WIP: no login, token transferred to the broker
PoC to test the jolokia api server in a mode where it doesn't perform
any login verification and just forwards the Bearer token to the broker.
The user needs to provide a targetEndpoint and a Bearer token on every
request except api-info.

Based on Howard's work there: artemiscloud#23

This PoC is a simple stripped down version of Howard's work. It's a
draft for now, but it still demonstrates the capability; a bunch of work
is going to be needed to make it into a final version.
lavocatt committed Dec 16, 2024
1 parent f65dc48 commit 3626508
Showing 31 changed files with 1,917 additions and 521 deletions.
12 changes: 12 additions & 0 deletions .dockerignore
@@ -0,0 +1,12 @@
.git/
.gitignore
node_modules/
dist/
*.md
logs/
tmp
.eslintrc.yml
.prettierrc.yml
.test*
.jest.config.js
.users.json
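Review bot: `.users.json` is excluded from the build context but `.endpoints.json` and `.env` are not, even though the `.env` hunk in this same commit points `ENDPOINTS_FILE_URL` at `.endpoints.json` (broker access details) and carries `SECRET_ACCESS_TOKEN`. Add `.endpoints.json` and `.env` here unless the Dockerfile deliberately relies on them, so local credentials do not end up in image layers.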
16 changes: 10 additions & 6 deletions .env
Expand Up @@ -6,12 +6,16 @@ PLUGIN_NAME='ActiveMQ Artemis Jolokia api-server'
SERVER_CERT=/var/serving-cert/tls.crt
SERVER_KEY=/var/serving-cert/tls.key

# replace the token in production deployment
SECRET_ACCESS_TOKEN=1e13d44f998dee277deae621a9012cf300b94c91

# to trust jolokia certs
NODE_TLS_REJECT_UNAUTHORIZED='0'

# logging
LOG_LEVEL='info'
ENABLE_REQUEST_LOG='false'

# security

# replace the token in production deployment
SECRET_ACCESS_TOKEN=1e13d44f998dee277deae621a9012cf300b94c91

API_SERVER_SECURITY_ENABLED=true
API_SERVER_SECURITY_AUTH_TYPE=jwt
USERS_FILE_URL=.users.json
ENDPOINTS_FILE_URL=.endpoints.json
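Review bot: the hunk only moves `SECRET_ACCESS_TOKEN` under the new `# security` heading; the committed value is unchanged and now sits next to `API_SERVER_SECURITY_ENABLED=true`, so a deployment that keeps this file as-is signs jwt tokens with a key that is public in the repository. Since the commit message says this PoC skips login and forwards the Bearer token to the broker, state here which of `API_SERVER_SECURITY_AUTH_TYPE`, `USERS_FILE_URL` and `SECRET_ACCESS_TOKEN` still have any effect in that mode. The unchanged `NODE_TLS_REJECT_UNAUTHORIZED='0'` context line also deserves a second look while this file is being reorganised: it disables certificate verification for every outbound TLS connection from the process, including the broker connection the forwarded token travels over, which goes well beyond "trust jolokia certs".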
5 changes: 5 additions & 0 deletions .gitignore
Expand Up @@ -121,3 +121,8 @@ dist
.yarn/build-state.yml
.yarn/install-state.gz
.pnp.*

# vs code config
.vscode


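Review bot: the hunk ends with two trailing blank lines; one is enough. While touching this file, check that `.users.json` and `.endpoints.json` (the local credential stores that `USERS_FILE_URL` and `ENDPOINTS_FILE_URL` in `.env` point at) are ignored as well, since the `.dockerignore` added in this commit excludes only `.users.json`.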
62 changes: 60 additions & 2 deletions README.md
Expand Up @@ -37,7 +37,7 @@ yarn run build-api-doc
### deploy the service

```sh
./deploy.sh [-i <image> -n]
./deploy.sh [-i <image> -ns]
```

The optional `-i <image>` (or `--image <image>`) argument allows you to pass in
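Review bot: `[-i <image> -ns]` groups the new flag with the image option as if both had to be given together; write it as `[-i <image>] [-ns]` so the usage line matches the text below, which describes two independent optional arguments.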
Expand All @@ -49,6 +49,17 @@ deployed. for example:
./deploy.sh -i quay.io/<repo-username>/activemq-artemis-jolokia-api-server:1.0.1
```

The optional -ns (or --nosec) argument can be used to disable security.

---

**Note:**

you should enable security in your application. Disable security can only
be used for test purposes.

---

The `deploy.sh` script uses `oc kustomize` (built-in
[kustomize](https://github.com/kubernetes-sigs/kustomize)) command to configure
and deploy the plugin using resources and patches defined under ./deploy
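Review bot: the note should say what `-ns`/`--nosec` actually turns off (presumably the same switch as `API_SERVER_SECURITY_ENABLED` in `.env`, covering the authentication described in the Security Model section) so readers understand that the api-server then accepts requests from anyone who can reach it. Smaller points: put `-ns` and `--nosec` in backticks like `-i <image>` above, and reword "Disable security can only be used for test purposes" to "Disabling security is only acceptable for testing".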
Expand All @@ -67,6 +78,53 @@ jwt tokens. It has a default value in .env for dev purposes.

In production you should override it with your own secret.

The jwt-key-gen.sh is a tool to generate a random key and used in Dockerfile.
The jwt-key-gen.sh is a tool to generate a random key and used in Dockerfile.
It makes sure when you build the api server image a new random key is used.

## Security Model of the API Server

The API Server provides a security model that provides authentication and authorization of incoming clients.
The security can be enabled/disabled (i.e. via `API_SERVER_SECURITY_ENABLED` env var)

### Authentication

Currently the api server support `jwt` token authentication.

#### The login api

The login api is defined in openapi.yml

```yaml
/server/login
```

A client logs in to an api server by sending a POST request to the login path. The request body contains login information (i.e. username and password for jwt authentication type)

Please refer to [api.md](api.md) for details of the log api.

Currently the security manager uses local file to store user's info. The default users file name is `.users.json`
The users file name can be configured using `USERS_FILE_URL` env var. See `.test.users.json` for sample values.

### Authorization

Currently the api server doesn't perform authorization on logged in users.

### Endpoints Management

The server keeps a list of jolokia endpoints for clients to access. The endpoints are loaded from a local file named
`.endpoints.json`. Each top level entry represents a jolokia endpoint. An entry has a unique name and details to access the jolokia api. See `.test.endpoints.json` for sample values.

### Accessing a jolokia endpoint

When an authenticated client sends a request to the api-server, it should present its token in the request header

'Authorization: Bearer `token`'

It also need to give the `targetEndpoint` in the query part of the request if the request is to access an jolokia endpoint.

For example `/execBrokerOperation?targetEndpoint=broker1`.

### Direct Proxy

Direct Proxy means a client can pass a broker's endpoint info to the api-server in order to access it via the api-server.
For example the [self-provisioning plugin](https://github.com/artemiscloud/activemq-artemis-self-provisioning-plugin) uses this api to access the jolokia of a broker's jolokia endpoint.
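Review bot: the new Security Model section documents a `/server/login` flow backed by a users file, but the commit message says this PoC performs no login verification and forwards the Bearer token to the broker; document the mode this commit actually implements (which header and query parameters are required, and what the api-server validates before forwarding) or mark the login subsection as not applying to it. The Authorization subsection deserves one more sentence: with no authorization, any client holding a valid token can reach every endpoint, including `/execBrokerOperation`, against any entry in `.endpoints.json`. Minor fixes: show the header as `Authorization: Bearer <token>` in a code fence rather than inside single quotes, "It also need" should read "It also needs", "an jolokia endpoint" should read "a jolokia endpoint", and the `jwt-key-gen.sh` sentence shows up as an identical removed/added pair (whitespace-only change?).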