New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ARTEMIS-1884 add plugin API for message level authorization policies #3281
Conversation
this looks nice but it seem too many hoops to go through to have a plugin implement a filter and a very specific new plugin type. A generic filter may be more generally applicable. canAccept behaving like filter.match and gating delivery. maybe the existing broker plugin can have a new:
and with the new getSubject accessor that can implement authorization. |
a6cde3e
to
b867432
Compare
@@ -2444,6 +2446,25 @@ public void callBrokerMessagePlugins(final ActiveMQPluginRunnable<ActiveMQServer | |||
callBrokerPlugins(getBrokerMessagePlugins(), pluginRun); | |||
} | |||
|
|||
@Override | |||
public boolean callBrokerMessagePluginsCanAccept(ServerConsumer serverConsumer, MessageReference messageReference) throws ActiveMQException { | |||
for (ActiveMQServerMessagePlugin plugin : getBrokerMessagePlugins()) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Default return should surely be false.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am probably not following what you are getting at. If no MessagePlugins are present or if all the plugins are using default canAccept implementation this returns true and no messages are filtered out. I am making an assumption that the results of all MessagePlugin#canAccept calls should be combined as an AND though so if any single plugin returns false the message will not be delivered to that consumer.
...is-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ServerConsumerImpl.java
Outdated
Show resolved
Hide resolved
...is-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ServerConsumerImpl.java
Outdated
Show resolved
Hide resolved
*/ | ||
@Override | ||
public Subject getSessionSubject(SecurityAuth session) { | ||
if (securityManager instanceof ActiveMQSecurityManager5) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a little specific, why only 5
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ActiveMQSecurityManager5 is the only ActiveMQSecurityManager API that exposes returning a users subject the other APIs abstracts away the details of JAAS to a greater extent.
8a3e5c2
to
f58ccf5
Compare
@ryeats for big features like this, it would be nice to also have a DISCUSS thread on the dev list explaining how things works, some designs.. etc... I'm not trying to pedantic or anything.. just saying it would be nice.. (like if you look at the dev-list now, you will see a thread I started myself for a PR I am going to make next week). |
Yeah this turned into a bigger change than i was thinking i am requesting permission to post to the dev forums now. |
@ryeats, I think this looks good for the most part, but it's a little hard to review with the commits separated out. Can you squash all the commits together? |
4768227
to
52e97b0
Compare
Hacked at the Perf test to try out a few cases. Turns out Roles are stored in the javax.security.auth.Subject as a "Set" thats really backed by linked list so they do effect performance which is disappointing. I tried to run the test in a way that made the worst case take place every time so canAccept returns true on the 100th role on the 100th consumer. Performance Test on a Queue:
I also tested against a topic worst case 50 consumers have the role and it is their 100th role. Had some trouble hitting memory or other system limits on this one so adjusted the consumers down to avoid that noise but it still wasn't super consistent. Performance Test on a Topic:
The numbers were not super consistent but do seem to show a trend towards higher with more consumers and roles. I think there has to be some expectation of a trade off in performance when doing message level authentication though. It is disappointing that java's role principles are not backed by a hash lookup but the number of roles is normally small. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You a need "negative" queue test in tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/MessageAuthorizationTest.java
(i.e. a test where the consumers can't receive the messages due to the incorrect role).
7a8e6d9
to
c103946
Compare
@jbertram don't know a better way to touch base but wanted to checkin and see if there was anything else holding this PR up and if so what are the next steps to push it along? |
@ryeats, sorry it took me so long to get back to this. Everything looks good. I'll merge it ASAP. |
@ryeats, nice work, BTW! |
No description provided.