, the operator must also be provided with a valid certificate: Artemis Cloud Operator PKI.
• Authorization: The user needs admin role

Broker -> Broker:

• I don't know how this works. However, there are AMQ_CLUSTER_USER and AMQ_CLUSTER_PASSWORD in the environment variables.

Open Questions:

1. What happens if I enable ManagementRBACEnabled? Can individual management operations in the console be configured granularly? If so, how can it be configured which role can use which operations?
2. Can the status check from the operator also be done using mTLS including subject check, so that username/password can be omitted?
3. Are there any other connections from the operator to the broker/console/Jolokia/JMX? If so, which ones?
4. Is the following representation correct and how do authentications and authorizations take place in the individuall components?
   • Broker -> embedded Server -> hawtio (/console) -> jolokia (/console/jolokia) -> JMX (internal port exposed by Jolokia as a web service)
5. How does broker-to-broker communication work?

[brusdev]

@doxsch thanks for sharing your findings about the authentications and authorizations, they are correct.

Open Questions:

1. What happens if I enable ManagementRBACEnabled? Can individual management operations in the console be configured granularly? If so, how can it be configured which role can use which operations?

ManagementRBACEnabled is enabled by default. Individual management operations in the console be configured granularly by using ArtemisRbacMBeanServerBuilder, see the test security with management role access
ArtemisRbacMBeanServerBuilder is used by default in the restricted mode

2. Can the status check from the operator also be done using mTLS including subject check, so that username/password can be omitted?

The status check from the operator can use mTLS and it is so by default in the restricted mode

3. Are there any other connections from the operator to the broker/console/Jolokia/JMX? If so, which ones?

The operator only connects to the broker/console/Jolokia endpoint.

4. Is the following representation correct and how do authentications and authorizations take place in the individuall components?

   • Broker -> embedded Server -> hawtio (/console) -> jolokia (/console/jolokia) -> JMX (internal port exposed by Jolokia as a web service)

I'm not sure about what this representation means. The jolokia endpoint authentication is the same for the console and the authorization is the same for JMX, see https://activemq.apache.org/components/artemis/documentation/latest/management.html#configuring-jmx

5. How does broker-to-broker communication work?

The broker-to-broker communication uses the special cluster credentials (cluster-user, cluster-password), see https://activemq.apache.org/components/artemis/documentation/latest/clusters.html#cluster-user-credentials