qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chuck Rolke (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (QPID-3799) ACL processing by C++ broker produces unexpected results
Date Thu, 01 Mar 2012 19:42:03 GMT

    [ https://issues.apache.org/jira/browse/QPID-3799?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13220289#comment-13220289
] 

Chuck Rolke commented on QPID-3799:
-----------------------------------

Here is a demonstration of how this update has changed ACL logging.
This note shows:
1. The ACL file.
2. The test case.
3. The old log output.
4. The new log output.

The log outputs are trimmed/formatted to be readable. The logs show 
the preprocessing phase of how the ACL file is processed into a set of 
rules and the lookup phase of how the rules are processed when a given 
test case is presented to the ACL engine for approval.

Differences to note:
* In the old processing phase the rules are shown numbered 0..6 
but then are processed numbered 7..1. This is confusing. 
In the new processsing the rules are numbered 1..7 and processed 7..1.

* In the old lookup phase the rule being processed is identified with
a [ log=0, logonly=0 ...]. Those are artifacts of internal structures
and don't help users know which rules are being processed. The new 
lookup phase shows the same rule numbers as in the processing phase.

* In the old lookup phase the rules are processed from the bottom of
the ACL file towards the top. In the new lookup phase the rules are
processed from the top of the ACL file towards the bottom.

* In the old ACL logs each line may or may not begin with ACL:. In the
new ACL logs every line begins with ACL:.

-----

1. The ACL file (from selftests acl.py):

  acl deny bob@QPID create queue name=q1 durable=true passive=true
  acl deny bob@QPID create queue name=q2 exclusive=true policytype=ring
  acl deny bob@QPID access queue name=q3
  acl deny bob@QPID purge queue name=q3
  acl deny bob@QPID delete queue name=q4
  acl deny bob@QPID create queue name=q5 maxqueuesize=1000 maxqueuecount=100
  acl allow all all

2. A test case:

  queue_options = {}
  queue_options["qpid.max_count"] = 200
  queue_options["qpid.max_size"] = 500
  session.queue_declare(queue="q5", exclusive=True, arguments=queue_options)
  self.fail("ACL should deny queue create request with 
             name=q2, qpid.max_size=500 and qpid.max_count=200");


3. Old log output.

3a. Old log processing phase
 notice Read ACL file "/home/chug/svn/qpid/cpp/src/tests/data_dir/policy.acl"
 debug Group list: 0 groups found:
 debug Name list: 2 names found:
 debug  * bob@QPID
 debug Rule list: 7 ACL rules found:
 debug    0 deny [bob@QPID] create queue name=q1 durable=true passive=true
 debug    1 deny [bob@QPID] create queue name=q2 exclusive=true policytype=ring
 debug    2 deny [bob@QPID] access queue name=q3
 debug    3 deny [bob@QPID] purge queue name=q3
 debug    4 deny [bob@QPID] delete queue name=q4
 debug    5 deny [bob@QPID] create queue name=q5 maxqueuesize=1000 maxqueuecount=100
 debug    6 allow [*] *
 debug ACL Load Rules
 debug ACL Processing  7 allow [*] *
 debug ACL FoundMode allow
 debug ACL Processing  6 deny [bob@QPID] create queue name=q5 maxqueuesize=1000 maxqueuecount=100
 debug ACL: Adding actions {create} 
       	    to objects {queue} 
	    with props { name=q5 maxqueuesize=1000 maxqueuecount=100 } 
	    for users {bob@QPID}
 debug ACL Processing  5 deny [bob@QPID] delete queue name=q4
 debug ACL: Adding actions {delete} 
       	    to objects {queue} 
	    with props { name=q4 } 
	    for users {bob@QPID}
 debug ACL Processing  4 deny [bob@QPID] purge queue name=q3
 debug ACL: Adding actions {purge} 
       	    to objects {queue} 
	    with props { name=q3 } 
	    for users {bob@QPID}
 debug ACL Processing  3 deny [bob@QPID] access queue name=q3
 debug ACL: Adding actions {access} 
       	    to objects {queue} 
	    with props { name=q3 } 
	    for users {bob@QPID}
 debug ACL Processing  2 deny [bob@QPID] create queue name=q2 exclusive=true policytype=ring
 debug ACL: Adding actions {create} 
       	    to objects {queue} 
	    with props { name=q2 exclusive=true policytype=ring } 
	    for users {bob@QPID}
 debug ACL Processing  1 deny [bob@QPID] create queue name=q1 durable=true passive=true
 debug ACL: Adding actions {create} 
       	    to objects {queue} 
	    with props { name=q1 durable=true passive=true } 
	    for users {bob@QPID}
 debug Found validator for property values should be between 0 and 9223372036854775807
 debug Found validator for property values should be between 0 and 9223372036854775807
 debug Found validator for property possible values are one of { 'ring' 'ring_strict' 'flow_to_disk'
'reject' }

