
How to configure an already ReadOnly user to allow just ReadOnly access in Amazon MQ WebConsole.

0

In my ActiveMQ broker setup, I have one user who should only be able to perform "read" actions on the queues; that's the way I configured it in the broker configuration.

Also, I would like to provide web console access to do some monitoring tasks, but then I realized that this ReadOnly user got superpowers and is able to delete queues and messages, which is not the expected behavior.

Any ideas of what kind of setup is needed in place to minimize their capabilities and do just what was conceived for him?

In the configuration their settings are like: <authorizationEntry queue="SYSTEM.1" read="customerservice"

The group "customerservice" is the group he belongs to.

Any ideas, Thanks.

asked 2 years ago, 870 views
2 Answers
7

Hello,

1. Configure Broker Authorization

Firstly, ensure that the broker's authorization policy is correctly set up to grant read-only access. Your current setup is partially correct but needs to be expanded to cover the web console permissions.

Edit the activemq.xml configuration file to define the appropriate authorizationEntry tags. You need to specify the admin, read, and write permissions for each destination:

<authorizationPolicy>
    <map>
        <authorizationMap>
            <authorizationEntries>
                <authorizationEntry queue=">" read="customerservice" write="admin" admin="admin"/>
                <authorizationEntry topic=">" read="customerservice" write="admin" admin="admin"/>
                <!-- Add other necessary authorization entries -->
            </authorizationEntries>
        </authorizationMap>
    </map>
</authorizationPolicy>

In this example, the customerservice group has read-only access to all queues and topics (queue=">" and topic=">"). Adjust the destinations as per your requirements.

2. Configure Web Console Security

ActiveMQ's web console uses JAAS (Java Authentication and Authorization Service) for authentication and authorization. You need to ensure that the roles and permissions for the web console are correctly defined.

JAAS Configuration

Edit the login.config file to define roles and link them to your LDAP or the activemq.xml file for role management. For example:

activemq-domain {
    org.apache.activemq.jaas.PropertiesLoginModule required
        org.apache.activemq.jaas.properties.user="users.properties"
        org.apache.activemq.jaas.properties.group="groups.properties";
};

Web Console Role Configuration

Edit the jetty-realm.properties file to set up the users and their roles. For example:

# users.properties
readonlyuser: readonlypassword, customerservice

# groups.properties
customerservice: readonlyuser

Web Console Context Configuration

In the web.xml file located in the webapps/admin/WEB-INF directory of ActiveMQ, define the security constraints to restrict actions based on roles:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>ActiveMQ Console</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
        <role-name>customerservice</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ActiveMQRealm</realm-name>
</login-config>

<security-role>
    <role-name>admin</role-name>
</security-role>
<security-role>
    <role-name>customerservice</role-name>
</security-role>

3. Adjust Console Permissions

To enforce read-only access in the web console, you may need to modify the jetty.xml file to fine-tune permissions, or use a custom plugin if necessary. However, typically, setting the correct roles and permissions as shown above should suffice.

4. Restart the Broker

After making these changes, restart your ActiveMQ broker to apply the new configurations.

sudo service activemq restart

5. Verify the Configuration

Log in to the web console with the readonlyuser credentials and verify that they can only view the queues and topics but cannot delete or create them.

EXPERT
answered 2 years ago
  • Hello Thanniru, I would like to say I'm glad about the detailed response, but there are still some pending items here. Let's clarify:

    • As you said, I didn't share here the whole <authorizationEntries>, just the part where I'm giving permissions to the user.

    But, because we are using hosted ActiveMQ (Amazon MQ for ActiveMQ), I'm unable to do and repeat all those steps. A partial section of my broker authorization also includes:

    <authorizationEntry admin="admins,activemq-webconsole" read="admins,users,activemq-webconsole" write="admins,activemq-webconsole" queue=">"/>

    Here is a link from AWS mentioning the activemq-webconsole group, and I have been thinking that in this context it is like the activemq-webconsole group prevails over the signed-in user's role. It's something I am minding. https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/child-element-details.html#authorizationEntry

    Since this user, who is configured with this read-only role, is allowed to use the ActiveMQ Web Console, then ... The user was created using the Amazon MQ console, following similar indications like this one: https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-listing-managing-users.html#create-new-user-console

  • Hi guys, any response related to Amazon MQ for ActiveMQ on how to avoid users with web console access, whom we considered as Viewers, getting superpowers and having access to do everything? I think it's related to the "activemq-webconsole" internal group, where the signed-in user rests (incorrectly) on the mentioned role and is able to do things you never planned for him.

0

Hi,

The "activemq-webconsole" group in Amazon MQ for ActiveMQ has admin permissions on all queues and topics.

While it is possible to restrict access of web console users in the standalone ActiveMQ configuration via separate configuration files (conf/jetty-realm.properties, etc.), this configuration change is not possible in the Amazon MQ service as of now. There is an existing feature request to support this feature, however there is no ETA or workaround.

I hope this addresses your concerns appropriately.

AWS
SUPPORT ENGINEER
answered 2 years ago
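The asker's comment above quotes an authorizationEntry that grants admin to the activemq-webconsole group, and the support answer confirms that group carries admin rights on every destination. The following audit script is an added example, not code from the page, the asker, or AWS: it parses an authorizationMap and reports the effective read/write/admin permissions of a user given the groups that user carries, which makes visible why a user whose own group is read-only ends up with full rights once the web console's group is attached. The sample XML is constructed for the example (it combines the asker's SYSTEM.1 entry with a catch-all entry in the shape of the one they quoted), and the wildcard matcher is a simplified rendering of ActiveMQ's destination rules ("*" matches one dot-separated segment, ">" matches one or more remaining segments), which is an assumption to keep in mind for edge cases.

```python
"""Audit the effective permissions a user has on an ActiveMQ destination,
given the broker's <authorizationMap> and the groups the user belongs to.

ActiveMQ unions the ACLs of every authorizationEntry whose pattern matches
the destination, and an operation is allowed when ANY of the user's groups
appears in the resulting set. Membership in an admin-bearing group such as
activemq-webconsole therefore dominates a read-only group on the same user.
"""
import xml.etree.ElementTree as ET

# Constructed sample (not copied from a real broker): the asker's read-only
# entry plus a catch-all entry naming the activemq-webconsole group.
SAMPLE_XML = """
<authorizationMap>
  <authorizationEntries>
    <authorizationEntry queue="SYSTEM.1" read="customerservice"/>
    <authorizationEntry queue=">" read="admins,users,activemq-webconsole"
                        write="admins,activemq-webconsole"
                        admin="admins,activemq-webconsole"/>
    <authorizationEntry topic="ActiveMQ.Advisory.>"
                        read="admins,users,activemq-webconsole"
                        write="admins,users,activemq-webconsole"
                        admin="admins,users,activemq-webconsole"/>
  </authorizationEntries>
</authorizationMap>
"""

OPS = ("read", "write", "admin")


def parse_entries(xml_text):
    """Return a list of entries: {"type", "pattern", "read", "write", "admin"},
    with each operation mapped to the set of group names allowed to perform it."""
    root = ET.fromstring(xml_text.strip())
    entries = []
    for el in root.iter("authorizationEntry"):
        dest_type = "queue" if "queue" in el.attrib else "topic"
        entry = {"type": dest_type, "pattern": el.attrib[dest_type]}
        for op in OPS:
            raw = el.attrib.get(op, "")
            entry[op] = {g.strip() for g in raw.split(",") if g.strip()}
        entries.append(entry)
    return entries


def dest_matches(pattern, destination):
    """Simplified ActiveMQ wildcard matching (assumption): segments are split
    on '.', '*' matches exactly one segment, '>' matches one or more remaining
    segments, and anything else must match literally."""
    p, d = pattern.split("."), destination.split(".")
    for i, seg in enumerate(p):
        if seg == ">":
            return len(d) > i
        if i >= len(d):
            return False
        if seg != "*" and seg != d[i]:
            return False
    return len(p) == len(d)


def effective_permissions(entries, groups, dest_type, destination):
    """Union the ACLs of every matching entry, then test each operation
    against the user's groups. Returns {"read": bool, "write": bool, "admin": bool}."""
    groups = set(groups)
    allowed = {op: set() for op in OPS}
    for e in entries:
        if e["type"] == dest_type and dest_matches(e["pattern"], destination):
            for op in OPS:
                allowed[op] |= e[op]
    return {op: bool(allowed[op] & groups) for op in OPS}


def explain(entries, user, groups, dest_type, destination):
    """One-line human-readable report for a user on one destination."""
    perms = effective_permissions(entries, groups, dest_type, destination)
    verdict = ", ".join(f"{op}={'yes' if ok else 'no'}" for op, ok in perms.items())
    return f"{user} (groups={sorted(groups)}) on {dest_type} {destination}: {verdict}"


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_XML)
    # The user as the asker intended: only the read-only customerservice group.
    print(explain(entries, "readonlyuser", ["customerservice"], "queue", "SYSTEM.1"))
    # The same user once the web console's activemq-webconsole group is attached.
    print(explain(entries, "readonlyuser",
                  ["customerservice", "activemq-webconsole"], "queue", "SYSTEM.1"))
```

Running the block prints read=yes, write=no, admin=no for the first line and read=yes, write=yes, admin=yes for the second: nothing in the customerservice entry changed, the admin right arrives purely through the second group's ACL on the ">" entry. Pointing the script at your own exported authorizationMap and the group list a console session actually carries is a quick way to confirm which entry is granting the unexpected rights.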
