ansible-middleware / amq

A collection to manage AMQ brokers
Apache License 2.0

Cannot log in to the web console with default credentials: username `amq-broker` and password `amq-broker` #16

Closed RobertFloor closed 2 years ago

RobertFloor commented 2 years ago
SUMMARY

Cannot log in to the web console with default credentials: username `amq-broker` and password `amq-broker`

ISSUE TYPE
STEPS TO REPRODUCE
EXPECTED RESULTS

I expected to enter the AMQ webconsole with these credentials.

ACTUAL RESULTS
[root@amq1 etc]# cat login.config
activemq {
   org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required
       debug=true
       reload=true
       org.apache.activemq.jaas.properties.user="artemis-users.properties"
       org.apache.activemq.jaas.properties.role="artemis-roles.properties";
};

(screenshot attached: 2022-08-25, 15:43:29)

RobertFloor commented 2 years ago

I believe this login problem is caused by the file /etc/sysconfig/amq-broker. This file does not have the correct JAVA_ARGS environment variable.

[root@amq1 sysconfig]# cat amq-broker
# Ansible managed
JAVA_ARGS='-Xms1024m -Xmx2048m'
JAVA_HOME=/usr/lib/jvm/java-11-openjdk-11.0.16.0.8-1.el8_6.x86_64

While the JAVA_ARGS in artemis.profile is:

# Java Opts
if [ -z "$JAVA_ARGS" ]; then
    JAVA_ARGS="-XX:+PrintClassHistogram -XX:+UseG1GC -XX:+UseStringDeduplication -Xms512M -Xmx2G -Dhawtio.disableProxy=true -Dhawtio.realm=activemq -Dhawtio.offline=true -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal -Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml "
fi

This file is used by the systemd service file

[root@amq1 sysconfig]# cat /etc/systemd/system/amq-broker.service
# Ansible managed
[Unit]
Description=amq-broker Apache ActiveMQ Service
After=network.target

[Service]
Type=forking
EnvironmentFile=-/etc/sysconfig/amq-broker
PIDFile=/opt/amq/amq-broker/data/artemis.pid
ExecStart=/opt/amq/amq-broker/bin/artemis-service start
ExecStop=/opt/amq/amq-broker/bin/artemis-service stop
SuccessExitStatus = 0 143
RestartSec = 60
Restart = on-failure
LimitNOFILE=102642

[Install]
WantedBy=multi-user.target
[root@amq1 sysconfig]#
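
The mechanism behind the two files above: systemd loads the EnvironmentFile before ExecStart, and artemis.profile only applies its own default JAVA_ARGS (the one carrying the hawtio realm and Jolokia policy settings) when the variable is still empty. A sysconfig file that sets only heap sizes therefore replaces the default instead of extending it. The following is an added example written for this page, not code from the collection or from Artemis; the sysconfig sample and the profile default are copied from the thread, `${ARTEMIS_INSTANCE_ETC_URI}` is kept literally, and the list of required console properties is simply the `-D` options of that default.

```python
"""
Which JAVA_ARGS does the broker really start with?

systemd loads EnvironmentFile=/etc/sysconfig/amq-broker before ExecStart, and
artemis.profile only applies its own default (which carries the hawtio and
jolokia console settings) when JAVA_ARGS is still empty. A sysconfig file that
sets just the heap therefore drops -Dhawtio.realm=activemq and the console
no longer authenticates against the activemq JAAS realm.
"""
import shlex
from typing import Dict, List, Optional

# Default taken from the artemis.profile excerpt in the thread; the shell
# variable ${ARTEMIS_INSTANCE_ETC_URI} is kept literally, as the profile has it.
PROFILE_DEFAULT_JAVA_ARGS = (
    "-XX:+PrintClassHistogram -XX:+UseG1GC -XX:+UseStringDeduplication "
    "-Xms512M -Xmx2G -Dhawtio.disableProxy=true -Dhawtio.realm=activemq "
    "-Dhawtio.offline=true "
    "-Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal "
    "-Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml"
)

# System properties the web console relies on: the -D options of the default above.
REQUIRED_CONSOLE_PROPS = (
    "hawtio.disableProxy", "hawtio.realm", "hawtio.offline",
    "hawtio.rolePrincipalClasses", "jolokia.policyLocation",
)

# Constructed sample: the /etc/sysconfig/amq-broker posted in the thread.
SYSCONFIG_FROM_THREAD = """# Ansible managed
JAVA_ARGS='-Xms1024m -Xmx2048m'
JAVA_HOME=/usr/lib/jvm/java-11-openjdk-11.0.16.0.8-1.el8_6.x86_64
"""


def parse_environment_file(text: str) -> Dict[str, str]:
    """Minimal systemd EnvironmentFile parser: KEY=VALUE lines, optional quotes, # comments."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def effective_java_args(environment_file: Optional[str]) -> str:
    """Apply the profile's `if [ -z "$JAVA_ARGS" ]` rule: a non-empty value from
    the EnvironmentFile wins outright; the default is not merged in."""
    env = parse_environment_file(environment_file) if environment_file is not None else {}
    return env.get("JAVA_ARGS") or PROFILE_DEFAULT_JAVA_ARGS


def system_properties(java_args: str) -> Dict[str, str]:
    """Collect -Dname=value options from a JAVA_ARGS string."""
    props: Dict[str, str] = {}
    for tok in shlex.split(java_args):
        if tok.startswith("-D"):
            name, _, value = tok[2:].partition("=")
            props[name] = value
    return props


def missing_console_props(java_args: str) -> List[str]:
    """Console properties absent from the given JAVA_ARGS, in REQUIRED_CONSOLE_PROPS order."""
    present = system_properties(java_args)
    return [p for p in REQUIRED_CONSOLE_PROPS if p not in present]


def merged_java_args(environment_file: str) -> str:
    """Keep the operator's own options (heap sizes) and append the console
    properties from the profile default that were left out; an empty
    JAVA_ARGS simply keeps the default, as the profile would."""
    own = parse_environment_file(environment_file).get("JAVA_ARGS", "")
    if not own:
        return PROFILE_DEFAULT_JAVA_ARGS
    defaults = system_properties(PROFILE_DEFAULT_JAVA_ARGS)
    return " ".join([own] + [f"-D{p}={defaults[p]}" for p in missing_console_props(own)])


if __name__ == "__main__":
    args = effective_java_args(SYSCONFIG_FROM_THREAD)
    print("effective JAVA_ARGS:", args)
    print("missing console properties:", missing_console_props(args))
    print("merged JAVA_ARGS for sysconfig:", merged_java_args(SYSCONFIG_FROM_THREAD))
```

Run against the posted sysconfig, every console property is reported missing, which is why hawtio stopped using the activemq realm; with the EnvironmentFile disabled the profile default applies and nothing is missing. The merged string is the alternative to disabling the file: heap tuning stays in sysconfig and the console properties are restored alongside it.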
RobertFloor commented 2 years ago

So I was able to solve it by: 1. Disabling the environment file in the service (the broker functioned fine without it)

[root@amq1 etc]# cat /etc/systemd/system/amq-broker.service
# Ansible managed
[Unit]
Description=amq-broker Red Hat AMQ Broker Service
After=network.target

[Service]
Type=forking
#EnvironmentFile=-/etc/sysconfig/amq-broker
PIDFile=/opt/amq/amq-broker/data/artemis.pid
ExecStart=/opt/amq/amq-broker/bin/artemis-service start
ExecStop=/opt/amq/amq-broker/bin/artemis-service stop
SuccessExitStatus = 0 143
RestartSec = 60
Restart = on-failure
LimitNOFILE=102642

[Install]
WantedBy=multi-user.target

2. Disabling the user task in the systemd.yml playbook (currently it is not working correctly)

# - name: Create user and roles
#   ansible.builtin.include_tasks: user_roles.yml
#   when: amq_broker_users | length > 0

3. Allowing all hosts in the CORS policy in jolokia-access.xml

[root@amq1 etc]# cat jolokia-access.xml
<?xml version="1.0" encoding="utf-8"?>

<!-- This policy file controls the Jolokia JMX-HTTP bridge security options for the web console.
   see: https://jolokia.org/reference/html/security.html -->
<restrict>

    <cors>
        <!-- Allow cross origin access from 0.0.0.0 ... -->
        <allow-origin>*://*</allow-origin>

        <!-- Options from this point on are auto-generated by Create.java from the Artemis CLI -->
        <!-- Check for the proper origin on the server side, too -->
        <strict-checking/>
    </cors>

</restrict>
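
A caveat on step 3 above, as editorial commentary rather than part of the report: `<allow-origin>*://*</allow-origin>` accepts every Origin, so any web page open in an operator's browser can drive the Jolokia JMX-over-HTTP bridge with that browser's console session. It is a useful way to confirm that CORS was the blocker, not a setting to leave in place. The generator's comment in the posted file ("Allow cross origin access from 0.0.0.0") indicates the broker was created with its web host set to 0.0.0.0, so the generated entry matched only that literal address, which no browser ever sends as an Origin. The fragment below is an added example, not the collection's template or Artemis's own file; `amq1.example.com` and the vagrant address are placeholders for the names actually typed into the browser.

```xml
<?xml version="1.0" encoding="utf-8"?>
<restrict>
    <cors>
        <!-- Troubleshooting only: this matches every Origin -->
        <!-- <allow-origin>*://*</allow-origin> -->

        <!-- Preferred: one entry per hostname or address the console is reached by -->
        <allow-origin>*://amq1.example.com*</allow-origin>
        <allow-origin>*://192.168.2.211*</allow-origin>

        <!-- Also enforce the Origin check server-side, not only in the pre-flight -->
        <strict-checking/>
    </cors>
</restrict>
```

The scheme wildcard `*://` is what the generated file already uses; the host part is the only thing that needs widening, and it should be widened to the real names, not to everything.
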
RobertFloor commented 2 years ago

I believe the order should be role=user in the file etc/artemis-roles.properties

Currently it is the other way round in the template

Source: https://access.redhat.com/documentation/en-us/red_hat_amq/7.2/html/using_amq_broker/users

guidograzioli commented 2 years ago

You are absolutely right; at this point I'd create a PR to fix the template and also refactor the activemq_users and activemq_roles to a single dict of the form:

activemq_roles:
  - name: amq
    permissions: [ createNonDurableQueue, ... ]
    users:
      - name: "{{ activemq_instance_username }}"
        password: "{{ activemq_instance_password }}"
      - name: otheruser
        password: otherpass

I believe it would be less error-prone from the user side; what do you reckon?

guidograzioli commented 2 years ago

Reopening because molecule test still missing

RobertFloor commented 2 years ago

Hi, thanks for the fixes. I still believe there is a problem with the mask-passwords task. It masks the password, but the format is incorrect in the file etc/artemis-users.properties. I believe it should be salt:hashed_password.

amq-broker = ENC(16c4530d16e06cc5e6b2a760123f4360) vs

amq-broker = ENC(1024:FC3B94BB48CCBE5C1F49CBF590ABCBBA6174767243CF833547F4397790D14544:029ED239602334711A80481D16062F30F05CED28E4EFB47C132A0AFC486DDB84D45CD42EF659393331D09A3C2130E2229F6D40463A1FCB26B969ADD4DBF2CA1D)

This leads to the following error:

2022-09-02 08:01:50,668 WARN  [io.hawt.system.Authenticator] Login failed due to: java.lang.NumberFormatException: For input string: "16c4530d16e06cc5e6b2a760123f4360"
    at java.base/java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
    at java.base/java.lang.Integer.parseInt(Integer.java:652)
    at java.base/java.lang.Integer.parseInt(Integer.java:770)
    at org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec$PBKDF2Algorithm.verify(DefaultSensitiveStringCodec.java:229)
    at org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec.verify(DefaultSensitiveStringCodec.java:108)
    at org.apache.activemq.artemis.utils.SecureHashProcessor.compare(SecureHashProcessor.java:36)
    at org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule.login(PropertiesLoginModule.java:102)
    at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:747)
    at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:672)
    at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:670)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:670)
    at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:581)
    at io.hawt.system.Authenticator.login(Authenticator.java:208)
    at io.hawt.system.Authenticator.doAuthenticate(Authenticator.java:171)
    at io.hawt.system.Authenticator.authenticate(Authenticator.java:144)
    at io.hawt.web.auth.LoginServlet.doPost(LoginServlet.java:75)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1459)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)
    at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1626)
    at io.hawt.web.auth.LoginRedirectFilter.doFilter(LoginRedirectFilter.java:57)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
    at io.hawt.web.filters.HttpHeaderFilter.doFilter(HttpHeaderFilter.java:43)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
    at io.hawt.web.filters.HttpHeaderFilter.doFilter(HttpHeaderFilter.java:43)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
    at io.hawt.web.filters.HttpHeaderFilter.doFilter(HttpHeaderFilter.java:43)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
    at io.hawt.web.filters.HttpHeaderFilter.doFilter(HttpHeaderFilter.java:43)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
    at io.hawt.web.filters.HttpHeaderFilter.doFilter(HttpHeaderFilter.java:43)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
    at io.hawt.web.filters.HttpHeaderFilter.doFilter(HttpHeaderFilter.java:43)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
    at io.hawt.web.filters.HttpHeaderFilter.doFilter(HttpHeaderFilter.java:43)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
    at io.hawt.web.filters.HttpHeaderFilter.doFilter(HttpHeaderFilter.java:43)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
    at io.hawt.web.auth.SessionExpiryFilter.process(SessionExpiryFilter.java:107)
    at io.hawt.web.auth.SessionExpiryFilter.doFilter(SessionExpiryFilter.java:60)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:201)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
    at org.apache.activemq.artemis.component.AuthenticationFilter.doFilter(AuthenticationFilter.java:43)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
    at org.apache.activemq.artemis.component.JolokiaFilter.doFilter(JolokiaFilter.java:50)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:59)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
    at org.eclipse.jetty.server.Server.handle(Server.java:516)
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
    at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:386)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
    at java.base/java.lang.Thread.run(Thread.java:829)
guidograzioli commented 2 years ago

Hello, thanks for reporting. Have you added any configuration around the Codec for passwords? There are two formats understood by the default codec [1]:

In your stack-trace it is using the second, while it should have gone the former way

[1] https://github.com/apache/activemq-artemis/blob/main/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodec.java

guidograzioli commented 2 years ago

OK, found it in the docs: for artemis-users.properties they must be hashed, not encrypted [1]:

The default PropertiesLoginModule will not decode the passwords in artemis-users.properties but will instead hash the input and compare the two hashed values for password verification.

[1] https://github.com/apache/activemq-artemis/blob/fd9eb2ec9fe94aad1ef47e5139e4481eeb529de6/docs/user-manual/en/masking-passwords.md

RobertFloor commented 2 years ago

Hi guido thanks for the investigation I have not made any changes to the Ansible code, only using this host file:

❯ cat hosts_vagrant.yml

all:
  children:
    amq:
      children:
        left:
          hosts: 192.168.2.211
        right:
          hosts: 192.168.2.212
      vars:
        #amq_broker_configure_firewalld: True
        #amq_broker_version: 7.10.0
        #amq_broker_ha_enabled: True
        #amq_broker_prometheus_enabled: True
guidograzioli commented 2 years ago

We switched from hashed to encrypted because it is not trivial to implement changed_when with hashed passwords (the salt changes every time, so templating the users would report a change, triggering restarts and breaking idempotency). However, since it seems we need hashed one-way passwords, we will have to take the long path: we'll have to write a filter to generate the hash with the existing salt, compare, and replace only if changes are detected; it will also require an additional python lib on the controller (passlib)
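
The two points raised above (the `ENC(<hex>)` value comes from the two-way codec and cannot be verified by PropertiesLoginModule, and templating hashed values breaks idempotency because each run mints a new salt) can both be handled on the controller with the standard library: the stored format is PBKDF2-HMAC-SHA1 with the parameters readable off the sample value (1024 iterations, 32-byte salt, 64-byte derived key), and the idempotency problem goes away if the filter re-derives the hash with the salt already in the file and keeps the entry when it still matches. The following is an added example written for this page, not code from the collection or from Artemis. It assumes Java's PBEKeySpec encodes the password as UTF-8 and that the hex fields are written upper-case, as in the sample above; `render_users_properties` is a hypothetical helper standing in for the collection's template.

```python
"""
Hashed passwords for artemis-users.properties, the way PropertiesLoginModule
expects them.

The login module never decrypts ENC(...) values: it re-hashes the password
from the login attempt with the stored salt and compares the two hashes. The
stored form written by Artemis's PBKDF2 codec is
    ENC(<iterations>:<salt hex>:<hash hex>)
(PBKDF2-HMAC-SHA1, 1024 iterations, 32-byte salt, 64-byte key, as in the
sample value in the thread). A two-way encrypted value ENC(<hex>) has no ':'
fields, so the verifier's Integer.parseInt on the first field fails, which
is the NumberFormatException seen in the trace.
"""
import hashlib
import hmac
import os
import re
from typing import Dict, Optional

ITERATIONS = 1024
SALT_BYTES = 32
KEY_BYTES = 64
ENC_RE = re.compile(r"^ENC\((.*)\)$")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return ENC(iterations:SALT:HASH); fresh random salt unless one is given.
    Assumes UTF-8 password bytes (what Java's PBEKeySpec uses) and upper-case
    hex, matching the sample value."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_BYTES)
    return f"ENC({iterations}:{salt.hex().upper()}:{dk.hex().upper()})"


def classify(stored: str) -> str:
    """'plain' (no ENC wrapper), 'hashed' (iterations:salt:hash) or
    'encrypted' (bare hex from the two-way codec)."""
    m = ENC_RE.match(stored.strip())
    if m is None:
        return "plain"
    return "hashed" if m.group(1).count(":") == 2 else "encrypted"


def verify(password: str, stored: str) -> bool:
    """Mirror PBKDF2Algorithm.verify: re-derive with the stored salt and
    iteration count, compare in constant time. An encrypted value is an
    error here, just as it is for the login module."""
    kind = classify(stored)
    if kind == "plain":
        return hmac.compare_digest(password.encode("utf-8"), stored.encode("utf-8"))
    if kind == "encrypted":
        raise ValueError("ENC(<hex>) is a two-way encrypted value; "
                         "PropertiesLoginModule cannot verify it")
    iters, salt_hex, hash_hex = ENC_RE.match(stored.strip()).group(1).split(":")
    expected = bytes.fromhex(hash_hex)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def desired_entry(password: str, current: Optional[str]) -> str:
    """Idempotent templating rule: keep the existing hash when the desired
    password still verifies against it (same salt, hence same text);
    otherwise mint a new one."""
    if current is not None and classify(current) == "hashed" and verify(password, current):
        return current
    return hash_password(password)


def parse_properties(text: str) -> Dict[str, str]:
    """Read 'user = value' lines from an existing artemis-users.properties."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        user, value = line.split("=", 1)
        entries[user.strip()] = value.strip()
    return entries


def render_users_properties(users: Dict[str, str], current_file: str) -> str:
    """Hypothetical template helper: render the file, reusing hashes that
    still match, so a second run with the same passwords yields identical
    content (no spurious change, no broker restart)."""
    existing = parse_properties(current_file)
    return "".join(f"{user} = {desired_entry(pw, existing.get(user))}\n"
                   for user, pw in users.items())
```

Rendering the file a second time from the previous output produces byte-identical content, which is what an Ansible template needs for `changed` to stay false; a changed password, or an entry still in the encrypted `ENC(<hex>)` form, is replaced with a fresh hash. No passlib is needed because `hashlib.pbkdf2_hmac` covers the algorithm in use.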

RobertFloor commented 2 years ago

Can't you use the artemis create user command?

[root@amq1 bin]# ./artemis user
NAME
        artemis user - default file-based user management (add|rm|list|reset)
        (example ./artemis user list)

Or a Jolokia Call?

guidograzioli commented 2 years ago

Both require the service to be configured and running, statically having the artemis-users.properties template would be beneficial