Custom Login Module and ActiveMQArtemisSecurity settings

[lordigon]

Hi all, I've created a custom Login Module that inherits from TextFileCertificateLoginModule because I wanted to add it some custom logics. This new Login Module uses same properties file defined by the parent module where I defined user and roles e.g

my-custom-cert-roles.properties
test-role = myuser

my-custom-cert-users.properties
myuser = <regular expression>

I would like to install it into Artemis and apply security-settings with this value

<security-setting match="test.#">
            <permission type="createNonDurableQueue" roles="test-role"/>
            <permission type="deleteNonDurableQueue" roles="test-role"/>
            <permission type="createDurableQueue" roles="test-role"/>
            <permission type="deleteDurableQueue" roles="test-role"/>
            <permission type="createAddress" roles="test-role"/>
            <permission type="deleteAddress" roles="test-role"/>
            <permission type="consume" roles="test-role"/>
            <permission type="browse" roles="test-role"/>
            <permission type="send" roles="test-role"/>
            <permission type="manage" roles="test-role"/>
</security-setting>

What I've done till now is to create a custom init image containing the custom JAAS module and related property files and I think I have to define an ActiveMQArtemisSecurity CR to define the previous settings. Looking at ActiveMQArtemisSecurity CRD definition It seems that Login Module that can be used are fixed e.g. guestLoginModules, keycloakLoginModules, propertiesLoginModules and so on. Am I wrong can you please suggest me the right approach for this use case?
How can I update dynamically those security settings?

[gaohoward]

Yes the security CR only support fixed types of login modules. I think for your case you can use broker.properties in the CR to define the security settings. For your custom login module you may take a look at the jaas login configmap to configure it.
take a look at this
https://github.com/artemiscloud/activemq-artemis-operator/issues/356

[lordigon]

Can you please give me an example of security settings via brokerProperties?
I would like to create something that via xml is configured in this way

<security-setting match="globalqueues.europe.#">
   <permission type="createDurableQueue" roles="admin"/>
   <permission type="send" roles="admin, europe-users"/>
   <permission type="consume" roles="admin, europe-users"/>
</security-setting>

[brusdev]

@lordigon addresses that include dots require to be double quoted, i.e.:

apiVersion: broker.amq.io/v1beta1
kind: ActiveMQArtemis
metadata:
  name: artemis-security-settings
spec:
  brokerProperties:
    - 'securityRoles."globalqueues.europe.#".admin.createDurableQueue=true'
    - 'securityRoles."globalqueues.europe.#".europe-users.send=true'
    - 'securityRoles."globalqueues.europe.#".europe-users.consume=true'
...

[lordigon]

@brusdev is there a way to verify that such configuration was applied with success? Is it persisted somewhere?
I applied what you suggested but I would like to verify it.

Another question related to this subject: reading from documentation I saw the chance to specify a property file to the artemis run commad.
The artemis run command script supports --properties , where a properties file can be configured.
Is it possible to do the same by specifying a configmap containing such property file passing it via --properties configuration parameter?

[brusdev]

@lordigon you could query the effective roles using the jolokia endpoint, i.e.:

curl -u admin:admin http://<CR_NAME>-ss-0:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"amq-broker\",component=addresses,address=\"globalqueues.europe.test\"/RolesAsJSON

The artemis run command script supports --properties , where a properties file can be configured.
Is it possible to do the same by specifying a configmap containing such property file passing it via --properties configuration parameter?
This is what the operator does when you set spec.brokerProperties.

[lordigon]

@brusdev just another question related to my first one at the beginning of the discussion: to configure the custom JAAS module I've created a ConfigMap following the naming convention supported by the Operator e.g. defining a configmap's name with a suffix equal to "-jaas-config".
Somtehing like the following

apiVersion: v1
kind: ConfigMap
metadata:
  name: test-jaas-config
data:
  login.config: |
    activemq {
    com.test.activemq.artemis.plugins.security.jaas.LogLoginModule sufficient
    debug=true;
    };

My custom JAAS module now needs three property files let's name them: prop1.properties, prop2.properties, prop3.properties.
Is it possible to pass them as ConfigMap as well?
I don't know if Operator supports JAAS Config with multiple entries something like

apiVersion: v1
kind: ConfigMap
metadata:
  name: test-jaas-config
data:
  login.config: |
    activemq {
    com.test.activemq.artemis.plugins.security.jaas.LogLoginModule sufficient
    com.test.activemq.artemis.plugins.security.jaas.prop1=prop1.properties
    com.test.activemq.artemis.plugins.security.jaas.prop2=prop2.properties
    com.test.activemq.artemis.plugins.security.jaas.prop3=prop3.properties
    debug=true;
    };
  prop1.properties: |
    prop1a=value1a
    prop1b=value1b
  prop2.properties: |
    prop2a=value2a
    prop2b=value2b
  prop3.properties: |
    prop3a=value3a
    prop3b=value3b

or if I can create another configmap along with the JAAS config one containing all three property files content.
Is it possible to configure this use case?

[brusdev]

@lordigon yes, if your login module need property files the best solution is to include them in the same ConfigMap.