FUSE ESB
  1. FUSE ESB
  2. ESB-1445

Embedded Activemq Authorization failing with blueprint configuration

    Details

    • Type: Bug Bug
    • Status: Open Open
    • Priority: Major Major
    • Resolution: Unresolved
    • Affects Version/s: 4.3.1-fuse-01-09
    • Fix Version/s: 4.3.1-fuse-xx-00
    • Component/s: None
    • Labels:
      None
    • Similar Issues:
      Show 10 results 

      Description

      Hi,

      I've run into an additional issue when testing the fix for MB-851. MB-851 corrected some several issues with activemq and LDAP authorization. Once this patch was made available, I tried to set it up as an embedded broker in Servicemix, 4.3.1-09 with the following results:

      Once the work-around for ESB-1434 was applied to use the Felix framework instead of Equinox, I was able to successfully authorize a request through a "Spring" configured broker. Unfortunately, when using a blueprint configured broker, my request fails with "User jdoe is not authorized to create: topic://ActiveMQ.Advisory.Connection". This was the exact issue that MB-851 was to fix. Upon further analysis, I can see that the spring configured broker has additional requests in the LDAP log:

      ldap_read: want=8, got=8
        0000:  30 81 a1 02 01 02 63 7f                            0.....c.
      ldap_read: want=156, got=156
        0000:  04 57 63 6e 3d 41 63 74  69 76 65 4d 51 2e 41 64   .Wcn=ActiveMQ.Ad
        0010:  76 69 73 6f 72 79 2c 6f  75 3d 54 6f 70 69 63 2c   visory,ou=Topic,
        0020:  6f 75 3d 44 65 73 74 69  6e 61 74 69 6f 6e 2c 6f   ou=Destination,o
        0030:  75 3d 41 63 74 69 76 65  4d 51 2c 6f 75 3d 73 79   u=ActiveMQ,ou=sy
        0040:  73 74 65 6d 2c 64 63 3d  66 75 73 65 73 6f 75 72   stem,dc=fusesour
        0050:  63 65 2c 64 63 3d 63 6f  6d 0a 01 01 0a 01 03 02   ce,dc=com.......
        0060:  01 00 02 01 00 01 01 00  a3 0b 04 02 63 6e 04 05   ............cn..
        0070:  61 64 6d 69 6e 30 08 04  06 6d 65 6d 62 65 72 a0   admin0...member.
        0080:  1b 30 19 04 17 32 2e 31  36 2e 38 34 30 2e 31 2e   .0...2.16.840.1.
        0090:  31 31 33 37 33 30 2e 33  2e 34 2e 32               113730.3.4.2
      ber_get_next: tag 0x30 len 161 contents:
      
      ...
      

      The configurations are identical and they both reference a jaas configuration from ./deploy. There's a bug somewhere.

      To summarize:

      • Updating the ./etc/activemq-broker.xml to use LDAP authorization (see attached blueprint_activemq_broker.xml) results in an authorization error on an ActiveMQ topic
      • Creating a new spring based configuration using activemq-create and then adding same LDAP configurations, works. (with workaround for ESB-1434)

      Re-creation steps:

      LDAP Set-up

      1. Open LDAP comes pre-installed on MAC:

      A. As root user copy, /private/var/db/openldap/openldap-data/DB_CONFIG.example to /private/var/db/openldap/openldap-data/DB_CONFIG. I didn't make any changes. 

      B. Put attached slapd.conf based on slapd.conf.default in /private/etc/openldap

      C. Start the server:
 nohup /usr/libexec/slapd -d 255 &

      D. Add entries: 
 ldapadd -x -D"cn=admin,dc=fusesource,dc=com" -W -f patched.ldif (attached)

      The password is "sunflower"

      Initial Servicemix Set-up

      1. Update Servicemix 4.3.1-09 to use the patched version of activemq (MB-851)
      A. Edit the system/org/apache/servicemix/apache-servicemix/4.3.1-fuse-01-09/apache-servicemix-4.3.1-fuse-01-09-activemq-features.xml :

      
replace <bundle>mvn:org.apache.activemq/activemq-core/5.4.2-fuse-01-00</bundle> with 
      <bundle>mvn:org.apache.activemq/activemq-core/5.4.2-fuse-03-00-SNAPSHOT</bundle>
      

      2. Change Framework to felix in ./etc/config.properties (per ESB-1434)

      karaf.framework=felix
      

      B. Start Servicemix, make sure activemq core file is correct and there is only one
      [ 45] [Active ] [Created ] [ ] [ 60] activemq-core (5.4.2.fuse-03-00-SNAPSHOT)

      Blueprint Use Case

      1. Deploy jaas configuration, attached ldap_amq_module.xml
      2. Stop current, default activemq-broker.xml.
      3. Replace the existing ./etc/activemq-broker.xml with the attached blueprint_activemq-broker.xml. The only change here is to remove connection pooling stuff and add the authentication and authorization. I removed the first part as the log fills up with the authorization errors based on the connection. It's easier to see it once with a producer (in my opinion).
      4. Update and restart the broker.
      5. Using the ProducerTool shipped with activemq, run run the demo "ant producer -Durl=tcp://0.0.0.0:61616 -Dmax=1"

       [java] javax.jms.JMSException: User jdoe is not authorized to create: topic://ActiveMQ.Advisory.Connection
           [java] 	at org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:49)
           [java] 	at org.apache.activemq.ActiveMQConnection.syncSendPacket(ActiveMQConnection.java:1295)
           [java] 	at org.apache.activemq.ActiveMQConnection.ensureConnectionInfoSent(ActiveMQConnection.jav
      

      Spring Use case

      1. Install activemq-spring if need be
      2. copy the attached LdapSpringBroker-broker.xml to ./deploy directory

      karaf@root> list |grep -i ldap
      [  31] [Active     ] [Created     ] [       ] [   60] ldap_amq_module.xml (0.0.0)
      [ 197] [Active     ] [            ] [Started] [   60] LdapSpringBroker-broker.xml (0.0.0)
      

      3. Using the ProducerTool shipped with activemq, run run the demo:
      "ant producer -Durl=tcp://0.0.0.0:61617 -Dmax=1"
      (Note slight IP change at end, 7 instead of 6).

