Merge pull request #1114 from jbonofre/AMQ-9296

AMQ-9296: Add authentication support in docker images

assembly/src/docker/Dockerfile

@@ -30,11 +30,14 @@ ENV ACTIVEMQ_OPTS $ACTIVEMQ_OPTS -Djetty.host=0.0.0.0
 # activemq_dist can point to a directory or a tarball on the local system
 ARG activemq_dist=NOT_SET
 
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+
 # Install build dependencies and activemq
 ADD $activemq_dist $ACTIVEMQ_INSTALL_PATH
 RUN set -x && \
   cp -r $ACTIVEMQ_INSTALL_PATH/apache-activemq-* $ACTIVEMQ_HOME && \
 	rm -r $ACTIVEMQ_INSTALL_PATH/apache-activemq-*
 
-EXPOSE 8161 61616 5672 61613 1883 61614
+EXPOSE 8161 61616 5672 61613 1883 61614 1099
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
 CMD ["activemq", "console"]

assembly/src/docker/README.md

@@ -144,11 +144,23 @@ docker kill activemq
 
 ### Ports
 
-* ActiveMQ web console on `8161`
+* ActiveMQ WebConsole on `8161`
+* ActiveMQ JMX MBean server on `1099`
 * ActiveMQ tcp connector on `61616`
 * ActiveMQ AMQP connector on `5672`
 * ActiveMQ STOMP connector on `61613`
 * ActiveMQ MQTT connector on `1883`
 * ActiveMQ WS connector on `61614`
 
 Edit the `docker-compose.yml` file to edit port settings.
+
+### Environment variables
+
+| Environment Variable | Description |
+|----------------------|-------------|
+| `ACTIVEMQ_CONNECTION_USER` | Username to access transport connector on the broker (JMS, ...). If not set, no user and password are required |
+| `ACTIVEMQ_CONNECTION_PASSWORD` | Password to access transport connector on the broker (JMS, ...). It should be used with `ACTIVEMQ_CONNECTION_USER`. |
+| `ACTIVEMQ_JMX_USER` | Username to access the JMX MBean server of the broker. If set, ActiveMQ accepts remote JMX connection, else, only local connection are allowed. |
+| `ACTIVEMQ_JMX_PASSWORD` | Password to access the JMX MBean server of the broker. It should be used with `ACTIVEMQ_JMX_USER`/  |
+| `ACTIVEMQ_WEB_USER` | Username to access the ActiveMQ WebConsole. |
+| `ACTIVEMQ_WEB_PASSWORD` | Password to access the ActiveMQ WebConsole. |

assembly/src/docker/docker-compose.yml

@@ -26,14 +26,16 @@ services:
       - "61613"
       - "1883"
       - "61614"
-      - "8161"
+      - "8161"`
+      - "1099"
     ports:
       - "8161:8161"
       - "61616:61616"
       - "5672:5672"
       - "61613:61613"
       - "1883:1883"
       - "61614:61614"
+      - "1099:1099"
     command: activemq console
     stdin_open: true
     tty: true

assembly/src/docker/entrypoint.sh

@@ -0,0 +1,81 @@
+#!/bin/sh
+
+################################################################################
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+# limitations under the License.
+################################################################################
+
+# Transport/connection security
+if [ -n "${ACTIVEMQ_CONNECTION_USER}" ]; then
+  if [ -f "${ACTIVEMQ_HOME}/conf/connection.security.enabled" ]; then
+    echo "ActiveMQ Connection Security enabled"
+  else
+    echo "Enabling ActiveMQ Connection Security"
+    sed -i "s/activemq.username=system/activemq.username=${ACTIVEMQ_CONNECTION_USER}/" ${ACTIVEMQ_HOME}/conf/credentials.properties
+    sed -i "s/activemq.password=manager/activemq.password=${ACTIVEMQ_CONNECTION_PASSWORD}/" ${ACTIVEMQ_HOME}/conf/credentials.properties
+    read -r -d '' REPLACE << END
+      <plugins>
+        <simpleAuthenticationPlugin>
+          <users>
+            <authenticationUser username="$\{activemq.username}" password="$\{activemq.password}"/>
+          </users>
+        </simpleAuthenticationPlugin>
+      </plugins>
+    </broker>
+END
+    REPLACE=${REPLACE//$\\/$}
+    REPLACE=${REPLACE//\//\\\/}
+    REPLACE=$(echo $REPLACE | tr '\n' ' ')
+    sed -i "s/<\/broker>/$REPLACE/" ${ACTIVEMQ_HOME}/conf/activemq.xml
+    touch "${ACTIVEMQ_HOME}/conf/connection.security.enabled"
+  fi
+fi
+
+# JMX security
+if [ -n "${ACTIVEMQ_JMX_USER}" ]; then
+  if [ -f "${ACTIVEMQ_HOME}/conf/jmx.security.enabled" ]; then
+    echo "JMX Security already enabled"
+  else
+     echo "Enabling ActiveMQ JMX security"
+     read -r -d '' REPLACE << END
+       <managementContext>
+         <managementContext createConnector="true" />
+       </managementContext>
+     </broker>
+END
+     REPLACE=${REPLACE//\//\\\/}
+     REPLACE=${REPLACE//$\\/$}
+     REPLACE=$(echo $REPLACE | tr '\n' ' ')
+     sed -i "s/<\/broker>/$REPLACE/" ${ACTIVEMQ_HOME}/conf/activemq.xml
+     sed -i "s/admin/${ACTIVEMQ_JMX_USER}/" ${ACTIVEMQ_HOME}/conf/jmx.access
+     sed -i "s/admin/${ACTIVEMQ_JMX_USER}/" ${ACTIVEMQ_HOME}/conf/jmx.password
+     if [ -n "${ACTIVEMQ_JMX_PASSWORD}" ]; then
+       sed -i "s/\ activemq/\ ${ACTIVEMQ_JMX_PASSWORD}/" ${ACTIVEMQ_HOME}/conf/jmx.password
+     fi
+     touch "${ACTIVEMQ_HOME}/conf/jmx.security.enabled"
+  fi
+fi
+
+# WebConsole security
+if [ -n "${ACTIVEMQ_WEB_USER}" ]; then
+  echo "Enabling ActiveMQ WebConsole security"
+  sed -i s/admin=/${ACTIVEMQ_WEB_USER}=/g ${ACTIVEMQ_HOME}/conf/users.properties
+  if [ -n "${ACTIVEMQ_WEB_PASSWORD}" ]; then
+    sed -i s/=admin/=${ACTIVEMQ_WEB_PASSWORD}/g ${ACTIVEMQ_HOME}/conf/users.properties
+  fi
+fi
+
+exec "$@"