Read-only web console access in ActiveMQ

Question
I'm using ActiveMQ 5.10 and would like to create a user that has read-only access through the web console.
Red Hat published this article, mentioning that it's not really read only due to a bug in ActiveMQ. According to the bug report AMQ-4567, the bug is fixed as of ActiveMQ 5.9. However, I'm not seeing it work appropriately.
I have tried a number of different configurations, with the most recent being two separate JAAS implementations, one for Jetty and one for ActiveMQ. The relevant property files are excerpted below.
I can mostly log in to the web console using the "system" user. But the guest user doesn't work at all. The application user (appuser) doesn't need access to the web console at all.
My authN/authZ needs are pretty trivial: one admin user, one application account, and one read-only monitoring account.
Is there any good way to get this working with a recent version of ActiveMQ (>= 5.9.0)?
groups.properties

admins=system
users=appuser,admin
guests=guest

users.properties

system={password redacted}
appuser=appuser
guest=guest

jetty-realm.properties

system: MD5:46cf1b5451345f5176cd70713e0c9e07,user,admin
guest: guest,guest
As an aside, I used the Jetty tutorial and the Rundeck instructions to figure out the jetty-realm.properties file and chapter 6 of ActiveMQ in Action to work out the ActiveMQ JAAS.
Recommended answer
I was finally able to get to what I wanted by deploying the web console to an external Tomcat instance. I assume that when it runs out of process, it can't bypass security and so has to use whatever credentials you provide. In this case, I gave the Tomcat instance the read-only JMX user credentials.
It's not great, as there is no security trimmed UI. You can still attempt to create new destinations, delete destinations, etc. When you try with a read-only user, you get an error. That gets a "D" for UX, but a "B" for security.
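Added example, not code from the question or the answer: a small Python check that parses the three property files quoted in the question (groups.properties, users.properties, jetty-realm.properties) plus a JDK-style jmx.access file of the kind the answer's out-of-process console would use for its read-only JMX credentials, and reports everything that would keep a given account from being read-only across those layers. The file contents are constructed from the question; the group and role names treated as write-capable (admins, users, admin), the jmx.access format and the "monitor" account name are assumptions to adjust for a real deployment.

```python
import re

# Constructed sample inputs modelled on the files quoted in the question. The
# MD5 value is copied from the question; "REDACTED_PASSWORD" is a placeholder.
GROUPS_PROPERTIES = """\
admins=system
users=appuser,admin
guests=guest
"""

USERS_PROPERTIES = """\
system=REDACTED_PASSWORD
appuser=appuser
guest=guest
"""

JETTY_REALM_PROPERTIES = """\
system: MD5:46cf1b5451345f5176cd70713e0c9e07,user,admin
guest: guest,guest
"""

# Assumed JDK-style jmx.access file ("<user> readonly|readwrite ...") for the
# external-Tomcat console in the answer; "monitor" is a hypothetical account.
JMX_ACCESS = """\
system readwrite
monitor readonly
"""

# Assumption: these are the groups/roles granted write or admin rights in
# activemq.xml and the console's web.xml; change them to match the deployment.
WRITE_GROUPS = {"admins", "users"}
WRITE_ROLES = {"admin"}


def parse_properties(text):
    """Parse Java .properties lines (key=value, key: value, key value).
    Escapes and line continuations are ignored in this simplified parser."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)(?:\s*[=:]\s*|\s+)(.*)", line)
        if m:
            result[m.group(1)] = m.group(2).strip()
    return result


def parse_groups(text):
    """groups.properties: group=user1,user2 -> {group: set(users)}"""
    return {group: {u.strip() for u in members.split(",") if u.strip()}
            for group, members in parse_properties(text).items()}


def parse_jetty_realm(text):
    """Jetty HashLoginService realm: user: credential[,role1,role2,...]"""
    realm = {}
    for user, value in parse_properties(text).items():
        parts = [p.strip() for p in value.split(",")]
        realm[user] = {"credential": parts[0], "roles": set(parts[1:])}
    return realm


def parse_jmx_access(text):
    """jmx.access: first token is the user, second is readonly/readwrite."""
    access = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) >= 2 and not tokens[0].startswith("#"):
            access[tokens[0]] = tokens[1]
    return access


def audit_readonly_account(user, groups, users, realm, jmx_access):
    """Return the findings that stop `user` from being read-only at every
    layer; an empty list means the account is consistently read-only."""
    findings = []
    if user not in users:
        findings.append(f"{user}: no entry in users.properties")
    for group in sorted(g for g, members in groups.items() if user in members):
        if group in WRITE_GROUPS:
            findings.append(f"{user}: member of write-capable group '{group}'")
    entry = realm.get(user)
    if entry is None:
        findings.append(f"{user}: no entry in jetty-realm.properties")
    else:
        for role in sorted(entry["roles"] & WRITE_ROLES):
            findings.append(f"{user}: holds Jetty role '{role}'")
        if entry["credential"] == user:
            findings.append(f"{user}: Jetty credential equals the username")
    if jmx_access.get(user) != "readonly":
        findings.append(f"{user}: JMX access is not 'readonly'")
    return findings


def audit_all():
    """Audit the constructed sample for the three accounts of interest."""
    groups = parse_groups(GROUPS_PROPERTIES)
    users = parse_properties(USERS_PROPERTIES)
    realm = parse_jetty_realm(JETTY_REALM_PROPERTIES)
    jmx = parse_jmx_access(JMX_ACCESS)
    return {u: audit_readonly_account(u, groups, users, realm, jmx)
            for u in ("guest", "system", "monitor")}


if __name__ == "__main__":
    for user, findings in audit_all().items():
        print(user, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against the question's files, the check shows why the "guest" account behaves oddly: its Jetty credential is just the username, and it has no JMX entry at all, so an out-of-process console using the answer's approach would have nothing to authenticate as. The "system" account is flagged at all three layers, which is what an admin account should look like.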