3a. Old log lookup phase
 debug ACL: Lookup for id:bob@QPID 
        	       action:create 
		       objectType:queue 
		       name:q5 
		       with params { durable=false 
				     passive=false 
				     autodelete=false 
				     exclusive=true 
				     alternate= 
				     policytype= 
				     maxqueuesize=500 
				     maxqueuecount=200 }
 debug ACL: checking the following rules for : bob@QPID
 debug ACL: checking rule [log=0, logOnly=0 props{ name=q5 maxqueuesize=1000 maxqueuecount=100
}]
 debug ACL: name 'q5' matched with name 'q5' given in the rule
 debug ACL: Numeric comparison for property maxqueuesize (value given in lookup = 500, value
give in rule = 1000 )
 debug ACL: Numeric comparison for property maxqueuecount (value given in lookup = 200, value
give in rule = 100 )
 debug ACL: Limit exceeded and match=true as decision mode is allow
 debug Successful match, the decision is:deny


4. New log output.

4a. New log processing phase.

 notice ACL: Read file "/home/chug/svn/qpid/cpp/src/tests/data_dir/policy.acl"
 debug ACL: Group list: 0 groups found:
 debug ACL: name list: 2 names found:
 debug ACL:  * bob@QPID
 debug ACL: Rule list: 7 ACL rules found:
 debug ACL:    1 deny [bob@QPID] create queue name=q1 durable=true passive=true
 debug ACL:    2 deny [bob@QPID] create queue name=q2 exclusive=true policytype=ring
 debug ACL:    3 deny [bob@QPID] access queue name=q3
 debug ACL:    4 deny [bob@QPID] purge queue name=q3
 debug ACL:    5 deny [bob@QPID] delete queue name=q4
 debug ACL:    6 deny [bob@QPID] create queue name=q5 queuemaxsizeupperlimit=1000 queuemaxcountupperlimit=100
 debug ACL:    7 allow [*] *
 debug ACL: Load Rules
 debug ACL: Processing  7 allow [*] *
 debug ACL: FoundMode allow
 debug ACL: Processing  6 deny [bob@QPID] create queue name=q5 queuemaxsizeupperlimit=1000
queuemaxcountupperlimit=100
 debug ACL: Adding actions {create} 
       	    to objects {queue} 
	    with props { name=q5 queuemaxsizeupperlimit=1000 queuemaxcountupperlimit=100 } 
	    for users {bob@QPID}
 debug ACL: Processing  5 deny [bob@QPID] delete queue name=q4
 debug ACL: Adding actions {delete} 
       	    to objects {queue} 
	    with props { name=q4 } 
	    for users {bob@QPID}
 debug ACL: Processing  4 deny [bob@QPID] purge queue name=q3
 debug ACL: Adding actions {purge} 
       	    to objects {queue} 
	    with props { name=q3 } 
	    for users {bob@QPID}
 debug ACL: Processing  3 deny [bob@QPID] access queue name=q3
 debug ACL: Adding actions {access} 
       	    to objects {queue} 
	    with props { name=q3 } 
	    for users {bob@QPID}
 debug ACL: Processing  2 deny [bob@QPID] create queue name=q2 exclusive=true policytype=ring
 debug ACL: Adding actions {create} 
       	    to objects {queue} 
	    with props { name=q2 exclusive=true policytype=ring } 
	    for users {bob@QPID}
 debug ACL: Processing  1 deny [bob@QPID] create queue name=q1 durable=true passive=true
 debug ACL: Adding actions {create} 
       	    to objects {queue} 
	    with props { name=q1 durable=true passive=true } 
	    for users {bob@QPID}
 debug ACL: Found validator for property 'queuemaxsizeupperlimit'. values should be between
0 and 9223372036854775807
 debug ACL: Found validator for property 'queuemaxcountupperlimit'. values should be between
0 and 9223372036854775807
 debug ACL: Found validator for property 'policytype'. possible values are one of { 'ring'
'ring_strict' 'flow_to_disk' 'reject' }

4b. New log lookup phase.

