Chapter 3. Securing the Management Console

Overview

Securing the Management Console consists of the following aspects:
  • Authentication
  • Authorization and Roles
  • SSL/TLS security
  • Configuring Hawtio

Authentication

Authentication is enabled by default on the Management Console and is required in order for the Management Console to function correctly. The authentication mechanism consists of the following key elements:
  • HTTP BASIC authentication protocol—the standard HTTP protocol for transferring username/password credentials is the BASIC authentication protocol. This protocol sends username/password credentials in plaintext, so these credentials are vulnerable to snooping, unless you enable SSL/TLS security.
  • JAAS authentication—the Java Authentication and Authorization Service (JAAS) is a pluggable framework for authenticating credentials on the server side. The Jetty servlet container (which hosts the Management Console) is configured to use the karaf JAAS realm by default. This ensures that the Management Console uses the same pool of user credentials as the other standard container services (where the user credentials are usually stored in the etc/users.properties file by default, in a standalone container).

Authorization and Roles

The operations that an authenticated user is allowed to perform depend on the role (or roles) assigned to that user. The following table summarizes the management console operations that different roles are allowed to perform:
Column groups: admin group = admin, Administrator, SuperUser; Deployer group = Deployer, Auditor; viewer group = viewer, Monitor, Operator, Maintainer.

Operation                                 admin group   Deployer group   viewer group
Standalone Karaf
  login/logout                            Y             Y                Y
ActiveMQ
amq - Attributes
  view                                    Y             Y                Y
  change attribute value                  Y             Y                N
amq - Create
  Create queue & topic                    Y             Y                N
Queues & Topics
  View topics and queues                  Y             Y                Y
Browse
  list messages                           Y             Y                Y
  resend, move messages                   Y             Y                N
  delete messages                         Y             N                N
Delete
  purge queue                             Y             Y                N
  delete queue                            Y             Y                N
Send
  send messages                           Y             Y                N
Connect
  connect to another Fuse                 Y             Y                Y
Dashboard
  create/remove dashboard                 Y             Y                Y
  create/remove/move widgets              Y             Y                Y
Jetty
Connectors
  start/stop                              Y             N                N
Applications
  start/stop/uninstall                    Y             N                N
JMX
  change attribute value                  Y             Y                N
  view chart                              Y             Y                Y
Logs
  view logs                               Y             Y                Y
OSGi
  bundle operations                       Y             Y                N
  features un/install                     Y             N                N
Declarative services
  activate/deactivate                     Y             N                N
Framework configuration
  set startlevels                         Y             N                N
Terminal                                  Y             N                N
Threads
  view threads                            Y             Y                Y
Fabric
Containers
  create/start/stop/delete                Y             N                N
Profiles
  Deploy, Assign, Add Requirements        Y             Y                N
Wiki
  create/delete/edit/move/rename file     Y             N                N
  create/delete version                   Y             N                N
  change default version                  Y             N                N
Services
Containers
  create/start/stop/delete                Y             N                N
  add/remove profile                      Y             N                N
  open container in a new window          Y             Y                Y
Profiles
  change requirements (Target)            Y             N                N
MQ
  view the brokers                        Y             Y                Y
  create a new broker                     Y             N                N
  view Diagram                            Y             Y                Y
APIs
  deploy quickstarts                      Y             N                N
EIPs
  deploy quickstarts                      Y             N                N
Scaling
  set requirements                        Y             N                N
Dashboard
  create/remove dashboard                 Y             N                N
  copy dashboard/to profiles              Y             N                N
  create/remove/move widgets              Y             N                N
Preferences
  all settings (all are user-related)     Y             Y                Y
Help
  read all help topics                    Y             Y                Y
Logging console
  all logging console operations          Y             Y                Y
Insight perspective
  view logs                               Y             Y                Y
  view camel exchanges                    Y             Y                Y

SSL/TLS security

SSL/TLS security is not enabled by default for the Management Console. It is recommended that you enable SSL/TLS security on the Management Console to protect username/password credentials from snooping. For detailed instructions on how to enable SSL/TLS security, please see the following reference:

Configuring Hawtio

To close a security hole, Hawtio's proxy servlet now enforces a host whitelist: by default, Hawtio can only connect to localhost. If you want to connect Hawtio to other remote Fuse instances, you need to configure the whitelist as follows:
  • For Apache Karaf, add the following entry to the etc/system.properties file:
     hawtio.proxyWhitelist = localhost, 127.0.0.1, myhost1, myhost2, myhost3
    
  • For JBoss EAP, add the following system property to the standalone/configuration/standalone-*.xml file (note that both attribute values are quoted):
      <property name="hawtio.proxyWhitelist" value="localhost, 127.0.0.1, myhost1, myhost2, myhost3"/>
    
Note
  • In Standalone mode, Hawtio automatically probes the local network interfaces other than localhost/127.0.0.1 and adds them to the whitelist. Hence, there is no need to register the local machine's addresses in the whitelist manually.
  • In Fabric mode, Hawtio automatically gathers the IP addresses of the containers in the same fabric and adds them to the whitelist. Hence, there is no need to configure the proxy whitelist for them.

Upload Filter

You can enable a filter that prevents arbitrary file uploads to Hawtio. The filter verifies the content of each uploaded file against whitelist rules that are configured through the hawtio.upload.filter system property. The property uses the following syntax:
hawtio.upload.filter="signature=504B0304,offset=0,maxSize=10kb,exc=[@ *]"
In the above configuration, the filter pattern fields are defined as follows:
  • signature - the file's magic number, as hexadecimal bytes
  • offset - the byte position at which the magic number starts
  • maxSize - the maximum permitted file size
  • exc - a space-separated list of characters, enclosed in square brackets, that are allowed in an ASCII file
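The following added example (not Hawtio's own code) models the filter semantics described above: it parses a hawtio.upload.filter string and checks an uploaded byte string against the size, magic number and allowed-character rules. The size units and the reading of exc as the set of extra characters permitted in an ASCII upload are assumptions.

```python
import re

# Constructed filter string in the documented syntax (504B0304 is the ZIP magic number).
FILTER_SPEC = "signature=504B0304,offset=0,maxSize=10kb,exc=[@ *]"

_SIZE_UNITS = {"b": 1, "kb": 1024, "mb": 1024 ** 2}  # assumed unit handling


def parse_size(text):
    """Turn a maxSize value such as '10kb' into a byte count."""
    m = re.fullmatch(r"(\d+)\s*(b|kb|mb)?", text.strip().lower())
    if not m:
        raise ValueError("bad maxSize: %r" % text)
    return int(m.group(1)) * _SIZE_UNITS[m.group(2) or "b"]


def parse_filter(spec):
    """Parse 'key=value,...'; a comma inside the exc=[...] list is not a separator."""
    fields = {}
    for item in re.split(r",(?![^\[]*\])", spec):
        key, _, value = item.strip().partition("=")
        fields[key] = value.strip()
    return {
        "signature": bytes.fromhex(fields["signature"]),
        "offset": int(fields.get("offset", "0")),
        "max_size": parse_size(fields["maxSize"]),
        "exc": set(fields.get("exc", "[]").strip("[]").split()),
    }


def check_upload(data, flt):
    """Return (accepted, reason) for the uploaded bytes under the parsed filter."""
    if len(data) > flt["max_size"]:
        return False, "exceeds maxSize"
    start = flt["offset"]
    if data[start:start + len(flt["signature"])] == flt["signature"]:
        return True, "magic number matches"
    # Assumed reading of exc: a plain ASCII file is accepted only when every
    # character is alphanumeric, whitespace, or listed in exc.
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False, "binary data without the expected magic number"
    bad = sorted({c for c in text if not (c.isalnum() or c.isspace() or c in flt["exc"])})
    if bad:
        return False, "disallowed characters: %s" % "".join(bad)
    return True, "ASCII text with whitelisted characters only"
```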

Adding Cache to RBACRestrictor

The ActiveMQ tab in JBoss Hawtio can put a high load on the server: the tab refreshes every second, so with multiple users viewing it the resulting MBean invocations make the server load too high.
You can reduce the load by adding a cache based on Guava cache to RBACRestrictor, so that the MBean invocations occur less often. Cache entries expire after 10 minutes. Therefore, if you change the RBAC configuration, it may take up to 10 minutes for the change to propagate to Hawtio.
However, you can restart the Hawtio-Web console to invalidate the cache and make the changes visible immediately.
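The following added example (illustrative Python, not Hawtio's Guava-based code) models the cache behaviour described above with a fake clock, to show the window during which a revoked permission still takes effect and how invalidating the cache (what the console restart achieves) closes it. The role data and operation names are constructed.

```python
import time

CACHE_TTL_SECONDS = 10 * 60  # the documented 10-minute expiry


class RbacDecisionCache:
    """Time-expiring cache in front of a slow RBAC/MBean permission lookup."""

    def __init__(self, lookup, ttl=CACHE_TTL_SECONDS, clock=time.monotonic):
        self._lookup = lookup      # the expensive check being cached
        self._ttl = ttl
        self._clock = clock
        self._entries = {}         # (user, operation) -> (allowed, expires_at)
        self.misses = 0            # how often the real lookup ran

    def can_invoke(self, user, operation):
        key = (user, operation)
        now = self._clock()
        hit = self._entries.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]          # served from cache, possibly stale
        self.misses += 1
        allowed = self._lookup(user, operation)
        self._entries[key] = (allowed, now + self._ttl)
        return allowed

    def invalidate_all(self):
        """Drop every cached decision, as a console restart does."""
        self._entries.clear()


def demo():
    """Constructed scenario: revoke and re-grant a role while the cache is live."""
    roles = {"alice": {"admin"}}
    fake_now = [0.0]
    cache = RbacDecisionCache(lambda u, op: "admin" in roles.get(u, set()),
                              clock=lambda: fake_now[0])
    first = cache.can_invoke("alice", "purgeQueue")        # True, cache miss
    roles["alice"] = {"viewer"}                            # RBAC config changed
    stale = cache.can_invoke("alice", "purgeQueue")        # still True from cache
    fake_now[0] = CACHE_TTL_SECONDS + 1                    # entry has expired
    expired = cache.can_invoke("alice", "purgeQueue")      # False, cache miss
    roles["alice"] = {"admin"}                             # role granted again
    still_denied = cache.can_invoke("alice", "purgeQueue") # False from cache
    cache.invalidate_all()                                 # the restart effect
    after_restart = cache.can_invoke("alice", "purgeQueue")  # True, cache miss
    return first, stale, expired, still_denied, after_restart, cache.misses
```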