Sunday, September 13, 2015

How to create users and assign permissions in Apache ActiveMQ broker using Simple Authentication Plugin




Recently I wanted to create a user in Apache ActiveMQ with permission only to publish and subscribe, but not to create queues. So I was playing around with the broker and found a simple, quick way to configure and create users and permissions.

I will be using the Simple Authentication Plugin in order to configure this.

Follow the steps below to create a user and assign user roles.


Step 1 Download Apache ActiveMQ


Download Apache ActiveMQ.


Step 2 Open activemq.xml


Extract the downloaded ActiveMQ package to a location of your choice and open {ACTIVEMQ_HOME}/conf/activemq.xml.


Step 3 Create ActiveMQ User



The snippet below enables the Simple Authentication Plugin. I have created two users with passwords and assigned them groups. Groups represent the permissions that the respective user is given, and different groups can be given different levels of permissions.

<plugins>
  <simpleAuthenticationPlugin>
    <users>
      <authenticationUser username="super" password="super" groups="admins"/>
      <authenticationUser username="jason" password="jason" groups="jrole"/>
    </users>
  </simpleAuthenticationPlugin>
</plugins>



Step 4 Assign Permission to the groups



Now that we have created the users, let's see how we can assign permissions to the groups "jrole" and "admins" which we created. There are 3 main roles in ActiveMQ:


  1. Write - Publish rights
  2. Read - Consume rights
  3. Admin - Create rights

The snippet below shows how we can assign permissions to the groups that we created.

<authorizationPlugin>
  <map>
    <authorizationMap>
      <authorizationEntries>
        <authorizationEntry queue=">" write="admins" read="admins" admin="admins"/>
        <authorizationEntry topic=">" write="admins" read="admins" admin="admins"/>
        <authorizationEntry queue=">" write="jrole" read="jrole"/>
        <authorizationEntry topic=">" write="jrole" read="jrole" admin="jrole"/>
      </authorizationEntries>
    </authorizationMap>
  </map>
</authorizationPlugin>

So for the "admins" role we have given write, read and admin permissions on both queues and topics. This means users who are given this role can create, consume from and publish to queues and topics.
The "jrole" role is given the same permissions, except that the queue admin right is not given.

If you now try to create a queue as user jason, the broker will refuse it.


Plugin configuration 


Below is the full plugin snippet; place it between the <broker> and </broker> tags in the activemq.xml config file.

<plugins>
  <!-- Users, their passwords and the groups they belong to -->
  <simpleAuthenticationPlugin>
    <users>
      <authenticationUser username="super" password="super" groups="admins"/>
      <authenticationUser username="jason" password="jason" groups="jrole"/>
    </users>
  </simpleAuthenticationPlugin>
  <!-- Permissions per group; ">" matches every queue or topic -->
  <authorizationPlugin>
    <map>
      <authorizationMap>
        <authorizationEntries>
          <authorizationEntry queue=">" write="admins" read="admins" admin="admins"/>
          <authorizationEntry topic=">" write="admins" read="admins" admin="admins"/>
          <!-- jrole: no admin on queues, so it cannot create them -->
          <authorizationEntry queue=">" write="jrole" read="jrole"/>
          <authorizationEntry topic=">" write="jrole" read="jrole" admin="jrole"/>
        </authorizationEntries>
      </authorizationMap>
    </map>
  </authorizationPlugin>
</plugins>
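
To check that a configuration like the one above grants what you intended, the following added example (not part of the original post or of ActiveMQ) parses the plugin block and lists the read/write/admin rights each user ends up with per destination pattern. It assumes entries for the same pattern are combined, as the post's description of the two `queue=">"` entries implies; `SAMPLE` is the post's snippet wrapped in a bare `<broker>` element, and `effective_permissions` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's plugin block inside a bare <broker> element
# (a real activemq.xml declares the ActiveMQ namespace, handled by local()).
SAMPLE = """<broker><plugins>
  <simpleAuthenticationPlugin><users>
    <authenticationUser username="super" password="super" groups="admins"/>
    <authenticationUser username="jason" password="jason" groups="jrole"/>
  </users></simpleAuthenticationPlugin>
  <authorizationPlugin><map><authorizationMap><authorizationEntries>
    <authorizationEntry queue=">" write="admins" read="admins" admin="admins"/>
    <authorizationEntry topic=">" write="admins" read="admins" admin="admins"/>
    <authorizationEntry queue=">" write="jrole" read="jrole"/>
    <authorizationEntry topic=">" write="jrole" read="jrole" admin="jrole"/>
  </authorizationEntries></authorizationMap></map></authorizationPlugin>
</plugins></broker>"""

OPS = ("read", "write", "admin")

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop "{namespace}" prefix if present

def split_csv(value):
    return {v.strip() for v in (value or "").split(",") if v.strip()}

def effective_permissions(xml_text):
    """Return {username: {(kind, pattern): set(ops)}} from the two plugins."""
    root = ET.fromstring(xml_text)
    users, entries = {}, []
    for el in root.iter():
        if local(el.tag) == "authenticationUser":
            users[el.get("username")] = split_csv(el.get("groups"))
        elif local(el.tag) == "authorizationEntry":
            entries.append(el)
    result = {}
    for name, groups in users.items():
        perms = {}
        for e in entries:
            for kind in ("queue", "topic"):
                if e.get(kind) is not None:
                    # Assumption: entries sharing a pattern are unioned.
                    granted = {op for op in OPS if groups & split_csv(e.get(op))}
                    perms.setdefault((kind, e.get(kind)), set()).update(granted)
        result[name] = perms
    return result

if __name__ == "__main__":
    for user, perms in effective_permissions(SAMPLE).items():
        print(user, {k: sorted(v) for k, v in perms.items()})
```

For the post's configuration this reports read and write but no admin for jason on `queue=">"`, which is the restriction Step 4 sets out to achieve.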