      Message successfully put on queue.

      Other Considerations
      I do have problems with my blueprint broker going into a GracePeriod:

      [  55] [Active     ] [GracePeriod ] [       ] [   60] activemq-broker.xml (0.0.0)
      ..
      6:11:13,879 | WARN  | rint Extender: 3 | BlueprintContainerImpl           | 7 - org.apache.aries.blueprint - 0.2.0.incubating | Bundle activemq-broker.xml is waiting for namespace handlers [(&(objectClass=org.apache.aries.blueprint.NamespaceHandler)(osgi.service.blueprint.namespace=http://activemq.apache.org/schema/core))]
      16:12:21,172 | ERROR | rint Extender: 3 | BlueprintContainerImpl           | 7 - org.apache.aries.blueprint - 0.2.0.incubating | Unable to start blueprint container for bundle org.apache.servicemix.jbi.cluster.config due to unresolved dependencies [(objectClass=org.apache.servicemix.jbi.cluster.engine.ClusterRegistration), (objectClass=javax.jms.ConnectionFactory)]
      java.util.concurrent.TimeoutException
      	at org.apache.aries.blueprint.container.BlueprintContainerImpl$1.run(BlueprintContainerImpl.java:273)[7:org.apache.aries.blueprint:0.2.0.incubating]
      	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)[:1.6.0_22]
      	at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)[:1.6.0_22]
      	at java.util.concurrent.FutureTask.run(FutureTask.java:138)[:1.6.0_22]
      	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:98)[:1.6.0_22]
      	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:206)[:1.6.0_22]
      	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)[:1.6.0_22]
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)[:1.6.0_22]
      	at java.lang.Thread.run(Thread.java:680)[:1.6.0_22]
      
      

      To get around this I have to shutdown and/or blow away the data directory. I haven't been able to nail this down although various experiments in an non-patched version without LDAP seem to be fine.

      I think I have everything. I unzipped a fresh install of servicemix while I was doing this. If there any problems setting it up, please let me know.

      Susan

      1. amq_nohup.out
        144 kB
        Susan Javurek
      2. blueprint_activemq-broker.xml
        7 kB
        Susan Javurek
      3. ldap_amq_module.xml
        1 kB
        Susan Javurek
      4. LdapSpringBroker-broker.xml
        7 kB
        Susan Javurek
      5. patched.ldif
        6 kB
        Susan Javurek
      6. smx_nohup.out
        82 kB
        Susan Javurek

        Activity

        Hide
        Susan Javurek
        added a comment -

        I've also attached two more files:

        amq_nohup.out - LDAP debug output when authorization works

        smx_nohup.out - LDAP debug output in the blueprint configuration.

        Show
        Susan Javurek
        added a comment - I've also attached two more files: amq_nohup.out - LDAP debug output when authorization works smx_nohup.out - LDAP debug output in the blueprint configuration.
        Hide
        Guillaume Nodet
        added a comment -

        The error seen (TimeoutException) is unrelated. That one is caused because the NMR cluster engine could not find any JMS broker. So it's a consequence, not a cause.
        However the warning is actually problematic. It could mean that activemq-blueprint has not been deployed correctly or is not started.
        I've just sucessfully deployed the blueprint_activemq-broker.xml to a bare karaf after installing activemq-blueprint feature.

        Show
        Guillaume Nodet
        added a comment - The error seen (TimeoutException) is unrelated. That one is caused because the NMR cluster engine could not find any JMS broker. So it's a consequence, not a cause. However the warning is actually problematic. It could mean that activemq-blueprint has not been deployed correctly or is not started. I've just sucessfully deployed the blueprint_activemq-broker.xml to a bare karaf after installing activemq-blueprint feature.
        Hide
        Susan Javurek
        added a comment -

        Thanks Guillaume for looking at this farther and the feedback on the timeout. While I was writing up the test case Friday, I walked through
        a new install. I had two brokers deployed, spring version and the blueprint version. After I wrote the test case, I was trying out some more
        things as soon as I "updated" the blueprint activemq configuration, it flipped into this state. I tried un-installing activemq-blueprint, my broker
        and re-installing everything, however, it was still hung in that state. After shutting servicemix down and deleting the ./data directory, I got passed the
        issue. There were no other changes.

        As soon as I'm caught up on my other work, I'll try to make a concise test case just for that issue and get it logged separately.
        I mainly mentioned it in case you ran into it as I've hit it many times now.

        Susan

        Show
        Susan Javurek
        added a comment - Thanks Guillaume for looking at this farther and the feedback on the timeout. While I was writing up the test case Friday, I walked through a new install. I had two brokers deployed, spring version and the blueprint version. After I wrote the test case, I was trying out some more things as soon as I "updated" the blueprint activemq configuration, it flipped into this state. I tried un-installing activemq-blueprint, my broker and re-installing everything, however, it was still hung in that state. After shutting servicemix down and deleting the ./data directory, I got passed the issue. There were no other changes. As soon as I'm caught up on my other work, I'll try to make a concise test case just for that issue and get it logged separately. I mainly mentioned it in case you ran into it as I've hit it many times now. Susan

          People

          • Assignee:
            Unassigned
            Reporter:
            Susan Javurek
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated: