qpid-dev mailing list archives

From "Robbie Gemmell (JIRA)" <qpid-...@incubator.apache.org>
Subject [jira] Created: (QPID-2133) PrincipalPermissions handling of exchange elements within the ACL v1 create subsection can lead to inconsistent behaviour
Date Thu, 08 Oct 2009 12:26:31 GMT
PrincipalPermissions handling of exchange elements within the ACL v1 create subsection can
lead to inconsistent behaviour
-------------------------------------------------------------------------------------------------------------------------

                 Key: QPID-2133
                 URL: https://issues.apache.org/jira/browse/QPID-2133
             Project: Qpid
          Issue Type: Bug
    Affects Versions: 0.5
            Reporter: Robbie Gemmell


Whilst investigating QPID-1204, a limitation was discovered in the ACL v1 PrincipalPermissions
handling for Exchange(s) elements within the Create subsection of the ACL configuration.

If no Exchange elements exist within the Create section for a given set of users, they will
have create capabilities for any exchange. This is accomplished by never creating a permissions
list for creating exchanges, and is covered in the authorise check by the null check in the
code below.

PrincipalPermissions: L483

                if (rights == null || rights.containsKey(exchangeName))
                {
                    return AuthzResult.ALLOWED; 
                }

However, if for example a Queue Create subsection for that user did specify a specific exchange
that the creation is permitted in, then the exchange creation rights list will be created.
As a result, any Create sections previously relying on the list being null to permit queue
creation in any exchange, or the ability to declare any exchange, will be broken (unless the
exchange name being used happens to match one which was specifically defined, in which case
it will exist in the list).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org

