ActiveMQ topics and security (or Apollo)

Question

I am new to Active MQ. I was wondering is the following is possible in Active MQ (or Apollo).

Essentially, I have a process that will generate messages to enable or disable a particular site. When the message (enable/disable) is sent to ActiveMQ, there could be multiple consumers of that message depending on the routing key of the message. For example, if the message is to enable site A, the routing key would be site.A.enable. And site A who is monitoring their siteA queue would get this message as well as a system wide processor who monitors all enable/disable messages.

Now, I think this is doable in Active MQ using topics. SiteA would subscribe to all topics of site.A.* and the system process would subscribe to all topics of site.*.enable and site.*.disable. Is that the best way to do that in ActiveMQ?

I also want to make sure siteA cannot subscribe to site.B.* or site.C.* topics. They can only receive messages from site.A.*. And the system process can access all site.*.* topics. I also think this can be done via the security plugs. I would just update the config file and specify the read/write/admin access for each site topic and connect that to a user/pass or ldap that would identify what site is connecting. Is that correct? Will that work if the sites are external?

I want to be able to add new sites with minimal configuration/setup. When siteX comes on line, the publisher code will just publish messages just like all the other ones, except it will be to the topic site.X.* which will get created dynamically when the first message is publish. And the consumers can start consuming from site.X dynamically too.

This is where my issue is. How can I add the security that site X can only access site.X topic "dynamically"? I think I would have to edit the config file and add the security stuff for the new site. And then I would have to stop/start the server to pick up the new settings. I might be able to edit the config on the server, but I don't think we can do a stop/start every time we add a new site.

Is there a better way to accomplish this?

Thanks!

Answer 1

What you have outlined is pretty sensible. You would need to create a new ActiveMQ user for each site and give them read write and admin permissions on site.<whatever> using the authorization plugin. If you are using the simple security plugins, where both the authentication and authorization details are in your activemq.xml, then you will need to restart ActiveMQ after each site addition.

If you want to do this automatically (can't really do this dynamically), then you would need to used the LDAP versions of the authentication and authorization plugins, and have a script that writes the appropriate credentials and permissions into LDAP when a site is installed. I am guessing you would probably already need some sort of a scripted step to add the credentials to the site in the first place, so this shouldn't be a big deal. I am pretty sure that ActiveMQ should pick up the changes without a restart, but I haven't tried this myself, so you would need to test this.