 debug ACL: Lookup for id:bob@QPID 
       	    	       action:create 
		       objectType:queue 
		       name:q5 
		       with params { durable=false 
		       	    	     passive=false 
				     autodelete=false 
				     exclusive=true 
				     alternate= 
				     policytype= 
				     maxqueuesize=500 
				     maxqueuecount=200 }
 debug ACL: checking rule [rule 1 ruleMode = deny props{ name=q1 durable=true passive=true
}]
 debug ACL: lookup name 'q5' didn't match with rule name 'q1'
 debug ACL: checking rule [rule 2 ruleMode = deny props{ name=q2 exclusive=true policytype=ring
}]
 debug ACL: lookup name 'q5' didn't match with rule name 'q2'
 debug ACL: checking rule [rule 6 ruleMode = deny props{ name=q5 queuemaxsizeupperlimit=1000
queuemaxcountupperlimit=100 }]
 debug ACL: lookup name 'q5' matched with rule name 'q5'
 debug ACL: Numeric greater-than comparison for property queuemaxsizeupperlimit (value given
in lookup = 500, value give in rule = 1000 )
 debug ACL: Numeric greater-than comparison for property queuemaxcountupperlimit (value given
in lookup = 200, value give in rule = 100 )
 debug ACL: Max limit exceeded for property 'queuemaxcountupperlimit'
 debug ACL: Successful match, the decision is:deny

                
> ACL processing by C++ broker produces unexpected results
> --------------------------------------------------------
>
>                 Key: QPID-3799
>                 URL: https://issues.apache.org/jira/browse/QPID-3799
>             Project: Qpid
>          Issue Type: Bug
>          Components: C++ Broker
>    Affects Versions: 0.14
>         Environment: C++ Broker
>            Reporter: Chuck Rolke
>
> There are several instances of C++ ACL-processing code that produce results that do not
match what would be expected after reading the Developer Pages, ACL site page. Clean up of
both the site page and the code in a few cases requires an agreement on the actual desired
behaviour.
> Some of the rule sets below are contrived and not something that a normal person would
write. However, rule sets may be machine generated or they may be in a confused state due
to cut and paste errors. Rule processing must be predictable regardless of how the rule sets
came to be.
> 1. Conflicting permissions rules. Given the following rule set[1]:
>     acl allow bob@QPID create queue
>     acl deny  bob@QPID create queue
>     acl allow all all
> What happens when bob tries to create a queue? The site page suggests that the rules
are processed in order and the first rule that matches defines the action to take. By that
reading bob should be allowed to create a queue. In the C++ broker, however, the first 'acl
allow' rule is discarded. Then the first rule to match is the deny rule.
> Q1: What is the correct behaviour for the conflicting rules in rule set 1?
> 2. ACL lines greater that 1000 characters are silently truncated. ACL processing should
stop and emit an error if lines are too long.
> 3. The C++ broker handles some numeric limits on queue creation but these limits are
not documented in the wiki page.
> We have the following rule set[2]:
>        1. acl allow bob create queue maxqueuesize=1000
>        2. acl deny  bob all    all
> Line 1 allows bob to create queues as long as the qpid.max_size
> argument in the queue_declare request is<= 1000.
> Line 2 prevents bob from doing anything else.
> We have another rule set[3]:
>        1. acl allow bob create queue maxqueuesize=1000
>        2. acl allow bob create queue maxqueuesize=10000
>        3. acl deny  bob all    all
> What happens when ACL processing gets to Line 1 when bob tries to create a queue with
max_size = 2000? Line 1 disallows the creation but Line 2 allows it.
>      * If code treats the numeric tests as another "comparison criteria" then Line 1
will not match. This allows processing to move to Line 2 where the action will be allowed.
>      * If the code treats the numeric tests as a "deny subclause" then Line 1 will be
a match and bob will be denied.
> Q3: What should happen when bob tries to create a queue with max_size = 2000 using rule
set [3]?
> 4. Numeric limits should work differently on deny rules[4].
>        1. acl deny  bob create queue maxqueuesize=1000
>        2. acl allow bob all    all
> I suggest that when the numeric tests specifying max values are used as "comparison criteria"
then:
>   * In an allow rule the match is true when the user's value is "less than or equal to"
the ACL max limit.
>   * In a deny rule the match is true when the user's value is "greater than" the ACL
max limit.
> Q4: How should numeric limits be applied in deny rules?
> I'm interested to know what folks think is the "correct" behaviour for these rules and/or
how the Java broker would handle them.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org


Mime
View raw message