Configure Access Control for the Bridge Service in OpenMQ 4.4

Bridging destinations

In a topology with multiple brokers, bridging them to move messages from one messaging domain to another is easy to achieve, as I showed in my last post.
One thing I did not show was how to create the bridges when you also want to enforce access control on the destinations.

When you create the reference to the local connection factory in your bridge XML configuration file, the configuration I showed in the last post looked like this:


<jmsbridge name="c1_to_c2">
    <!-- the link is what connects the destinations -->
    <link name="initial_link" enabled="true" transacted="true">
        <source connection-factory-ref="c1b1b2cf" destination-ref="src_dst_ref">
        </source>
        <target connection-factory-ref="c2b1cf" destination-ref="trg_dst_ref">
        </target>
    </link>
    <!-- this is the default connection factory definition -->
    <connection-factory ref-name="c1b1b2cf" />
    <!-- contains the remote broker references -->
    <connection-factory ref-name="c2b1cf" lookup-name="c2b1cf">
        <property name="java.naming.factory.initial"
                  value="com.sun.jndi.fscontext.RefFSContextFactory"/>
        <property name="java.naming.provider.url" value="file:///opt/sun/mq44/var/mq/instances/c1b1/c1b1_os"/>
    </connection-factory>
    <destination ref-name="src_dst_ref" name="sourcedest" type="queue"></destination>
    <destination ref-name="trg_dst_ref" name="targetdest" type="queue"></destination>
</jmsbridge>


The interesting thing here is the connection factory c1b1b2cf, which is specified without properties: this is a default connection factory that connects to the local broker to consume messages. It does, however, connect as guest/guest.

When enforcing access control on your destinations you want specific users to be able to consume and produce messages.
In the etc/accesscontrol.properties file you can set up lists of destinations and users like this:

queue.*.produce.allow.user=*
# for the queue sourcedest only the user "bridge" is allowed to consume
queue.sourcedest.consume.allow.user=bridge
queue.*.browse.allow.user=*
topic.*.produce.allow.user=*
topic.*.consume.allow.user=*

More details are in the excellent docs.sun.com reference on OpenMQ 4.4; note that to actually create users you need to use imqusermgr.
For access control to be enabled, set the property
imq.accesscontrol.enabled=true
in the props/config.properties file.

With the bridge XML definition above, local access to a destination will be done as guest/guest.
In order to specify which user you want to be when consuming messages from a local queue, you need to create a concrete connection factory definition that still connects to the local broker.
Thus:


<jmsbridge name="source_to_target">
<!-- the link is what connects the destinations -->
    <link name="initial_link" enabled="true" transacted="true">
        <source connection-factory-ref="sourcecf" destination-ref="src_dst_ref">
        </source>
        <target connection-factory-ref="targetcf" destination-ref="trg_dst_ref">
        </target>
    </link>
    <connection-factory ref-name="sourcecf" lookup-name="localcf">
        <property name="java.naming.factory.initial" value="com.sun.jndi.fscontext.RefFSContextFactory"/>
        <property name="java.naming.provider.url" value="file:///Users/trondstrmme/Downloads/mq44/localos"/>
    </connection-factory>
    <connection-factory ref-name="targetcf" lookup-name="sourcecf">
        <property name="java.naming.factory.initial" value="com.sun.jndi.fscontext.RefFSContextFactory"/>
        <property name="java.naming.provider.url" value="file:///Users/trondstrmme/Downloads/mq44/os"/>
    </connection-factory>

    <destination ref-name="src_dst_ref" name="sourcedest" type="queue">
    </destination>
    <destination ref-name="trg_dst_ref" name="targetdest" type="queue">
    </destination>
</jmsbridge>


The important thing to notice here is that I've defined two connection factories.
In the example above I've declared them in two separate object stores (localos and os in the java.naming.provider.url values); they can be declared in the same object store if you want, just use the same directory as the argument to the java.naming.provider.url property in both connection factory definitions.
To set up a connection factory in an object store use imqobjmgr.
Example:

./imqobjmgr add -t xcf -j "java.naming.factory.initial=com.sun.jndi.fscontext.RefFSContextFactory" -j "java.naming.provider.url=file:///Users/trondstrmme/Downloads/mq44/os" -o "imqAddressList=localhost:7676" -o "imqDefaultUsername=bridge" -o "imqDefaultPassword=bridge" -l sourcecf

For the connection factory that connects to the local broker, use localhost:port as the argument for imqAddressList.
Note the properties imqDefaultUsername and imqDefaultPassword: these are the credentials used to connect to the broker specified in the imqAddressList property.

Update:
I have received a clarification on how to configure the local connection factory.
A connection factory that is specified without lookup-name is a connection factory that would be created automatically. It connects to the broker that the bridge is running in, as specified in the sun_jmsbridge_1_0.dtd - "If no lookup-name is specified, a default MQ connection factory to the MQ broker with properties in property elements will be created." - Therefore it's possible to specify username/password to such a connection factory, that is, through the property element using MQ connection factory properties "imqDefaultUsername" and "imqDefaultPassword".
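Putting that clarification to use, here is an added example (not from the original post) of the second bridge definition rewritten so that the local side uses a default connection factory (no lookup-name) carrying imqDefaultUsername and imqDefaultPassword as property elements, instead of looking up a factory in the localos object store. The remote object store path is a placeholder; the user bridge/bridge is the one created with imqusermgr and allowed to consume from sourcedest in the accesscontrol.properties rules above.

```xml
<jmsbridge name="source_to_target">
    <!-- the link is what connects the destinations -->
    <link name="initial_link" enabled="true" transacted="true">
        <source connection-factory-ref="localcf" destination-ref="src_dst_ref">
        </source>
        <target connection-factory-ref="targetcf" destination-ref="trg_dst_ref">
        </target>
    </link>
    <!-- No lookup-name: the bridge creates a default connection factory to the
         broker it runs in (see sun_jmsbridge_1_0.dtd). The property elements
         set MQ connection factory properties on it, so the source link consumes
         from sourcedest as user "bridge" instead of guest/guest. -->
    <connection-factory ref-name="localcf">
        <property name="imqDefaultUsername" value="bridge"/>
        <property name="imqDefaultPassword" value="bridge"/>
    </connection-factory>
    <!-- The remote broker is still reached through an object store lookup;
         the file URL is a placeholder, use the path of your own object store. -->
    <connection-factory ref-name="targetcf" lookup-name="targetcf">
        <property name="java.naming.factory.initial" value="com.sun.jndi.fscontext.RefFSContextFactory"/>
        <property name="java.naming.provider.url" value="file:///PATH/TO/REMOTE/OBJECT/STORE"/>
    </connection-factory>
    <destination ref-name="src_dst_ref" name="sourcedest" type="queue">
    </destination>
    <destination ref-name="trg_dst_ref" name="targetdest" type="queue">
    </destination>
</jmsbridge>
```

With this variant the password lives in clear text in the bridge XML rather than in an object store directory, so restrict read access to that file to the account the broker runs as, exactly as you would for the object store. Keeping the consume rule on sourcedest limited to the bridge user means a client that still connects as guest/guest is refused when it tries to consume from that queue.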
