The jolokia api server is now in a mode where it doesn't perform
any login verification and just forwards the Bearer token to the broker.
The user needs to provide a targetEndpoint and a Bearer token on every
request except api-info.
Based on @gaohoward's work there: artemiscloud#23
The optional -ns (or --nosec) argument can be used to disable security.
53
+
54
+
---
55
+
56
+
**Note:**
57
+
58
+
you should enable security in your application. Disable security can only
59
+
be used for test purposes.
60
+
61
+
---
62
+
52
63
The `deploy.sh` script uses `oc kustomize` (built-in
53
64
[kustomize](https://github.com/kubernetes-sigs/kustomize)) command to configure
54
65
and deploy the plugin using resources and patches defined under ./deploy
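Review bot: the added Note tells readers that disabling security is for test purposes only, but never says how security gets disabled; since this commit introduces the `-ns` (`--nosec`) argument for exactly that, name it in the note, e.g. "Security can be disabled with the `-ns` (or `--nosec`) argument. Disabling security can only be used for test purposes." That wording also fixes the grammar of the current "Disable security can only / be used for test purposes."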
@@ -67,6 +78,53 @@ jwt tokens. It has a default value in .env for dev purposes.
67
78
68
79
In production you should override it with your own secret.
69
80
70
-
The jwt-key-gen.sh is a tool to generate a random key and used in Dockerfile.
81
+
The jwt-key-gen.sh is a tool to generate a random key and used in Dockerfile.
71
82
It makes sure when you build the api server image a new random key is used.
72
83
84
+
## Security Model of the API Server
85
+
86
+
The API Server provides a security model that provides authentication and authorization of incoming clients.
87
+
The security can be enabled/disabled (i.e. via `API_SERVER_SECURITY_ENABLED` env var)
88
+
89
+
### Authentication
90
+
91
+
Currently the api server support `jwt` token authentication.
92
+
93
+
#### The login api
94
+
95
+
The login api is defined in openapi.yml
96
+
97
+
```yaml
98
+
/server/login
99
+
```
100
+
101
+
A client logs in to an api server by sending a POST request to the login path. The request body contains login information (i.e. username and password for jwt authentication type)
102
+
103
+
Please refer to [api.md](api.md) for details of the log api.
104
+
105
+
Currently the security manager uses local file to store user's info. The default users file name is `.users.json`
106
+
The users file name can be configured using `USERS_FILE_URL` env var. See `.test.users.json` for sample values.
107
+
108
+
### Authorization
109
+
110
+
Currently the api server doesn't perform authorization on logged in users.
111
+
112
+
### Endpoints Management
113
+
114
+
The server keeps a list of jolokia endpoints for clients to access. The endpoints are loaded from a local file named
115
+
`.endpoints.json`. Each top level entry represents a jolokia endpoint. An entry has a unique name and details to access the jolokia api. See `.test.endpoints.json` for sample values.
116
+
117
+
### Accessing a jolokia endpoint
118
+
119
+
When an authenticated client sends a request to the api-server, it should present its token in the request header
120
+
121
+
'Authorization: Bearer `token`'
122
+
123
+
It also need to give the `targetEndpoint` in the query part of the request if the request is to access an jolokia endpoint.
124
+
125
+
For example `/execBrokerOperation?targetEndpoint=broker1`.
126
+
127
+
### Direct Proxy
128
+
129
+
Direct Proxy means a client can pass a broker's endpoint info to the api-server in order to access it via the api-server.
130
+
For example the [self-provisioning plugin](https://github.com/artemiscloud/activemq-artemis-self-provisioning-plugin) uses this api to access the jolokia of a broker's jolokia endpoint.
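Review bot: the new "Security Model of the API Server" section says security is toggled via the `API_SERVER_SECURITY_ENABLED` env var, while the commit message introduces the `-ns`/`--nosec` argument for the same purpose; the README should state what the default is and which setting wins when both are given, otherwise a deployer cannot tell whether security is on. In the Authorization section, spell out the consequence of "Currently the api server doesn't perform authorization on logged in users.": any user present in `.users.json` can reach every endpoint listed in `.endpoints.json` and can use Direct Proxy against any endpoint info it supplies, which is what an operator needs to know when populating the users file. Smaller fixes in this hunk: "the api server support `jwt`" should read "supports", "details of the log api" should read "login api", "It also need to give" should read "It also needs to give", and "access an jolokia endpoint" should read "a jolokia endpoint".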