
Support TextFileCertificateLoginModule without using init container #724

Status: Closed
gaohoward opened this issue Oct 26, 2023 · 6 comments
Labels: enhancement (New feature or request)

Comments

@gaohoward (Collaborator):

Is your feature request related to a problem? Please describe.
Currently, adding the TextFileCertificateLoginModule login module using the jaas-config secret is not enough; the user has to modify bootstrap.xml to add certificate-domain like this as required:

Using a custom init image it can be done. A better solution should be provided to eliminate the use of the init image.


@gaohoward gaohoward added the enhancement New feature or request label Oct 26, 2023
@gtully (Contributor) commented Feb 14, 2024

Wondering if there really is a need to change the jaas-domain; the TextFileCertificateLoginModule can be added as a sufficient module in the default "activemq" domain. The generic JAAS callback will be able to provide it with the certs from any TLS endpoint.

@skeeey commented Apr 11, 2024

Added some details

I want to use https://activemq.apache.org/components/artemis/documentation/latest/security.html#dual-authentication, following the doc https://github.com/artemiscloud/activemq-artemis-operator/blob/main/docs/help/operator.md#configuring-jaas-for-brokers

Using the below configuration:

```yaml
apiVersion: broker.amq.io/v1beta1
kind: ActiveMQArtemis
metadata:
  name: ex-aao
spec:
  deploymentPlan:
    size: 1
    image: placeholder
    requireLogin: false
    persistenceEnabled: true
    journalType: nio
    messageMigration: true
    extraMounts:
      secrets:
        - mqtt-jaas-config
        - mqtt-roles
  acceptors:
  - name: mqtt
    protocols: mqtt
    port: 1883
    expose: true
    sslEnabled: true
    sslSecret: mqtt-tls-secret
    needClientAuth: true
  env:
    - name: JAVA_ARGS_APPEND
      value: -Dbroker.properties=/amq/extra/secrets/mqtt-roles/broker.properties
---
apiVersion: v1
kind: Secret
metadata:
  name: mqtt-jaas-config
type: Opaque
stringData:
  login.config: |
    activemq {
        // ensure the operator can connect to the broker by referencing the existing properties config
        org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient
            org.apache.activemq.jaas.properties.user="artemis-users.properties"
            org.apache.activemq.jaas.properties.role="artemis-roles.properties"
            baseDir="/home/jboss/amq-broker/etc";
        org.apache.activemq.jaas.TextFileCertificateLoginModule required
            debug=true
            org.apache.activemq.jaas.textfiledn.user="users.properties"
            org.apache.activemq.jaas.textfiledn.role="roles.properties";
    };
  roles.properties: |
    acm-users=cluster1
  users.properties: |
    cluster1=CN=cluster1, OU=core, O=ACM
```

Then I connected to amq with certificates, and I got:

```text
2023-10-26 01:43:13,220 WARN  [org.apache.activemq.artemis.core.server] AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from /10.128.0.178:49754. Username: null; SSL certificate subject DN: CN=cluster1, OU=core, O=ACM
```

Then I kept only the TextFileCertificateLoginModule plugin:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: mqtt-jaas-config
type: Opaque
stringData:
  login.config: |
    activemq {
        org.apache.activemq.jaas.TextFileCertificateLoginModule required
            debug=true
            org.apache.activemq.jaas.textfiledn.user="users.properties"
            org.apache.activemq.jaas.textfiledn.role="roles.properties";
    };
  roles.properties: |
    acm-users=cluster1
  users.properties: |
    cluster1=CN=cluster1, OU=core, O=ACM
```

Then I got:

```text
2023-10-26 01:51:25,435 WARN  [io.hawt.system.Authenticator] Login failed due to: No LoginModule found for org.apache.activemq.jaas.TextFileCertificateLoginModule
```

It seems I need to configure the amq bootstrap.xml with `<jaas-security domain="PropertiesLogin" certificate-domain="CertLogin"/>` (by default it is `<jaas-security domain="activemq"/>`), but I cannot configure this with the ActiveMQArtemis CR.

@brusdev (Contributor) commented Apr 11, 2024

@skeeey your first configuration with both login modules in the activemq domain should work but the package of TextFileCertificateLoginModule is wrong, it should be org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule. Could you try with the correct TextFileCertificateLoginModule package?

@skeeey commented Apr 11, 2024

@brusdev, thanks for your feedback, I will have a try.

@skeeey commented Apr 16, 2024

@brusdev

I changed to org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule, and I got a similar warning:

```text
2024-04-16 02:49:50,469 WARN  [org.apache.activemq.artemis.core.server] AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from /10.128.0.188:58418. Username: null; SSL certificate subject DN: CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ
```

when I published a message with MQTT:

```text
mosquitto_pub --cafile server-ca.crt --cert client-cert.pem --key client-key.pem -h "" -p 443 -t 'test' -m 'hello' -d
Client null sending CONNECT
Client null received CONNACK (5)
Connection error: Connection Refused: not authorised.
Error: The connection was refused.
```

my cr is https://github.com/skeeey/acm-scaffold/blob/master/amq-broker/amq.yaml
secret is https://github.com/skeeey/acm-scaffold/blob/master/amq-broker/config/secret.sh#L10

BTW, if I only enable mTLS it works:

```text
mosquitto_pub --cafile server-ca.crt --cert client-cert.pem --key client-key.pem -h "" -p 443 -t 'test' -m 'hello' -d
Client null sending CONNECT
Client null received CONNACK (0)
Client null sending PUBLISH (d0, q0, r0, m1, 'test', ... (5 bytes))
Client null sending DISCONNECT
```

@brusdev (Contributor) commented Jun 24, 2024

@skeeey if mTLS works, that issue should be due to a mismatch between the certificate and the user properties file of the TextFileCertificateLoginModule. For further details you can ask the ActiveMQ users mailing list.
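An added example, not part of the thread or of the operator project, in the spirit of brusdev's diagnosis: a script that mimics the lookup TextFileCertificateLoginModule performs, comparing the subject DN the broker printed in its AMQ229031 warning against the users.properties entries character for character, and then resolving roles. The properties content and the log line are constructed samples; the near-miss check (case, spacing, RDN order) is a diagnostic addition, not the module's own behaviour.

```python
import re

# Constructed sample inputs mirroring the thread (not from any real deployment):
# the users/roles files from the jaas-config secret and a broker AMQ229031 warning.
USERS_PROPERTIES = """\
# user=<certificate subject DN, exactly as the broker logs it>
cluster1=CN=cluster1, OU=core, O=ACM
"""
ROLES_PROPERTIES = "acm-users=cluster1\n"
LOG_LINE = ("2024-04-16 02:49:50,469 WARN  [org.apache.activemq.artemis.core.server] "
            "AMQ222216: Security problem while authenticating: AMQ229031: Unable to "
            "validate user from /10.0.0.1:1234. Username: null; SSL certificate subject "
            "DN: CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ")

def parse_properties(text):
    """Minimal key=value parser for the two Java properties files."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip()
    return out

def dn_from_log(line):
    """Pull the subject DN the broker reported in its AMQ229031 warning."""
    m = re.search(r"SSL certificate subject DN: (.+)$", line)
    return m.group(1).strip() if m else None

def normalize_dn(dn):
    """Loose form used only to detect near-misses (case, spacing, RDN order)."""
    return tuple(sorted(p.strip().lower() for p in dn.split(",")))

def lookup(dn, users, roles):
    """Return (user, roles, diagnostic). The exact string comparison is the
    behaviour the thread relies on; the near-miss check is added to explain
    why a lookup failed instead of just reporting 'Username: null'."""
    for user, value in users.items():
        if value == dn:
            granted = sorted(r for r, m in roles.items()
                             if user in [x.strip() for x in m.split(",")])
            return user, granted, "ok"
    for user, value in users.items():
        if normalize_dn(value) == normalize_dn(dn):
            return None, [], f"near miss for '{user}': differs only in case/spacing/order"
    return None, [], "no user maps to this subject DN"

if __name__ == "__main__":
    users, roles = parse_properties(USERS_PROPERTIES), parse_properties(ROLES_PROPERTIES)
    print(lookup(dn_from_log(LOG_LINE), users, roles))
```

Run against the real secret and a real warning line by swapping the constructed strings for file contents; a "near miss" result points at a formatting difference in users.properties, while "no user maps" means the certificate presented is not the one listed.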

@brusdev brusdev closed this as completed Jun 24, 2024