Effective October 27, 2012, online and email support for FuseSource products will move to Red Hat support channels. For more information, please see the JIRA Migration to Red Hat FAQ.
As of October 27th, please open all new issues in the Red Hat Customer Portal .
Issue Details (XML | Word | Printable)

Key: ESB-1445
Type: Bug Bug
Status: Open Open
Priority: Major Major
Assignee: Unassigned
Reporter: Susan Javurek
Votes: 0
Watchers: 1
Operations

If you were logged in you would be able to see more operations.
FUSE ESB

Embedded Activemq Authorization failing with blueprint configuration

Created: 22/Apr/11 03:32 PM   Updated: 16/Mar/12 03:20 PM
Component/s: None
Affects Version/s: 4.3.1-fuse-01-09
Fix Version/s: 4.3.1-fuse-xx-00

File Attachments: 1. File amq_nohup.out (144 kB)
2. XML File blueprint_activemq-broker.xml (7 kB)
3. XML File ldap_amq_module.xml (1 kB)
4. XML File LdapSpringBroker-broker.xml (7 kB)
5. File patched.ldif (6 kB)
6. File smx_nohup.out (82 kB)


 Description  « Hide
Hi,

I've run into an additional issue when testing the fix for MB-851. MB-851 corrected some several issues with activemq and LDAP authorization. Once this patch was made available, I tried to set it up as an embedded broker in Servicemix, 4.3.1-09 with the following results:

Once the work-around for ESB-1434 was applied to use the Felix framework instead of Equinox, I was able to successfully authorize a request through a "Spring" configured broker. Unfortunately, when using a blueprint configured broker, my request fails with "User jdoe is not authorized to create: topic://ActiveMQ.Advisory.Connection". This was the exact issue that MB-851 was to fix. Upon further analysis, I can see that the spring configured broker has additional requests in the LDAP log:

ldap_read: want=8, got=8
  0000:  30 81 a1 02 01 02 63 7f                            0.....c.
ldap_read: want=156, got=156
  0000:  04 57 63 6e 3d 41 63 74  69 76 65 4d 51 2e 41 64   .Wcn=ActiveMQ.Ad
  0010:  76 69 73 6f 72 79 2c 6f  75 3d 54 6f 70 69 63 2c   visory,ou=Topic,
  0020:  6f 75 3d 44 65 73 74 69  6e 61 74 69 6f 6e 2c 6f   ou=Destination,o
  0030:  75 3d 41 63 74 69 76 65  4d 51 2c 6f 75 3d 73 79   u=ActiveMQ,ou=sy
  0040:  73 74 65 6d 2c 64 63 3d  66 75 73 65 73 6f 75 72   stem,dc=fusesour
  0050:  63 65 2c 64 63 3d 63 6f  6d 0a 01 01 0a 01 03 02   ce,dc=com.......
  0060:  01 00 02 01 00 01 01 00  a3 0b 04 02 63 6e 04 05   ............cn..
  0070:  61 64 6d 69 6e 30 08 04  06 6d 65 6d 62 65 72 a0   admin0...member.
  0080:  1b 30 19 04 17 32 2e 31  36 2e 38 34 30 2e 31 2e   .0...2.16.840.1.
  0090:  31 31 33 37 33 30 2e 33  2e 34 2e 32               113730.3.4.2
ber_get_next: tag 0x30 len 161 contents:

...

The configurations are identical and they both reference a jaas configuration from ./deploy. There's a bug somewhere.

To summarize:

  • Updating the ./etc/activemq-broker.xml to use LDAP authorization (see attached blueprint_activemq_broker.xml) results in an authorization error on an ActiveMQ topic
  • Creating a new spring based configuration using activemq-create and then adding same LDAP configurations, works. (with workaround for ESB-1434)

Re-creation steps:

LDAP Set-up

1. Open LDAP comes pre-installed on MAC:

A. As root user copy, /private/var/db/openldap/openldap-data/DB_CONFIG.example to /private/var/db/openldap/openldap-data/DB_CONFIG. I didn't make any changes. 

B. Put attached slapd.conf based on slapd.conf.default in /private/etc/openldap

C. Start the server:
 nohup /usr/libexec/slapd -d 255 &

D. Add entries: 
 ldapadd -x -D"cn=admin,dc=fusesource,dc=com" -W -f patched.ldif (attached)

The password is "sunflower"

Initial Servicemix Set-up

1. Update Servicemix 4.3.1-09 to use the patched version of activemq (MB-851)
A. Edit the system/org/apache/servicemix/apache-servicemix/4.3.1-fuse-01-09/apache-servicemix-4.3.1-fuse-01-09-activemq-features.xml : 


replace <bundle>mvn:org.apache.activemq/activemq-core/5.4.2-fuse-01-00</bundle> with 
<bundle>mvn:org.apache.activemq/activemq-core/5.4.2-fuse-03-00-SNAPSHOT</bundle>

2. Change Framework to felix in ./etc/config.properties (per ESB-1434)

karaf.framework=felix

B. Start Servicemix, make sure activemq core file is correct and there is only one
[ 45] [Active ] [Created ] [ ] [ 60] activemq-core (5.4.2.fuse-03-00-SNAPSHOT)

