In this demo, we are using s2i to apply customizations to AMQ 6 xPaaS Images.
The following customizations will be applied
-
create destinations on startup
-
RBAC for destinations
-
Loading a customized plugin to intercept the addConnection and addConsumer usecases
-
Changes to
activemq.xml
is to be loaded into a fileopenshift-activemq.xml
and placed into a folder callconfiguration
-
assemble
script in .s2i/bin -
Additional jar files to be placed in a
lib
folder -
Destinations to be created during startup are specified in the
<destinations>
section in openshift-activemq.xml.
We are using the default PropertyLoginModule
in the image.
It means a login.config
is present in /opt/amq/conf
which
points to users.properties
and groups.properties
Changes to users.properties
is to be pushed in via openshift-users.properties
This file will be placed configuration
#
# You must have at least one users to be able to access JBoss A-MQ resources
##### AUTHENTICATION #####
admin=admin
hr-user=password
finance-user=password
it-user=password
ops-user=password
superUser=password
Changes to groups.properties
can be pushed in via the same file
This file will be placed in configuration
#
# This file contains the roles for users who can log into JBoss A-MQ.
# Each line has to be of the format:
#
# GROUP=USER1,USER2,....
#
admin=admin,superUser
hr=hr-user
finance=finance-user
it=it-user
operation=ops-user
users=admin,superUser,it-user,hr-user,finance-user,ops-user
Authorization to the destinations will be handled by the <authorizationPlugin>
<plugins>
<!-- ##### AUTHENTICATION ##### -->
<bean id="customAuthenticationPlugin" class="com.demo.amqplugins.CustomAuthenticationPlugin" xmlns="http://www.springframework.org/schema/beans">
</bean>
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry topic=">" write="admin" read="admin" admin="admin" />
<authorizationEntry topic="demo.finance.>" write="finance" read="operation,finance" admin="admin" />
<authorizationEntry topic="demo.hr.>" write="hr" read="operation,hr" admin="admin" />
<authorizationEntry topic="demo.it.>" write="it" read="operation,it" admin="admin" />
<authorizationEntry topic="ActiveMQ.Advisory.>" read="users" write="users" admin="users"/>
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
</plugins>
$ oc new-project custom-amq
$ oc new-build registry.access.redhat.com/jboss-amq-6/amq63-openshift~https://github.com/wohshon/custom-xpaas-amq
$ oc get is
NAME DOCKER REPO TAGS UPDATED
amq63-openshift 172.30.1.1:5000/custom-amq/amq63-openshift latest 41 minutes ago
custom-xpaas-amq 172.30.1.1:5000/custom-amq/custom-xpaas-amq latest 41 minutes ago
-
the image stream must point to our newly created one
-
Optionally, point to a dedicated service account
$ sed -i 's/"image": "jboss-amq-63"/"image": "172.30.1.1:5000\/custom-amq\/custom-xpaas-amq"/g' amq63-basic.json $ sed -i '/"terminationGracePeriodSeconds": 60,/a\ "serviceAccountName": "amq-service-account",' amq63-basic.json
$ oc create -f ./amq63-basic.json
-
Create Service Account
$ echo '{"kind": "ServiceAccount", "apiVersion": "v1", "metadata": {"name": "amq-service-account"}}' | oc create -f -
$ oc policy add-role-to-user view system:serviceaccount:custom-amq:amq-service-account
$ oc new-app --template="custom-amq/amq63-basic" -p MQ_USERNAME=admin -p MQ_PASSWORD=admin -p AMQ_STORAGE_USAGE_LIMIT=2gb -p IMAGE_STREAM_NAMESPACE=custom-amq -p MQ_PROTOCOL="openwire,mqtt,amqp"
$ oc patch dc/broker-amq --patch '{"spec":{"triggers":[{"type": "ImageChange","imageChangeParams":{"containerNames": ["broker-amq"],"from": {"name": "custom-xpaas-amq:latest"}}}]}}'
$ oc rollout latest broker-amq
sample nodeport config
apiVersion: v1
kind: Service
metadata:
name: amq-mqtt-nodeport
namespace: amq
labels:
application: broker
spec:
ports:
- name: port-1
protocol: TCP
port: 1883
targetPort: 1883
nodePort: 30001
selector:
application: broker
type: NodePort
sessionAffinity: None
The mappings of the users to the topics are
- it-user : demo/it/request
- finance-user: demo/finance/job
- hr-user : demo/hr/newhire
- admin has all rights, and only they can create queue/topics
CustomPlugin:
Custom plugin intercepts and print out subscriber info
INFO | TOPIC topic://demo.hr.newhire
INFO | User hr-user
INFO | Context org.apache.activemq.security.JaasAuthenticationBroker$JaasSecurityContext@1e129afe
INFO | Principals [hr, users, hr-user]
INFO | Write Destinations {topic://demo.hr.newhire=topic://demo.hr.newhire}
INFO | ROLES: hr
INFO | ROLES: users
reference: https://access.redhat.com/solutions/2963501