AMQ Permissions: The Problem

This scenario may sound very familiar to you. You successfully install the AMQ Broker in your development environment, configure the queues, and develop components that publish and subscribe to messages in the broker. Everything works flawlessly according to plan until you face a major challenge: replicating the setup in a non-development environment such as production. At this point you hit your first roadblock – you lack the privileges to install the broker.

For security reasons, the installation is typically entrusted to someone with administrative rights rather than to you, which is understandable. The real problem arises when you realize that you cannot create addresses or queues without depending on the administrator for each task. Relying on the administrator can become a significant bottleneck. One possible solution is to become an administrator yourself, but that is often not a viable option. A better approach is to obtain exactly the permissions needed to manage the AMQ broker independently. In this blog entry, I will explain precisely how to achieve this.

Current Status

A little bit of AMQ Background

Two types of permissions are needed to make this work. First, you need AMQ Broker permissions to create the necessary elements. Second, you need permissions within OpenShift (Kubernetes) to access the administrative console.

AMQ components are defined as Custom Resource Definitions within OpenShift. The broker itself, along with the addresses and security settings, are all instances of these custom resources. Overall access to custom resource definitions in OpenShift is governed by the "apiextensions.k8s.io" API group, whereas the permissions for the AMQ elements themselves reside within the "broker.amq.io" group.

Custom Resource Definitions

Step 1: Creating the Role with the AMQ Permissions

Configuring the permission is straightforward. First, create the Role in OpenShift: save the following configuration in a yml file (for example AMQPermissions.yml) and create it with

oc create -f AMQPermissions.yml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crd-queue-admin
rules:
# AMQ Broker custom resources: addresses/queues, the broker itself,
# scale-down jobs and security settings.
# Only the verbs the Kubernetes RBAC authorizer knows are listed here
# (get, list, watch, create, update, patch, delete, deletecollection);
# any other string, such as "view", is silently ignored and grants nothing.
- apiGroups: ["broker.amq.io"]
  resources: ["activemqartemisaddresses"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["broker.amq.io"]
  resources: ["activemqartemises"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["broker.amq.io"]
  resources: ["activemqartemisscaledowns"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["broker.amq.io"]
  resources: ["activemqartemissecurities"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# CustomResourceDefinitions are cluster-scoped. create/update/patch/delete
# here lets the holder change or remove any CRD in the cluster; if the user
# only needs to work with the existing AMQ CRDs, get/list/watch is the
# least-privilege choice.
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

Step 2: Assign the AMQ Role to a user

Now that you have created the role, you can assign it to the desired user (replace <username> with the user's name):

oc adm policy add-role-to-user crd-queue-admin <username>

Note that this command creates a namespace-scoped RoleBinding in the current project, so the broker.amq.io permissions apply in that project only. The rule for customresourcedefinitions, a cluster-scoped resource, only takes effect if the ClusterRole is bound cluster-wide with oc adm policy add-cluster-role-to-user instead.

Role Bindings

References:

  • https://docs.openshift.com/container-platform/4.8/authentication/using-rbac.html
  • https://access.redhat.com/documentation/en-us/red_hat_amq/7.2/html/deploying_amq_broker_on_openshift_container_platform/install-deploy-ocp-broker-ocp


Nicolás Fonnegra Martínez, Lead Service Symphony esentri AG
