Issue on Security Domains

[lordigon]

Hi all.
I have some issues trying to configure different security domains for Jolokia and TLS connection.
I created a custom JAAS login module to manage certificates for TLS connections and I want to use another security domain for jlokia.
This is the CRD definition

apiVersion: broker.amq.io/v1beta1
kind: ActiveMQArtemis
metadata:
  name: exoo
spec:
  deploymentPlan:
    size: 1
    image: external-releases-quay-proxy.common.repositories.cloud.sap/artemiscloud/activemq-artemis-broker-kubernetes:1.0.15
    initImage: custom-jaas-init:1.0.0
    extraMounts:
      secrets:
        - cert-jaas-config
    labels:
      app: artemis-cluster
  env:
    - name: JAVA_ARGS_APPEND
      value: "-Dhawtio.realm=activemq -Djava.security.auth.login.config=/amq/extra/secrets/cert-jaas-config/login.config"
  acceptors:
    - name: tcp-mqtt
      protocols: MQTT
      port: 61616
      expose: false
      sslEnabled: false
    - name: tcp-mqtt-tls
      protocols: MQTT
      port: 61617
      expose: true
      sslEnabled: true
      needClientAuth: true
      verifyHost: false
  console:
    expose: true
  brokerProperties:
    - 'acceptorConfigurations.tcp-mqtt-tls.extraParams.securityDomain=certlogin'

and the content of login.config file stored as secret named cert-jaas-config

certlogin {
    com.test.jaas.TestCertificateLoginModule required
        debug=true
        reload=true
        com.test.jaas.identity-constraints-subject-cn="test.jaas-identity-constraints-subject-cn.properties"
        com.test.jaas.roles="test.jaas-roles.properties"
        com.test.jaas.identity-constraints-issuer-cn="test.jaas-identity-constraints-issuer-cn.properties";
};

activemq {
    org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required
        debug=false
        org.apache.activemq.jaas.properties.user="artemis-users.properties"
        org.apache.activemq.jaas.properties.role="artemis-roles.properties";
 };

"artemis-roles.properties": "amq=admin"

"artemis-users.properties": "admin=admin"

Applying this artemis CRD I found this error inside its log

2023-04-20T13:44:57.118Z    INFO    unknown status reported from Jolokia.    {"ActiveMQArtemis Name": "exoo", "IP": "10.244.0.22", "Ordinal": "0", "error": "EOF"}       

trying to execute a Jolokia call from a POD

 curl -v -H "Origin: http://exoo-ss-0.exoo-hdls-svc.test.svc.cluster.local" -u admin:admin http://exoo-ss-0.exoo-hdls-svc.test.svc.cluster.local:8161/console/jolokia/read/org.apache.activemq.artemis:broker=\"amq-broker\"/Status
*   Trying 10.244.0.22:8161...
* Connected to exoo-ss-0.exoo-hdls-svc.test.svc.cluster.local (10.244.0.22) port 8161 (#0)
* Server auth using Basic with user 'admin'
> GET /console/jolokia/read/org.apache.activemq.artemis:broker="amq-broker"/Status HTTP/1.1
> Host: exoo-ss-0.exoo-hdls-svc.test.svc.cluster.local:8161
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.74.0
> Accept: */*
> Origin: http://exoo-ss-0.exoo-hdls-svc.test.svc.cluster.local
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Date: Thu, 20 Apr 2023 13:33:45 GMT
< Cache-Control: max-age=0, no-cache, must-revalidate, proxy-revalidate, private
< Pragma: no-cache
< Access-Control-Allow-Origin: *
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1
< X-Content-Type-Options: nosniff
< Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' ; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data:; connect-src 'self' ; frame-src 'self'
< Strict-Transport-Security: max-age=31536000;includeSubDomains;preload
< Hawtio-Forbidden-Reason: NONE
< Content-Length: 0
<
* Connection #0 to host exoo-ss-0.exoo-hdls-svc.test.svc.cluster.local left intact

How the operator knows user and password to execute Jolokia calls?
What I'm doing wrong?

[gaohoward]

Can you pass the full log? Normally jolokia will get the user/password from env var AMQ_USER and AMQ_PASSWORD.
However you can create a secret to supply the credentials for jolokia instead. The secret name follows the pattern:
<Cr.Name> + "-jolokia-secret
and the secret should have 2 entries whose keys are 'jolokiaUser' and 'jolokiaPassword'.