  1. ActiveMQ Classic
  2. AMQ-7186

Network bridge failing after authentication-plugin use


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.15.8
    • Fix Version/s: 5.15.8
    • Component/s: AMQP
    • Labels: None

    Description

      We are using Apache ActiveMQ version 5.15.8.

       

      We have created a broker-to-broker ActiveMQ network using SSH tunneling.

      Broker-A is enqueuing messages and the messages are getting dequeued at the Broker-B end.

      We have added the configuration below to restrict Broker-A from creating new queues other than the specified one.

       

      Below is configuration at Broker-B:

      1. Contents added in activemq.xml
              <plugins>
                  <simpleAuthenticationPlugin>
                      <users>
                          <authenticationUser username="admin" password=" adminpassword" groups="admins,all" />
                          <authenticationUser username="test" password="testpassword " groups="admins,all" />
                      </users>
                  </simpleAuthenticationPlugin>
                  <jaasAuthenticationPlugin configuration="activemq" />
                  <authorizationPlugin>
                    <map>
                      <authorizationMap>
                        <authorizationEntries>
                          <authorizationEntry queue="demo.test " read="admins" write="admins" admin="admins" />
                          <authorizationEntry topic="ActiveMQ.Advisory.>" read="admins" write="admins" admin="admins"/>
                        </authorizationEntries>
                      </authorizationMap>
                    </map>
                  </authorizationPlugin>
              </plugins>

       

      1. Contents of users.properties
      admin= adminpassword
      test= testpassword

       

      1. Contents of groups.properties
      admins=admin,test
      all=admin,test

       

      1. Contents of credentials.properties
      activemq.username=admin
      activemq.password= adminpassword

       

      1. Contents of jetty-realm.properties
      admin: adminpassword, admin
      test: testpassword, admin

       

      Below is configuration at Broker-A:

      1. Contents added in activemq.xml
              <networkConnectors>
                  <networkConnector name="testlinkconnector" userName="admin" password=" adminpassword " uri="static:(tcp://127.0.0.1:61618)?connection.useCompression=true" staticBridge="true">
                      <staticallyIncludedDestinations>
                         <queue physicalName=" demo.test"/>
                      </staticallyIncludedDestinations>
                  </networkConnector>
              </networkConnectors>

       

       

      If we just add the <simpleAuthenticationPlugin> plugin to the Broker-B configuration, then the bridge connection works between Broker-A and Broker-B.

      But when we add <simpleAuthenticationPlugin>, <jaasAuthenticationPlugin> and <authorizationPlugin> to the Broker-B configuration, the bridge connection does not work.

      We are getting the error below at the Broker-A end.

       

      2019-04-18 05:04:20,932 | INFO  | localhost bridge to localhost stopped | org.apache.activemq.network.DemandForwardingBridgeSupport | ActiveMQ BrokerService[localhost] Task-2263
      2019-04-18 05:04:50,930 | INFO  | Establishing network connection from vm://localhost to tcp://127.0.0.1:61618 | org.apache.activemq.network.DiscoveryNetworkConnector | ActiveMQ Task-2
      2019-04-18 05:04:50,973 | INFO  | Network connection between vm://localhost#4146 and tcp:///127.0.0.1:61618@37514 (localhost) has been established. | org.apache.activemq.network.DemandForwardingBridgeSupport | triggerStartAsyncNetworkBridgeCreation: remoteBroker=tcp:///127.0.0.1:61618@37514, localBroker= vm://localhost#4146
      2019-04-18 05:04:50,977 | ERROR | Network connection between vm://localhost#4146 and tcp:///127.0.0.1:61618@37514 shutdown due to a remote error: {} | org.apache.activemq.network.DemandForwardingBridgeSupport | ActiveMQ Transport: tcp:///127.0.0.1:61618@37514
      java.lang.SecurityException: User name [admin] or password is invalid.
              at org.apache.activemq.security.JaasAuthenticationBroker.authenticate(JaasAuthenticationBroker.java:97)[activemq-broker-5.15.8.jar:5.15.8]
              at org.apache.activemq.security.JaasAuthenticationBroker.addConnection(JaasAuthenticationBroker.java:68)[activemq-broker-5.15.8.jar:5.15.8]
              at org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:99)[activemq-broker-5.15.8.jar:5.15.8]
              at org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:99)[activemq-broker-5.15.8.jar:5.15.8]
              at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:843)[activemq-broker-5.15.8.jar:5.15.8]
              at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:77)[activemq-broker-5.15.8.jar:5.15.8]
              at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:139)[activemq-client-5.15.8.jar:5.15.8]
              at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:330)[activemq-broker-5.15.8.jar:5.15.8]
              at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:194)[activemq-broker-5.15.8.jar:5.15.8]
              at org.apache.activemq.transport.MutexTransport.onCommand(MutexTransport.java:50)[activemq-client-5.15.8.jar:5.15.8]
              at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:125)[activemq-client-5.15.8.jar:5.15.8]
              at org.apache.activemq.transport.AbstractInactivityMonitor.onCommand(AbstractInactivityMonitor.java:301)[activemq-client-5.15.8.jar:5.15.8]
              at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)[activemq-client-5.15.8.jar:5.15.8]
              at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)[activemq-client-5.15.8.jar:5.15.8]
              at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)[activemq-client-5.15.8.jar:5.15.8]
              at java.lang.Thread.run(Thread.java:748)[:1.8.0_191]

       

      We want Broker-A to be able to send messages only if it has proper credentials, and to create or send messages only to the specific queue (demo.test) at the Broker-B end.

      Broker-A can only create the demo.test queue at the Broker-B end if it does not exist. Broker-A should not create or send messages to any other queue at the Broker-B end even though it has proper credentials.
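Added example, not part of the original report or of ActiveMQ: a Python lint for the padded attribute values visible in the configuration as posted, and for a bridge password that differs byte for byte from the users.properties entry. The page does not say whether those spaces exist in the reporter's real files. The sample strings are constructed to mirror the posted snippets, the function names are hypothetical, and it is an assumption that users.properties is read with java.util.Properties semantics (whitespace after `=` dropped, trailing whitespace kept).

```python
import xml.etree.ElementTree as ET

# Constructed samples mirroring the shape of the Broker-B and Broker-A snippets in the report.
BROKER_B_XML = """<plugins>
  <simpleAuthenticationPlugin><users>
    <authenticationUser username="admin" password=" adminpassword" groups="admins,all"/>
  </users></simpleAuthenticationPlugin>
  <authorizationPlugin><map><authorizationMap><authorizationEntries>
    <authorizationEntry queue="demo.test " read="admins" write="admins" admin="admins"/>
  </authorizationEntries></authorizationMap></map></authorizationPlugin>
</plugins>"""
BROKER_A_XML = """<networkConnectors>
  <networkConnector name="testlinkconnector" userName="admin" password=" adminpassword " uri="static:(tcp://127.0.0.1:61618)">
    <staticallyIncludedDestinations><queue physicalName=" demo.test"/></staticallyIncludedDestinations>
  </networkConnector>
</networkConnectors>"""
USERS_PROPERTIES = "admin= adminpassword\ntest= testpassword\n"
CHECKED = {"username", "userName", "password", "queue", "topic", "physicalName"}

def local(el):
    """Tag name without an XML namespace prefix, so real activemq.xml files also match."""
    return el.tag.rsplit("}", 1)[-1]

def padded_attributes(xml_text):
    """Return (tag, attr, value) for checked attributes with leading/trailing whitespace."""
    return [(local(el), k, v) for el in ET.fromstring(xml_text).iter()
            for k, v in el.attrib.items() if k in CHECKED and v != v.strip()]

def load_properties(text):
    """Minimal key=value parse: whitespace after '=' is dropped, trailing whitespace is kept."""
    props = {}
    for line in text.splitlines():
        line = line.lstrip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.rstrip()] = value.lstrip()
    return props

def bridge_password_mismatches(connector_xml, users_props_text):
    """Compare each networkConnector password, byte for byte, with the users.properties entry."""
    users = load_properties(users_props_text)
    out = []
    for el in ET.fromstring(connector_xml).iter():
        if local(el) != "networkConnector":
            continue
        user, sent = el.get("userName"), el.get("password")
        if users.get(user) != sent:
            out.append((user, sent, users.get(user)))
    return out
```
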

       

          People

            Unassigned Unassigned
            pratibha.patil@siemens.com Pratibha