java.lang.Exception: Insufficient roles/credentials for operation
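I am using ActiveMQ Artemis 2.16.0, whose management console is based on Hawtio. I have successfully integrated it with Keycloak (OpenID Connect) using these instructions.
Now I have upgraded to ActiveMQ Artemis 2.17.0 and it has stopped working. The Hawtio version seems to be the same: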
[io.hawt.jmx.JmxTreeWatcher] Welcome to Hawtio 2.11.0
Since ActiveMQ Artemis is very easy to upgrade, I can easily switch from one version to the other. I did so, and the log output seems to be the same:
[org.apache.activemq.artemis.core.server] AMQ221001: Apache ActiveMQ Artemis Message Broker version 2.17.0 [node1.some.domain, nodeID=bcf5b788-c0fd-11ea-9c54-0050568bf82b]
[org.apache.activemq.artemis.core.server] AMQ221053: Disallowing use of vulnerable protocol 'SSLv2Hello' on acceptor 'artemis'. See http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html for more details.
[io.hawt.web.plugin.HawtioPlugin] Registering plugin hawtio:type=plugin,name=activemq-branding
[org.apache.activemq.hawtio.branding.PluginContextListener] Initialized activemq-branding plugin
[io.hawt.web.plugin.HawtioPlugin] Registering plugin hawtio:type=plugin,name=artemis-plugin
[org.apache.activemq.hawtio.plugin.PluginContextListener] Initialized artemis-plugin plugin
[io.hawt.HawtioContextListener] Initialising hawtio services
[io.hawt.system.ConfigManager] Failed to look up environment context: null
[io.hawt.system.ConfigManager] Configuration will be discovered via system properties
[io.hawt.jmx.JmxTreeWatcher] Welcome to Hawtio 2.11.0
[io.hawt.system.ConfigManager] Property realm is set to value hawtio
[io.hawt.system.ConfigManager] Property role is set to value null
[io.hawt.system.ConfigManager] Property roles is set to value amq,artemis_admin,artemis_manager,artemis_viewer
[io.hawt.system.ConfigManager] Property rolePrincipalClasses is set to value org.keycloak.adapters.jaas.RolePrincipal
[io.hawt.system.ConfigManager] Property authenticationEnabled is set to value true
[io.hawt.system.ConfigManager] Property noCredentials401 is set to value false
[io.hawt.system.ConfigManager] Property keycloakEnabled is set to value true
[io.hawt.system.ConfigManager] Property authenticationContainerDiscoveryClasses is set to value io.hawt.web.tomcat.TomcatAuthenticationContainerDiscovery
[io.hawt.web.tomcat.TomcatAuthenticationContainerDiscovery] Realm explicit configured hawtio. Apache Tomcat userdata authentication integration not in use.
[io.hawt.web.auth.AuthenticationConfiguration] Starting hawtio authentication filter, JAAS realm: "hawtio" authorized role(s): "amq,artemis_admin,artemis_manager,artemis_viewer" role principal classes: "org.keycloak.adapters.jaas.RolePrincipal"
[io.hawt.system.ConfigManager] Property keycloakClientConfig is set to value file:/opt/artemis-broker/etc/keycloak-client-hawtio.json
[io.hawt.web.filters.ContentSecurityPolicyFilter] Found Keycloak URL: https://auth.some.domain/auth
[io.hawt.system.ConfigManager] Property http.strictTransportSecurity is set to value null
[io.hawt.web.filters.PublicKeyPinningFilter] HTTP Strict Transport Security is disabled
[io.hawt.system.ConfigManager] Property http.publicKeyPins is set to value null
[io.hawt.web.filters.PublicKeyPinningFilter] Public Key Pinning is disabled
[io.hawt.system.ConfigManager] Property sessionTimeout is set to value 1800
[io.hawt.system.ConfigManager] Property disableProxy is set to value false
[io.hawt.system.ConfigManager] Property proxyAllowlist is set to value localhost,
[io.hawt.system.ConfigManager] Property localAddressProbing is set to value true
[io.hawt.system.ProxyAllowlist] Probing local addresses ...
[io.hawt.system.ProxyAllowlist] Initial proxy allowlist: [localhost, 127.0.0.1, 10.3.84.148, node01.some.domain]
[io.hawt.web.servlets.JolokiaConfiguredAgentServlet] Jolokia overridden property: [key=policyLocation, value=file:/opt/artemis-broker/etc/jolokia-access.xml]
[org.apache.activemq.artemis] AMQ241001: HTTP Server started at https://0.0.0.0:8443
[org.apache.activemq.artemis] AMQ241002: Artemis Jolokia REST API available at https://0.0.0.0:8443/console/jolokia
[org.apache.activemq.artemis] AMQ241004: Artemis Console available at https://0.0.0.0:8443/console
[io.hawt.web.auth.SessionExpiryFilter] Accessing [/console/jolokia/], hawtio path is [jolokia]
[io.hawt.web.auth.AuthenticationFilter] Handling request for path /jolokia
[io.hawt.web.auth.AuthenticationFilter] Doing authentication and authorization for path /jolokia
[io.hawt.system.Authenticator] doAuthenticate[realm=hawtio, role=amq,artemis_admin,artemis_manager,artemis_viewer, rolePrincipalClasses=org.keycloak.adapters.jaas.RolePrincipal, configuration=null, username=myuser, password=******]
[org.keycloak.adapters.jaas.BearerTokenLoginModule] Declared options: keycloak-config-file=/export/opt/artemis-broker/etc/keycloak-server-bearer.json, role-principal-class=org.keycloak.adapters.jaas.RolePrincipal
[org.keycloak.adapters.authentication.ClientCredentialsProviderUtils] Using provider 'secret' for authentication of client 'artemis'
[org.keycloak.adapters.authentication.ClientCredentialsProviderUtils] Loaded clientCredentialsProvider secret
[org.keycloak.adapters.authentication.ClientCredentialsProviderUtils] Loaded clientCredentialsProvider jwt
[org.keycloak.adapters.authentication.ClientCredentialsProviderUtils] Loaded clientCredentialsProvider secret-jwt
[org.keycloak.adapters.authentication.ClientCredentialsProviderUtils] Loaded clientCredentialsProvider secret
[org.keycloak.adapters.authentication.ClientCredentialsProviderUtils] Loaded clientCredentialsProvider jwt
[org.keycloak.adapters.authentication.ClientCredentialsProviderUtils] Loaded clientCredentialsProvider secret-jwt
[org.keycloak.adapters.KeycloakDeployment] Resolving URLs from https://auth.some.domain/auth/realms/myrealm/.well-known/openid-configuration
[org.keycloak.adapters.KeycloakDeployment] Loaded URLs from https://auth.some.domain/auth/realms/myrealm/.well-known/openid-configuration
[org.keycloak.adapters.rotation.JWKPublicKeyLocator] Realm public keys successfully retrieved for client artemis. New kids: [kkFaKnnudVd5UxaVISthQL6VgTRIKYCUGanBKIiGGZg, kyipLFJfqsg9TxC94XAXy4VahWRbDRD0F_spMHJzhzk]
[io.hawt.system.Authenticator] Looking for rolePrincipalClass: org.keycloak.adapters.jaas.RolePrincipal
[io.hawt.system.Authenticator] Checking principal, classname: org.keycloak.KeycloakPrincipal toString: 771b46db-5e22-4318-8ef3-0ffd4b10d223
[io.hawt.system.Authenticator] principal class org.keycloak.KeycloakPrincipal doesn't match org.keycloak.adapters.jaas.RolePrincipal, continuing
[io.hawt.system.Authenticator] Checking principal, classname: org.keycloak.adapters.jaas.RolePrincipal toString: amq
[io.hawt.system.Authenticator] Matched role and role principal class
[io.hawt.web.auth.SessionExpiryFilter] Accessing [/console/jolokia/], hawtio path is [jolokia]
[io.hawt.web.auth.AuthenticationFilter] Handling request for path /jolokia
[io.hawt.web.auth.AuthenticationFilter] Doing authentication and authorization for path /jolokia
[io.hawt.system.Authenticator] doAuthenticate[realm=hawtio, role=amq,artemis_admin,artemis_manager,artemis_viewer, rolePrincipalClasses=org.keycloak.adapters.jaas.RolePrincipal, configuration=null, username=myuser, password=******]
[org.keycloak.adapters.jaas.BearerTokenLoginModule] Declared options: keycloak-config-file=/export/opt/artemis-broker/etc/keycloak-server-bearer.json, role-principal-class=org.keycloak.adapters.jaas.RolePrincipal
[io.hawt.system.Authenticator] Looking for rolePrincipalClass: org.keycloak.adapters.jaas.RolePrincipal
[io.hawt.system.Authenticator] Checking principal, classname: org.keycloak.KeycloakPrincipal toString: 771b46db-5e22-4318-8ef3-0ffd4b10d223
[io.hawt.system.Authenticator] principal class org.keycloak.KeycloakPrincipal doesn't match org.keycloak.adapters.jaas.RolePrincipal, continuing
[io.hawt.system.Authenticator] Checking principal, classname: org.keycloak.adapters.jaas.RolePrincipal toString: amq
[io.hawt.system.Authenticator] Matched role and role principal class
[io.hawt.web.auth.SessionExpiryFilter] Accessing [/console/jolokia/], hawtio path is [jolokia]
[io.hawt.web.auth.AuthenticationFilter] Handling request for path /jolokia
[io.hawt.web.auth.AuthenticationFilter] Doing authentication and authorization for path /jolokia
[io.hawt.system.Authenticator] doAuthenticate[realm=hawtio, role=amq,artemis_admin,artemis_manager,artemis_viewer, rolePrincipalClasses=org.keycloak.adapters.jaas.RolePrincipal, configuration=null, username=myuser, password=******]
[org.keycloak.adapters.jaas.BearerTokenLoginModule] Declared options: keycloak-config-file=/export/opt/artemis-broker/etc/keycloak-server-bearer.json, role-principal-class=org.keycloak.adapters.jaas.RolePrincipal
[io.hawt.system.Authenticator] Looking for rolePrincipalClass: org.keycloak.adapters.jaas.RolePrincipal
[io.hawt.system.Authenticator] Checking principal, classname: org.keycloak.KeycloakPrincipal toString: 771b46db-5e22-4318-8ef3-0ffd4b10d223
[io.hawt.system.Authenticator] principal class org.keycloak.KeycloakPrincipal doesn't match org.keycloak.adapters.jaas.RolePrincipal, continuing
[io.hawt.system.Authenticator] Checking principal, classname: org.keycloak.adapters.jaas.RolePrincipal toString: amq
[io.hawt.system.Authenticator] Matched role and role principal class
I am using these parameters:
-Dhawtio.authenticationEnabled=true
-Dhawtio.offline=true -Dhawtio.realm=hawtio
-Dhawtio.keycloakEnabled=true -Dhawtio.roles=amq,artemis_admin,artemis_manager,artemis_viewer
-Dhawtio.rolePrincipalClasses=org.keycloak.adapters.jaas.RolePrincipal
-Dhawtio.keycloakClientConfig=${ARTEMIS_INSTANCE_ETC_URI}keycloak-client-hawtio.json
-Dhawtio.keycloakServerConfig=${ARTEMIS_INSTANCE_ETC}/keycloak-server-bearer.json
-Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml
And management.xml is:
...
<role-access>
<match domain="org.apache.activemq.artemis">
<access method="list*" roles="amq,artemis_admin"/>
<access method="get*" roles="amq,artemis_admin"/>
<access method="is*" roles="amq,artemis_admin"/>
<access method="set*" roles="amq,artemis_admin"/>
<access method="*" roles="amq,artemis_admin"/>
</match>
...
But it seems that the roles coming from OpenID Connect do not match it.
Any ideas? If you need more configuration details, I can add them here.
Since ActiveMQ Artemis 2.18, integration with third-party login modules has been improved; see ARTEMIS-3168.
https://github.com/apache/activemq-artemis/tree/2.20.0/examples/features/standard/security-keycloak
provides a good example.
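A way to check what the posted log and management.xml say about role names, as an added example that is not part of the original question or answer: the script parses the Hawtio Authenticator log lines and the role-access rules and reports whether the role names agree at both layers. The sample inputs are constructed from the lines quoted in the question, and all function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: lines taken in shape from the log quoted in the question.
SAMPLE_LOG = """\
[io.hawt.system.ConfigManager] Property roles is set to value amq,artemis_admin,artemis_manager,artemis_viewer
[io.hawt.system.ConfigManager] Property rolePrincipalClasses is set to value org.keycloak.adapters.jaas.RolePrincipal
[io.hawt.system.Authenticator] Checking principal, classname: org.keycloak.KeycloakPrincipal toString: 771b46db-5e22-4318-8ef3-0ffd4b10d223
[io.hawt.system.Authenticator] Checking principal, classname: org.keycloak.adapters.jaas.RolePrincipal toString: amq
[io.hawt.system.Authenticator] Matched role and role principal class
"""
# Constructed sample: the role-access fragment from the question, made well-formed.
SAMPLE_MANAGEMENT_XML = """\
<role-access>
  <match domain="org.apache.activemq.artemis">
    <access method="list*" roles="amq,artemis_admin"/>
    <access method="*" roles="amq,artemis_admin"/>
  </match>
</role-access>
"""

PROP = re.compile(r"\[io\.hawt\.system\.ConfigManager\] Property (\S+) is set to value (.*)$")
PRINCIPAL = re.compile(r"\[io\.hawt\.system\.Authenticator\] Checking principal, classname: (\S+) toString: (.*)$")
MATCHED = "[io.hawt.system.Authenticator] Matched role and role principal class"

def split_csv(value):
    return {v.strip() for v in value.split(",") if v.strip()}

def parse_hawtio_log(text):
    """Collect Hawtio properties, the principals it inspected, and whether it matched a role."""
    props, principals, matched = {}, set(), False
    for line in map(str.strip, text.splitlines()):
        if m := PROP.search(line):
            props[m.group(1)] = m.group(2).strip()
        elif m := PRINCIPAL.search(line):
            principals.add((m.group(1), m.group(2).strip()))
        elif MATCHED in line:
            matched = True
    return props, principals, matched

def management_rules(xml_text):
    """Map (domain, method pattern) -> role names, ignoring any XML namespace."""
    local = lambda tag: tag.rsplit("}", 1)[-1]
    return {(m.get("domain"), a.get("method")): split_csv(a.get("roles", ""))
            for m in ET.fromstring(xml_text).iter() if local(m.tag) == "match"
            for a in m if local(a.tag) == "access"}

def triage(log_text, xml_text):
    props, principals, matched = parse_hawtio_log(log_text)
    role_classes = split_csv(props.get("rolePrincipalClasses", ""))
    token_roles = {name for cls, name in principals if cls in role_classes}
    rules = management_rules(xml_text)
    return {
        "hawtio_filter_matched": matched,
        "token_roles": sorted(token_roles),
        "accepted_by_hawtio": sorted(token_roles & split_csv(props.get("roles", ""))),
        "non_role_principal_classes": sorted({c for c, _ in principals if c not in role_classes}),
        "rules_without_name_match": sorted(k for k, r in rules.items() if not r & token_roles),
    }
```

On the question's data the login carries the role amq as an org.keycloak.adapters.jaas.RolePrincipal, Hawtio's filter accepts it, and every role-access rule lists amq, so the role names themselves agree in both places.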