8.6. Add Authorization Entries

Overview

Before enabling LDAP authorization in the broker, you need to create a suitable tree of entries in the directory server to represent permissions. You need to create the following kinds of entry:
Queue entries
Each queue entry has a Common Name (cn), which can be the name of a specific queue or a wildcard pattern that matches multiple queues. Under each queue entry, you must create sub-entries for the admin, read, and write permissions.
Topic entries
Each topic entry has a Common Name (cn), which can be the name of a specific topic or a wildcard pattern that matches multiple topics. Under each topic entry, you must create sub-entries for the admin, read, and write permissions.
Advisory topics entry
In particular, you must define one topic entry with the Common Name, ActiveMQ.Advisory.$, which is a wildcard pattern that matches all advisory topics.
Temporary queues entry
A single Temp entry contains the admin, read, and write permissions that apply to all temporary queues.

Using wildcards in queue and topic entries

When setting the common name of queue and topic entries in the directory server, you can use any of the wildcards shown in Table 8.1, “Destination Name Wildcards in LDAP” to match one or more segments of a destination name.

Table 8.1. Destination Name Wildcards in LDAP

Wildcard   Description
.          Separates segments in a path name.
*          Matches any single segment in a path name.
$          Matches any number of segments in a path name.
For example, the pattern FOO.* matches FOO.BAR but not FOO.BAR.LONG, whereas the pattern FOO.$ matches both FOO.BAR and FOO.BAR.LONG.
Note
In the context of LDAP entries, the $ character is used instead of the usual > character to match multiple destination name segments.
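The wildcard rules above, as an added example that is not code from the original guide or from ActiveMQ itself: a small Python matcher for the `.`, `*` and `$` semantics, which assumes that `$` must consume at least one segment (the behaviour of the `>` wildcard it replaces) and which can also report which cn entries in the directory would apply to a given destination name.

```python
# Added example: destination-name wildcard matching for the LDAP cn patterns
# described above (not code from the original guide or from ActiveMQ itself).
# Assumption: '$' consumes one or more segments, like ActiveMQ's '>' wildcard.
from typing import List

SEPARATOR, ANY_SEGMENT, ANY_SEGMENTS = ".", "*", "$"


def _match(pattern: List[str], name: List[str]) -> bool:
    """Recursive segment-by-segment match of a split pattern against a split name."""
    if not pattern:
        return not name                      # both exhausted -> match
    head, rest = pattern[0], pattern[1:]
    if head == ANY_SEGMENTS:
        # '$' swallows at least one segment and may swallow all remaining ones
        return any(_match(rest, name[k:]) for k in range(1, len(name) + 1))
    if not name:
        return False                         # pattern longer than name
    return (head == ANY_SEGMENT or head == name[0]) and _match(rest, name[1:])


def matches(pattern: str, destination: str) -> bool:
    """True if an LDAP cn pattern (e.g. 'FOO.$') covers a destination name."""
    return _match(pattern.split(SEPARATOR), destination.split(SEPARATOR))


def ldap_cn_from_activemq(pattern: str) -> str:
    """Rewrite an ActiveMQ-style pattern ('FOO.>') into the LDAP cn form ('FOO.$')."""
    return pattern.replace(">", ANY_SEGMENTS)


def granting_entries(cn_patterns: List[str], destination: str) -> List[str]:
    """Which cn entries from the directory would apply to this destination."""
    return [cn for cn in cn_patterns if matches(cn, destination)]


if __name__ == "__main__":
    # Constructed sample: the two cn entries created by the steps in this section
    entries = ["$", "ActiveMQ.Advisory.$"]
    for dest in ("ORDERS.IN", "ActiveMQ.Advisory.Connection"):
        print(dest, "->", granting_entries(entries, dest))
```

Note that the bare `$` entry matches every name, which is why the cn=$ queue node grants rights on all queues at once.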

Steps to add authorization entries

Perform the following steps to add authorization entries to the directory server:
  1. The next few steps describe how to create the ou=ActiveMQ node.
    1. Right-click on the ou=system node and select New > New Entry. The New Entry wizard appears.
    2. In the Entry Creation Method pane, select the Create entry from scratch radio button. Click Next.
    3. In the Object Classes pane, select organisationalUnit from the list of Available object classes on the left and then click Add to populate the list of Selected object classes. Click Next.
    4. In the Distinguished Name pane, complete the RDN field, putting ou in front and ActiveMQ after the equals sign. Click Next and then click Finish.
  2. The next few steps describe how to create the ou=Destination, ou=Queue, ou=Topic, and ou=Temp nodes.
    1. Right-click on the ou=ActiveMQ node and select New > New Entry. The New Entry wizard appears.
    2. In the Entry Creation Method pane, select the Create entry from scratch radio button. Click Next.
    3. In the Object Classes pane, select organisationalUnit from the list of Available object classes on the left and then click Add to populate the list of Selected object classes. Click Next.
    4. In the Distinguished Name pane, complete the RDN field, putting ou in front and Destination after the equals sign. Click Next and then click Finish.
    5. In a similar manner to the preceding steps, by right-clicking on the ou=Destination node and invoking the New Entry wizard, create the following organisationalUnit nodes as children of the ou=Destination node:
      ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
      ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
      ou=Temp,ou=Destination,ou=ActiveMQ,ou=system
  3. In the LDAP Browser window, you should now see the following tree:

    Figure 8.3. DIT after Creating Destination, Queue, Topic and Temp Nodes
  4. The next few steps describe how to create the following nodes:
    cn=$,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
    cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
    These nodes represent name patterns that match queue names and topic names, respectively. The cn=$ queue node defines an entry that matches all queue names, so it can be used to define access rights for all queues. The cn=ActiveMQ.Advisory.$ node defines a topic entry that matches all advisory topics.
    1. Right-click on the ou=Queue node and select New > New Entry. The New Entry wizard appears.
    2. In the Entry Creation Method pane, select the Create entry from scratch radio button. Click Next.
    3. In the Object Classes pane, select applicationProcess from the list of Available object classes on the left and then click Add to populate the list of Selected object classes. Click Next.
    4. In the Distinguished Name pane, complete the RDN field, putting cn in front and $ after the equals sign (where $ represents the wildcard that matches any queue name). Click Next and then click Finish.
    5. In a similar manner to the preceding steps, by right-clicking on the ou=Topic node and invoking the New Entry wizard, create the following applicationProcess node as a child of the ou=Topic node:
      cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
  5. In the LDAP Browser window, you should now see the following tree:

    Figure 8.4. DIT after Creating Children of Queue and Topic Nodes
  6. The next few steps describe how to create nodes that represent admin, read, and write permissions for the queues and topics.
    1. Right-click on the cn=$ node and select New > New Entry. The New Entry wizard appears.
    2. In the Entry Creation Method pane, select the Create entry from scratch radio button. Click Next.
    3. In the Object Classes pane, select groupOfNames from the list of Available object classes on the left and then click Add to populate the list of Selected object classes. Click Next.
    4. In the Distinguished Name pane, complete the RDN field, putting cn in front and admin after the equals sign. Click Next.
    5. You are now prompted to provide a value for the mandatory member attribute, through the DN Editor dialog. In the text field, enter cn=admin,ou=roles,ou=system. Click Ok.
      Note
      The DN cn=admin,ou=roles,ou=system references a role that was created for the Apache Karaf JAAS authentication plug-in in a previous tutorial. These roles can be reused by the Apache ActiveMQ authorization plug-in, under certain conditions. See the section called “Compatibility with Apache Karaf principals” for details.
    6. Click Finish, to close the New Entry wizard.
    7. In a similar manner to the preceding steps, by right-clicking on the cn=$ node and invoking the New Entry wizard, create the following additional groupOfNames nodes as children of the cn=$ node:
      cn=read,cn=$,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
      cn=write,cn=$,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
  7. Copy the cn=admin, cn=read, and cn=write permission nodes and paste them as children of the cn=ActiveMQ.Advisory.$ node, as follows.
    Using a combination of mouse and keyboard, select the three nodes, cn=admin, cn=read, and cn=write, and type Ctrl-C to copy them. Select the cn=ActiveMQ.Advisory.$ node and type Ctrl-V to paste the copied nodes as children.
  8. Similarly, copy the cn=admin, cn=read, and cn=write permission nodes and paste them as children of the ou=Temp node.
  9. In the LDAP Browser window, you should now see the following tree:

    Figure 8.5. DIT after Creating Children of Queue, Topic and Temp Nodes
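The whole tree that steps 1 to 9 build by hand, as an added example that is not from the original guide: a Python script that emits the equivalent LDIF, so the same entries (under ou=system, with the permission groups pointing at the cn=admin,ou=roles,ou=system role from the earlier tutorial) can be loaded with an LDIF import tool such as ldapadd. It assumes the standard RFC 4519 spelling of the object class names.

```python
# Added example: generate an LDIF file equivalent to the tree built by the
# GUI steps above, so the same entries can be loaded with an ldapadd-style
# tool instead of clicked through. Not code from the original guide.
# Object class names follow the LDAP schema spelling (RFC 4519).
from typing import List, Tuple

BASE = "ou=ActiveMQ,ou=system"
DEST = f"ou=Destination,{BASE}"
QUEUE, TOPIC, TEMP = (f"ou={n},{DEST}" for n in ("Queue", "Topic", "Temp"))
ROLE_DN = "cn=admin,ou=roles,ou=system"   # Karaf JAAS role from the earlier tutorial
PERMISSIONS = ("admin", "read", "write")


def _entry(dn: str, object_class: str, attrs: List[Tuple[str, str]]) -> str:
    """One LDIF record: dn, objectClass lines, then the given attributes."""
    lines = [f"dn: {dn}", "objectClass: top", f"objectClass: {object_class}"]
    lines += [f"{name}: {value}" for name, value in attrs]
    return "\n".join(lines) + "\n"


def permission_entries(parent_dn: str, member_dn: str = ROLE_DN) -> List[str]:
    """admin/read/write groupOfNames children; member is mandatory for groupOfNames."""
    return [_entry(f"cn={p},{parent_dn}", "groupOfNames", [("cn", p), ("member", member_dn)])
            for p in PERMISSIONS]


def build_tree() -> List[str]:
    """All records in parent-before-child order, as an LDIF import requires."""
    records = [_entry(dn, "organizationalUnit", [("ou", dn.split(",")[0][3:])])
               for dn in (BASE, DEST, QUEUE, TOPIC, TEMP)]
    all_queues = f"cn=$,{QUEUE}"                          # matches every queue name
    advisory = f"cn=ActiveMQ.Advisory.$,{TOPIC}"          # matches every advisory topic
    records.append(_entry(all_queues, "applicationProcess", [("cn", "$")]))
    records.append(_entry(advisory, "applicationProcess", [("cn", "ActiveMQ.Advisory.$")]))
    for parent in (all_queues, advisory, TEMP):           # steps 6 to 8 above
        records.extend(permission_entries(parent))
    return records


def to_ldif(records: List[str]) -> str:
    """Join the records into one LDIF document (records separated by a blank line)."""
    return "\n".join(records)


def dns(records: List[str]) -> List[str]:
    """The DN of every record, for checking what would be created."""
    return [r.splitlines()[0][len("dn: "):] for r in records]


if __name__ == "__main__":
    print(to_ldif(build_tree()))
```

Review the printed DNs before importing: a cn=$ queue entry with a broad member grants that role rights on every queue, so the member DN is the value to get right.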