FUSE Message Broker
MB-859

Add support for wildcards for LDAP authorization map

      Description

      Currently there is no support for using wildcards when setting security policies in LDAP.

      Attachments

      1. activemq-apacheds.ldif (6 kB, Dejan Bosanac)
      2. activemq-apacheds.xml (2 kB, Dejan Bosanac)
      3. activemq-openldap.ldif (7 kB, Dejan Bosanac)
      4. activemq-openldap.xml (3 kB, Dejan Bosanac)

        Activity

        Ashwin Karpe
        added a comment -

        Hi All,

        I am at a customer who needs this to be added as a feature... They do not want to have individual queue/topic entries for authorization which is very inconvenient.

        In any case, I am still trying to get past MB-851 & DEV-3028

        Cheers,

        Ashwin...

        Matt Hernon
        added a comment -

        BQ:Medium It was reiterated on an FAA call that this will become a very important feature.

        Dejan Bosanac
        added a comment -

        I did some research on the topic and here's the proposal for the new feature.

        Instead of modifying the existing LDAP authorization plugin we should create a new one that will basically work the same way as the default authorization module works at the moment. It will load all information from the LDAP at startup and refresh that data at regular (configurable) intervals. In this way we would have the best of both worlds:

        • The flexibility of the authorization plugin that users are used to. The current LDAP schema could be used as well, except that we should use different symbols for wildcards, as a DN can't contain the > symbol. So this should be configurable as well, but by default we could use ANY_CHILD (for *) and ANY_DESCENDENT (for >). If no entries are found for a certain privilege, we should assume that access is denied for everyone.
        • Good performance, as the plugin will not access LDAP for every authorization request
        • Near real-time updates of data, which should be good enough for most users. The plugin would be updated without a restart of the broker, which I think is the main requirement for this kind of plugin. Waiting for a few minutes for the refresh should be ok.

        We could call the new module "cachedLDAPAuthorizationMap" or something similar.

        Dejan Bosanac
        added a comment -

        So I finally have this working. The source code is for now available in the fon project (ssh://git@forge.fusesource.com/fon.git) in the fon-activemq module.

        I spoke with Rob about this and the idea is that we should keep this closed source (for now) as an enterprise feature. This all can be discussed further of course.

        As for the functionality of the plugin, it implements both pull and push changes (as I discovered in the process of developing it, OpenLdap, which afaik the customer is using, does not support the "persistent search" option, so we need to pull for changes).

        Attached you can find 4 files that represent the ldif and broker configuration for both ApacheDS (supports push) and OpenLdap (does not). The ApacheDS configuration is used in tests, and if you install it on some other port you should change the connection uri in the xml config (take the openldap xml for example). The OpenLdap example is done using the server setup according to Susan's description in MB-851.

        You can also notice that there is a smaller number of configuration params. You can only set the ldap connection stuff and the baseDn where the ActiveMQ entries should be. I think this is the right approach as it eliminates most of the complexity of configuring the plugin.

        One note about the ldif format. It is very similar to the one that is used by the current plugin. The only important thing is that the '>' character is replaced with '$' for "any descendent", as some LDAP servers do not support > in a dn.

        The main parameter that determines whether we use push or pull for updates is "refreshInterval". If it's not set (or set to -1) it means that we will try to use the LDAP server's "persistent search" feature and will expect changes to be pushed to us. If you try this with a server that doesn't support it, you'll see an exception like "Operation not supported" on broker startup and no changes will be pushed.

        If you set "refreshInterval" to some meaningful value (in ms), on every authorization request we will check if we need to update our in-memory cache. This should all work fine as well and not impact the performance of the broker.

        Also I needed to add one improvement to the broker core in order for the pull option to work fine, so at the moment you'll need to use either the apache 5.6-SNAPSHOT or 5.5-fuse-SNAPSHOT version of the broker for this to work properly. This improvement can be easily merged to any version we need it in.

        To test this all out:

        1. Install the appropriate broker and set up the ldap server you want to use
        2. Import the appropriate ldif into the ldap server
        3. Get http://repo.fusesource.com/nexus/content/repositories/subscriber-snapshot/org/fusesource/fon/fon-activemq/1.0-SNAPSHOT/fon-activemq-1.0-20110601.093247-42.jar and copy it to the broker's lib/ folder
        4. Use the appropriate configuration and start the broker

        It'd be great if you could test this all out and see if it is fitting the customer's requirements.
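The two comments above (the proposal and the implementation notes) describe the behaviour of the cached map in prose only. The following is an added example, written for this page and not code from ActiveMQ, FUSE or the fon-activemq module: a small in-memory authorization map that loads ACL entries in bulk from an LDIF-style source (standing in for the LDAP search under baseDn), treats '*' as ANY_CHILD and '$' as ANY_DESCENDENT in place of '>', denies everyone when no entry matches a destination, and re-reads its source only once refreshInterval milliseconds have elapsed, so the per-request check never touches the directory. The flat LDIF layout (one entry per destination with read/write/admin attributes), the DN shape matched by the regex, and the group names are all constructed for the example and are not the schema of the attached files; '$' matching one or more trailing segments and permissions being the union of all matching entries are this example's reading of the proposal, not a description of the shipped module.

```python
"""Added example, not ActiveMQ/FUSE code: in-memory authorization map with
wildcard destinations ('*' = any child, '$' = any descendent instead of '>'),
deny-by-default for unmatched destinations, and interval-based refresh."""
import re
import time
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Set

ANY_CHILD = "*"        # exactly one dot-separated segment
ANY_DESCENDENT = "$"   # one or more remaining segments; stands in for '>' which some servers reject in a DN
OPERATIONS = ("read", "write", "admin")

# Constructed sample (assumed flat layout, not the attached files' schema).
SAMPLE_LDIF = """\
dn: cn=ORDERS.$,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
cn: ORDERS.$
read: cn=users,ou=Group
write: cn=producers,ou=Group
admin: cn=admins,ou=Group

dn: cn=PRICES.*,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
cn: PRICES.*
read: cn=users,ou=Group
write: cn=feeds,ou=Group
admin: cn=admins,ou=Group
"""


@dataclass(frozen=True)
class DestinationAcl:
    dest_type: str          # "queue" or "topic", taken from the ou= in the DN
    pattern: str            # destination name, possibly with wildcards
    read: FrozenSet[str]
    write: FrozenSet[str]
    admin: FrozenSet[str]


def parse_ldif(text: str) -> List[DestinationAcl]:
    """Parse blank-line separated entries (simplified LDIF: no folding or base64)."""
    acls = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        dn = attrs.get("dn", [""])[0]
        m = re.match(r"cn=([^,]+),ou=(Queue|Topic)", dn)   # assumed DN layout
        if not m:
            continue   # not a destination entry
        acls.append(DestinationAcl(
            dest_type=m.group(2).lower(), pattern=m.group(1),
            read=frozenset(attrs.get("read", [])),
            write=frozenset(attrs.get("write", [])),
            admin=frozenset(attrs.get("admin", []))))
    return acls


def matches(pattern: str, destination: str) -> bool:
    """Wildcard match on dot-separated names: '*' = one segment, '$' = one or more."""
    def go(pat, dest):
        if not pat:
            return not dest
        head, rest = pat[0], pat[1:]
        if head == ANY_DESCENDENT:
            return any(go(rest, dest[i:]) for i in range(1, len(dest) + 1))
        if not dest:
            return False
        if head == ANY_CHILD or head == dest[0]:
            return go(rest, dest[1:])
        return False
    return go(pattern.split("."), destination.split("."))


class CachedAuthorizationMap:
    """ACLs held in memory; the source is re-read only when refreshInterval (ms) has passed."""

    def __init__(self, source: Callable[[], str], refresh_interval_ms: int = -1,
                 clock: Callable[[], float] = time.monotonic):
        self._source = source            # stands in for the LDAP search under baseDn
        self._refresh_ms = refresh_interval_ms
        self._clock = clock
        self.loads = 0                   # how many times the source was read
        self.reload()

    def reload(self) -> None:
        """Full reload; in push mode a persistent-search callback would call this."""
        self._acls = parse_ldif(self._source())
        self._loaded_at = self._clock()
        self.loads += 1

    def _maybe_refresh(self) -> None:
        # refreshInterval unset or -1 means "expect pushes": never poll on the request path.
        if self._refresh_ms > 0 and (self._clock() - self._loaded_at) * 1000 >= self._refresh_ms:
            self.reload()

    def allowed(self, dest_type: str, destination: str, op: str, groups: Set[str]) -> bool:
        if op not in OPERATIONS:
            raise ValueError(f"unknown operation {op!r}")
        self._maybe_refresh()
        matching = [a for a in self._acls
                    if a.dest_type == dest_type and matches(a.pattern, destination)]
        if not matching:
            return False   # no entry covers this destination: deny everyone
        permitted = set().union(*(getattr(a, op) for a in matching))
        return not permitted.isdisjoint(groups)
```

The clock is injected so the refresh behaviour can be exercised without sleeping; with the default refresh_interval_ms of -1 the map never polls and relies on reload() being called from a push notification, mirroring the "Operation not supported" failure mode described above, where a server without persistent search would leave the cache stale until a positive refreshInterval is configured.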
        Dejan Bosanac
        added a comment -

        This feature is now pushed to apache trunk and is merged to the 5.4.x-fuse branch. You can test it in the latest (20110718.094326-5) snapshot from

        http://repo.fusesource.com/nexus/content/repositories/snapshots/org/apache/activemq/apache-activemq/5.4.2-fuse-03-00-SNAPSHOT/

        Documentation is now available at http://activemq.apache.org/cached-ldap-authorization-module.html


          People

          Assignee: Dejan Bosanac
          Reporter: Dejan Bosanac
          Votes: 0
          Watchers: 2
