I create an ActiveMQ Artemis broker with a user (system) and password (systempass). The broker assigns a role to this user, and the broker instance's artemis-users.properties and artemis-roles.properties are updated accordingly.
I then create new users & roles for the broker instance as follows:
./artemis user add --user-command-user guest --user-command-password guest --role amq --user system --password systempass
The broker's artemis-users.properties and artemis-roles.properties are not updated with the new user, password, and role. Is this a problem?
How do I set MQ permissions for a Windows user (username and password) to be able to use a queue, so a Java client can get and put messages?
I already have a queue manager up and listening on (Windows) port 1414 on localhost and a queue defined.
Summary
The main question is how does one secure the setting of ACLs on Kafka. ACLs can be used to restrict who can consume / produce to topics, but how is the setting of ACLs restricted? E.g. some user on another network machine using kafka-acls.sh
Details
I am quite new to Kafka and I've just set up my first Kafka 1.0.0 cluster, and I am using the Kafka admin CLI (kafka-acls.sh) to grant ACLs for principals.
Here is the problem I found: I can use this kafka-acls.sh on any other machine to manipulate my Kafka cluster, without any permission required?! Is this an existing security issue?
My requirement is, as an admin, for my kafka topics I would grant read permission to the consumers. But if the consumer owners can use the kafka-acls.sh, they could add that permission by themselves.
I've tried these:
kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --cluster --operation Create --deny-principal User:*
kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --cluster --operation Alter --deny-principal User:*
Current ACLs for resource Cluster:kafka-cluster:
User:* has Deny permission for operations: Create from hosts: *
User:* has Deny permission for operations: Alter from hosts: *
I was hoping this could stop anyone from changing ACLs on any topics, but I can still grant permission to any principal. I am expecting some settings in the Kafka properties file that can do the work. My properties settings regarding ACLs are:
# Switch to enable topic deletion or not, default value is false
#delete.topic.enable=true
###To enable ZooKeeper authentication on brokers
zookeeper.set.acl=true
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:Admin
Any ideas on how to restrict the admin CLI, guys?
Any advice would be appreciated.
ACLs are stored in Zookeeper so you need to run Zookeeper in secure mode with authenticated access (requires Apache Kafka 0.9 or higher).
https://cwiki.apache.org/confluence/display/KAFKA/KIP-38%3A+ZooKeeper+Authentication
This will allow you to restrict the ACL admin tools from working anywhere and by anyone since they include a zookeeper client which will have to be configured with valid admin credentials in order to connect and change Kafka ACLs stored in Zookeeper.
There is an example secure Kafka broker and Zookeeper setup explained in this blog post
https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/
In more recent versions of Apache Kafka there is also an API called AdminClient which allows apps to be written without direct Zookeeper dependency or connections. In 1.0.0 the AdminClient includes methods to create ACLs.
https://kafka.apache.org/10/javadoc/index.html?org/apache/kafka/clients/admin/AdminClient.html
However at the moment the CLI commands in /bin have not been rewritten to use this new API which is why they still connect directly to Zookeeper.
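As an added example (not code from the question or the answer above), this is what the broker-authorized path looks like for the asker's scenario: granting a consumer read access to a topic through the 1.0.0 AdminClient instead of kafka-acls.sh, so the broker, not the caller's network position, decides whether the change is allowed. The broker address, the SASL_SSL listener, the consumer principal and the topic name are assumed; User:Admin is the super user from the asker's configuration.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.Properties;
import java.util.concurrent.ExecutionException;

import org.apache.kafka.clients.CommonClientConfigs;
import org.apache.kafka.clients.admin.AdminClient;
import org.apache.kafka.clients.admin.AdminClientConfig;
import org.apache.kafka.common.acl.AccessControlEntry;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.acl.AclPermissionType;
import org.apache.kafka.common.config.SaslConfigs;
import org.apache.kafka.common.errors.ClusterAuthorizationException;
import org.apache.kafka.common.resource.Resource;
import org.apache.kafka.common.resource.ResourceType;

public class TopicReadGrant {
    public static void main(String[] args) throws ExecutionException, InterruptedException {
        Properties props = new Properties();
        // Assumed: a broker with a SASL_SSL listener; the client must authenticate
        // as an identity the broker will authorize (here the super user User:Admin).
        props.put(AdminClientConfig.BOOTSTRAP_SERVERS_CONFIG, "broker1.example.internal:9093");
        props.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SASL_SSL");
        props.put(SaslConfigs.SASL_MECHANISM, "PLAIN");
        props.put(SaslConfigs.SASL_JAAS_CONFIG,
            "org.apache.kafka.common.security.plain.PlainLoginModule required "
            + "username=\"Admin\" password=\"<admin-password-placeholder>\";");

        try (AdminClient admin = AdminClient.create(props)) {
            // Allow User:consumer (assumed principal) to READ topic "orders" (assumed) from any host.
            // Resource(ResourceType, String) is the 1.0.0 API; later releases use ResourcePattern.
            AclBinding grant = new AclBinding(
                new Resource(ResourceType.TOPIC, "orders"),
                new AccessControlEntry("User:consumer", "*", AclOperation.READ, AclPermissionType.ALLOW));
            admin.createAcls(Collections.singletonList(grant)).all().get();

            // Read the ACLs back through the broker as well, so ZooKeeper is never contacted directly.
            Collection<AclBinding> acls = admin.describeAcls(AclBindingFilter.ANY).values().get();
            acls.forEach(System.out::println);
        } catch (ExecutionException e) {
            // A client that lacks Alter on the Cluster resource (and is not a super user)
            // is refused here instead of silently succeeding as a direct ZooKeeper write would.
            if (e.getCause() instanceof ClusterAuthorizationException) {
                System.err.println("Broker refused the ACL change: " + e.getCause().getMessage());
            } else {
                throw e;
            }
        }
    }
}
```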
I'm trying to connect my VB.NET application to a remote queue manager,
but I keep getting the following error: MQRC_Q_MGR_NAME_ERROR. Can anyone tell me what I'm doing wrong?
Here is the code I'm using:
Imports System.Collections
Imports IBM.WMQ
' Connection properties for the queue manager
Dim mqQMgr As MQQueueManager = Nothing
Dim props As New Hashtable()
props.Add(MQC.HOST_NAME_PROPERTY, "192.168.28.191")
props.Add(MQC.CHANNEL_PROPERTY, "SYSTEM.ADMIN.SVRCONN")
props.Add(MQC.USER_ID_PROPERTY, "AQ")
props.Add(MQC.PORT_PROPERTY, 1313)
props.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_BINDINGS)
mqQMgr = New MQQueueManager("QMSEPAM", props)
I also tried a different connection method (MQC.TRANSPORT_MQSERIES_CLIENT) and I get the following error:
"MQRC_NOT_AUTHORIZED"
Thanks in advance.
You need to set the MQC.TRANSPORT_PROPERTY property to MQC.TRANSPORT_MQSERIES_MANAGED or MQC.TRANSPORT_MQSERIES_CLIENT for connecting through a TCP/IP socket to a queue manager that is running on a remote machine or on the same machine as your application. MQC.TRANSPORT_MQSERIES_BINDINGS should be used only when the queue manager is running on the same machine as your application, in which case your application communicates with the queue manager using shared memory.
The MQRC_NOT_AUTHORIZED (2035) is thrown if the user with which your application is attempting to connect to a remote queue manager does not have authority. There are multiple ways of providing access to queue manager, talk to your IBM MQ Administrator to provide you the required authority. Take a look at this link. BTW what version of MQ are you using?
Update: Two points
1) Is user AQ the same as the logged-in user of the machine where the .NET application is running? MQ .NET v7.5 sends the logged-in user id to the queue manager for authorization unless you are using a security exit. If you are not using any security exit then the logged-in user id must exist on the remote machine and have authorization to connect.
2) Do not add user to mqm as users in that group are blocked from connecting to queue manager by the Channel Authentication feature
There are a couple of posts on SO that you can read:
WebSphere MQ v7.1 Security User Credentials
MQRC_NOT_AUTHORIZED error while connecting to Websphere MQ 7.1
Finally if you are just testing out your application and do not really need user id authorization, then you can disable channel authentication by running the below runmqsc command.
ALTER QMGR CHLAUTH (DISABLED)
I am a newbie with RabbitMQ planning to use this in one of our product lines. I read in the RabbitMQ documents that only the ROOT user can install and set up RabbitMQ. Is this a mandate?
In conventional configurations of Unix systems, only the root user can perform system installations.
On the other hand, RabbitMQ's default user is:
user: guest
pass: guest
I've got rabbitmq 2.8.2 set up with the web management interface running. The Queues and Exchanges show no data.
rabbitmqctl list_queues works and shows my queues.
I've done rabbitmqctl stop_app, start_app.. and also service rabbitmq-server restart.
Any idea how to get the queue & exchange details to populate?
I had removed the guest user and created a new user for myself. My new user did not have permission to access the / vhost. Adding that permission fixed my issue.
RabbitMQ users only have permission to view the queues that they created by default. Also, if you want the user to have access to the management console you need to grant the right privileges.
To solve this problem I ran:
rabbitmqctl set_user_tags <user> management
There is more information on setting up the correct permissions for accessing the management console on RabbitMQ's website: https://www.rabbitmq.com/management.html