Blueprint Use Case

1. Deploy jaas configuration, attached ldap_amq_module.xml
2. Stop current, default activemq-broker.xml.
3. Replace the existing ./etc/activemq-broker.xml with the attached blueprint_activemq-broker.xml. The only change here is to remove connection pooling stuff and add the authentication and authorization. I removed the first part as the log fills up with the authorization errors based on the connection. It's easier to see it once with a producer (in my opinion).
4. Update and restart the broker.
5. Using the ProducerTool shipped with activemq, run run the demo "ant producer -Durl=tcp://0.0.0.0:61616 -Dmax=1"

[java] javax.jms.JMSException: User jdoe is not authorized to create: topic://ActiveMQ.Advisory.Connection
     [java] 	at org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:49)
     [java] 	at org.apache.activemq.ActiveMQConnection.syncSendPacket(ActiveMQConnection.java:1295)
     [java] 	at org.apache.activemq.ActiveMQConnection.ensureConnectionInfoSent(ActiveMQConnection.jav

Spring Use case

1. Install activemq-spring if need be
2. copy the attached LdapSpringBroker-broker.xml to ./deploy directory

karaf@root> list |grep -i ldap
[  31] [Active     ] [Created     ] [       ] [   60] ldap_amq_module.xml (0.0.0)
[ 197] [Active     ] [            ] [Started] [   60] LdapSpringBroker-broker.xml (0.0.0)

3. Using the ProducerTool shipped with activemq, run run the demo:
"ant producer -Durl=tcp://0.0.0.0:61617 -Dmax=1"
(Note slight IP change at end, 7 instead of 6).

Message successfully put on queue.

Other Considerations
I do have problems with my blueprint broker going into a GracePeriod:

[  55] [Active     ] [GracePeriod ] [       ] [   60] activemq-broker.xml (0.0.0)
..
6:11:13,879 | WARN  | rint Extender: 3 | BlueprintContainerImpl           | 7 - org.apache.aries.blueprint - 0.2.0.incubating | Bundle activemq-broker.xml is waiting for namespace handlers [(&(objectClass=org.apache.aries.blueprint.NamespaceHandler)(osgi.service.blueprint.namespace=http://activemq.apache.org/schema/core))]
16:12:21,172 | ERROR | rint Extender: 3 | BlueprintContainerImpl           | 7 - org.apache.aries.blueprint - 0.2.0.incubating | Unable to start blueprint container for bundle org.apache.servicemix.jbi.cluster.config due to unresolved dependencies [(objectClass=org.apache.servicemix.jbi.cluster.engine.ClusterRegistration), (objectClass=javax.jms.ConnectionFactory)]
java.util.concurrent.TimeoutException
	at org.apache.aries.blueprint.container.BlueprintContainerImpl$1.run(BlueprintContainerImpl.java:273)[7:org.apache.aries.blueprint:0.2.0.incubating]
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)[:1.6.0_22]
	at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)[:1.6.0_22]
	at java.util.concurrent.FutureTask.run(FutureTask.java:138)[:1.6.0_22]
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:98)[:1.6.0_22]
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:206)[:1.6.0_22]
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)[:1.6.0_22]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)[:1.6.0_22]
	at java.lang.Thread.run(Thread.java:680)[:1.6.0_22]

To get around this I have to shutdown and/or blow away the data directory. I haven't been able to nail this down although various experiments in an non-patched version without LDAP seem to be fine.

I think I have everything. I unzipped a fresh install of servicemix while I was doing this. If there any problems setting it up, please let me know.

Susan

 All   Comments   Change History      Sort Order: Ascending order - Click to sort in descending order
[ Permlink | « Hide ]
Susan Javurek added a comment - 22/Apr/11 03:41 PM
I've also attached two more files:

amq_nohup.out - LDAP debug output when authorization works

smx_nohup.out - LDAP debug output in the blueprint configuration.


[ Permlink | « Hide ]
Guillaume Nodet added a comment - 22/Apr/11 04:21 PM
The error seen (TimeoutException) is unrelated. That one is caused because the NMR cluster engine could not find any JMS broker. So it's a consequence, not a cause.
However the warning is actually problematic. It could mean that activemq-blueprint has not been deployed correctly or is not started.
I've just sucessfully deployed the blueprint_activemq-broker.xml to a bare karaf after installing activemq-blueprint feature.

[ Permlink | « Hide ]
Susan Javurek added a comment - 25/Apr/11 08:52 AM
Thanks Guillaume for looking at this farther and the feedback on the timeout. While I was writing up the test case Friday, I walked through
a new install. I had two brokers deployed, spring version and the blueprint version. After I wrote the test case, I was trying out some more
things as soon as I "updated" the blueprint activemq configuration, it flipped into this state. I tried un-installing activemq-blueprint, my broker
and re-installing everything, however, it was still hung in that state. After shutting servicemix down and deleting the ./data directory, I got passed the
issue. There were no other changes.

As soon as I'm caught up on my other work, I'll try to make a concise test case just for that issue and get it logged separately.
I mainly mentioned it in case you ran into it as I've hit it many times now.

Susan
Powered by Atlassian JIRA the Professional Issue Tracker. (Enterprise Edition, Version: 3.13.2-#335) - Bug/feature request - Atlassian news - Contact Administrators