Chapter 3. Securing the Management Console
Overview
Securing the Management Console consists of the following aspects:
- Authentication
- Authorization and Roles
- SSL/TLS security
- Configuring Hawtio
Authentication
Authentication is enabled by default on the Management Console and is required in order for the Management Console to function correctly. The authentication mechanism consists of the following key elements:
- HTTP BASIC authentication protocol—the standard HTTP protocol for transferring username/password credentials is the BASIC authentication protocol. This protocol sends username/password credentials in plaintext, so these credentials are vulnerable to snooping, unless you enable SSL/TLS security.
- JAAS authentication—the Java Authentication and Authorization Service (JAAS) is a pluggable framework for authenticating credentials on the server side. The Jetty servlet container (which hosts the Management Console) is configured to use the karaf JAAS realm by default. This ensures that the Management Console uses the same pool of user credentials as the other standard container services (where the user credentials are usually stored in the etc/users.properties file by default, in a standalone container).
Authorization and Roles
The operations that an authenticated user is allowed to perform depend on the role (or roles) assigned to that user. The following table summarizes the management console operations that different roles are allowed to perform:
Operation | admin, Administrator, SuperUser | Deployer, Auditor | viewer, Monitor, Operator, Maintainer |
Standalone Karaf | |||
login/logout | Y | Y | Y |
ActiveMQ | |||
amq - Attributes | |||
view | Y | Y | Y |
change attribute value | Y | Y | N |
amq - Create | |||
Create queue & topic | Y | Y | N |
Queues & Topics | |||
View topics and queues | Y | Y | Y |
Browse | |||
list messages | Y | Y | Y |
resend, move messages | Y | Y | N |
delete messages | Y | N | N |
Delete | |||
purge queue | Y | Y | N |
delete queue | Y | Y | N |
Send | |||
send messages | Y | Y | N |
Connect | |||
connect to another Fuse | Y | Y | Y |
Dashboard | |||
create/remove dashboard | Y | Y | Y |
create/remove/move widgets | Y | Y | Y |
Jetty | |||
Connectors | |||
start/stop | Y | N | N |
Applications | |||
start/stop/uninstall | Y | N | N |
JMX | |||
change attribute value | Y | Y | N |
view chart | Y | Y | Y |
Logs | |||
view logs | Y | Y | Y |
OSGi | |||
bundle operations | Y | Y | N |
features un/install | Y | N | N |
Declarative services | |||
activate/deactivate | Y | N | N |
Framework configuration | |||
set startlevels | Y | N | N |
Terminal | Y | N | N |
Threads | |||
view threads | Y | Y | Y |
Fabric | |||
Containers | |||
create/start/stop/delete | Y | N | N |
Profiles | |||
Deploy, Assign, Add Requirements | Y | Y | N |
Wiki | |||
create/delete/edit/move/rename file | Y | N | N |
create/delete version | Y | N | N |
change default version | Y | N | N |
Services | |||
Containers | |||
create/start/stop/delete | Y | N | N |
add/remove profile | Y | N | N |
open container in a new window | Y | Y | Y |
Profiles | |||
change requirements (Target) | Y | N | N |
MQ | |||
view the brokers | Y | Y | Y |
create a new broker | Y | N | N |
view Diagram | Y | Y | Y |
APIs | |||
deploy quickstarts | Y | N | N |
EIPs | |||
deploy quickstarts | Y | N | N |
Scaling | |||
set requirements | Y | N | N |
Dashboard | |||
create/remove dashboard | Y | N | N |
copy dashboard/to profiles | Y | N | N |
create/remove/move widgets | Y | N | N |
Preferences | |||
all settings (all are user-related) | Y | Y | Y |
Help | |||
read all help topics | Y | Y | Y |
Logging console | |||
all logging console operations | Y | Y | Y |
Insight perspective | |||
view logs | Y | Y | Y |
view camel exchanges | Y | Y | Y |
SSL/TLS security
SSL/TLS security is not enabled by default for the Management Console. It is recommended that you enable SSL/TLS security on the Management Console to protect username/password credentials from snooping. For detailed instructions on how to enable SSL/TLS security, please see the following reference:
Configuring Hawtio
To patch a security hole, Hawtio's proxy servlet now enforces whitelist host protection: by default, Hawtio can connect only to localhost. If you want to connect Hawtio to other remote Fuse instances, you need to configure the whitelist as follows:
- For Apache Karaf, make the following configuration change in the etc/system.properties file:
  hawtio.proxyWhitelist = localhost, 127.0.0.1, myhost1, myhost2, myhost3
- For JBoss EAP, make the following configuration change in the standalone/configuration/standalone-*.xml file:
  <property name="hawtio.proxyWhitelist" value="localhost, 127.0.0.1, myhost1, myhost2, myhost3"/>
Note
- In the Standalone mode, Hawtio automatically probes the local network interfaces other than localhost/127.0.0.1 and adds them to the whitelist. Hence, there is no need to manually register the local machine's addresses in the whitelist.
- In the Fabric mode, Hawtio automatically gathers the IP addresses of containers in the same fabric and adds them to the whitelist. Hence, there is no need to be aware of this proxy whitelist configuration.
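The check that such a whitelist implies, as an added example (not Hawtio's own code): the property is read from constructed etc/system.properties content, and a proxy target is accepted only when its parsed host name equals a whitelist entry. The function names, the exact-match rule and the fallback set used when the property is absent are assumptions.

```python
from urllib.parse import urlsplit

# Constructed etc/system.properties content using the example value from the page
SYSTEM_PROPERTIES = """\
# other settings omitted
karaf.name = root
hawtio.proxyWhitelist = localhost, 127.0.0.1, myhost1, myhost2, myhost3
"""

# Assumption: "only localhost" by default is modelled as these two entries
DEFAULT_WHITELIST = {"localhost", "127.0.0.1"}


def load_whitelist(properties_text, key="hawtio.proxyWhitelist"):
    """Return the whitelisted host names, or the localhost-only default if unset."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):  # blank line or comment
            continue
        name, sep, value = line.partition("=")  # only key = value lines are handled
        if sep and name.strip() == key:
            return {h.strip().lower() for h in value.split(",") if h.strip()}
    return set(DEFAULT_WHITELIST)


def proxy_target_allowed(url, whitelist):
    """Accept a proxy target only if its parsed host name is a whitelist entry."""
    # urlsplit().hostname drops any port and user-info part and lowercases the name,
    # so the comparison is made on the host alone rather than on the raw URL string.
    host = urlsplit(url).hostname
    return host is not None and host in whitelist


WHITELIST = load_whitelist(SYSTEM_PROPERTIES)
```

Comparing the parsed host name for equality means myhost1 in the whitelist does not also admit myhost10.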
Upload Filter
You can implement a new filter to prevent an arbitrary file upload to Hawtio. It allows you to verify the uploaded file content against the whitelisted filters that are configured via a system property. You can configure this filter via the hawtio.upload.filter property key. The syntax for configuring the property is as follows:
hawtio.upload.filter="signature=504B0304,offset=0,maxSize=10kb,exc=[@ *]"
In the above configuration, the filter pattern syntax is defined as follows:
- signature - the file magic number
- offset - the offset from which the magic number starts
- maxSize - the maximum allowed file size
- exc - a list of space-separated characters allowed for an ASCII file, within an opening and a closing bracket
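How the signature, offset and maxSize fields constrain an upload, as an added example (not Hawtio's implementation): the pattern from the page is parsed and applied to constructed byte strings. The function names and the reading of kb as 1024 bytes are assumptions; exc is parsed but not applied, because the page does not say how it combines with the signature check.

```python
import re

UNITS = {"b": 1, "kb": 1024, "mb": 1024 ** 2}  # assumption: binary multiples


def parse_upload_filter(spec):
    """Parse one filter pattern into the four fields the page documents."""
    fields = {}
    # exc=[...] holds space-separated characters; lift it out before splitting on commas.
    exc = re.search(r"exc=\[([^\]]*)\]", spec)
    if exc:
        fields["exc"] = exc.group(1).split()
        spec = spec[:exc.start()] + spec[exc.end():]
    for part in filter(None, (p.strip() for p in spec.split(","))):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed filter field: {part!r}")
        fields[key.strip()] = value.strip()
    size = re.fullmatch(r"(\d+)\s*([a-z]*)", fields["maxSize"].lower())
    if not size or (size.group(2) or "b") not in UNITS:
        raise ValueError("unsupported maxSize value")
    offset = int(fields["offset"])
    if offset < 0:
        raise ValueError("offset must not be negative")
    return {
        "signature": bytes.fromhex(fields["signature"]),
        "offset": offset,
        "max_size": int(size.group(1)) * UNITS[size.group(2) or "b"],
        "exc": fields.get("exc", []),  # parsed only; the page does not define its use
    }


def check_upload(data, flt):
    """Return (allowed, reason) for an uploaded byte string."""
    if len(data) > flt["max_size"]:
        return False, "too large"
    start, sig = flt["offset"], flt["signature"]
    # Slicing past the end yields a short result, so truncated files fail to match.
    if data[start:start + len(sig)] != sig:
        return False, "signature mismatch"
    return True, "ok"


SPEC = "signature=504B0304,offset=0,maxSize=10kb,exc=[@ *]"  # value from the page
FILTER = parse_upload_filter(SPEC)

# Constructed sample uploads
ZIP_SMALL = bytes.fromhex("504B0304") + b"\x00" * 100
ZIP_BIG = bytes.fromhex("504B0304") + b"\x00" * (10 * 1024)
TEXT = b"not an archive"
```

A matching magic number only shows how the file begins; it does not validate the rest of the content.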
Adding Cache to RBACRestrictor
JBoss Hawtio causes a high load on the server within the ActiveMQ tab. Because the tab refreshes every second for each of multiple users, the load on the server becomes too high.
You can reduce the load by adding a cache, based on Guava cache, to RBACRestrictor, so that the MBean invocations do not occur so often. The cache entries expire in 10 minutes. Therefore, if you change the RBAC configuration, the changes may take up to 10 minutes to propagate to Hawtio.
However, you can restart the Hawtio-Web console to invalidate the cache and make the changes visible immediately.
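The trade-off described above, as an added example (a plain Python stand-in, not the Guava-based RBACRestrictor code): a decision cache with a 10-minute expiry absorbs the one-second refreshes, but a role change is not seen until the entry expires or the cache is cleared. The class, the user alice and the fake clock are constructed for illustration.

```python
import time


class CachedRestrictor:
    """Caches allow/deny decisions for ttl seconds (600 s = the page's 10 minutes)."""

    def __init__(self, backend_check, ttl=600, clock=time.monotonic):
        self._check = backend_check  # stands in for the costly MBean invocation
        self._ttl = ttl
        self._clock = clock
        self._cache = {}
        self.backend_calls = 0

    def is_allowed(self, user, operation):
        key = (user, operation)
        now = self._clock()
        hit = self._cache.get(key)
        if hit is not None and now - hit[1] < self._ttl:
            return hit[0]  # served from cache, possibly stale
        self.backend_calls += 1
        decision = self._check(user, operation)
        self._cache[key] = (decision, now)
        return decision

    def invalidate(self):
        """Equivalent in effect to restarting the console: drop every entry."""
        self._cache.clear()


def demo():
    roles = {"alice": "Deployer"}      # constructed user
    can_purge = {"admin", "Deployer"}  # "purge queue" row of the role table above
    now = [0.0]                        # fake clock, in seconds
    r = CachedRestrictor(lambda u, op: roles[u] in can_purge, clock=lambda: now[0])
    for second in range(60):           # sixty one-second UI refreshes
        now[0] = float(second)
        r.is_allowed("alice", "purge queue")
    calls = r.backend_calls            # only the first refresh reached the backend
    roles["alice"] = "viewer"          # RBAC change made at t = 59 s
    now[0] = 300.0
    stale = r.is_allowed("alice", "purge queue")    # old decision still cached
    r.invalidate()
    cleared = r.is_allowed("alice", "purge queue")  # re-evaluated immediately
    return calls, stale, cleared
```

When a role is being revoked rather than granted, the stale window is the reason to invalidate the cache straight away instead of waiting for expiry.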