qpid-dev mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (QPID-5599) C++ Broker silently ignores --max-connections option when no ACL file is loaded
Date Wed, 05 Mar 2014 02:35:42 GMT

    [ https://issues.apache.org/jira/browse/QPID-5599?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13920408#comment-13920408 ]

ASF subversion and git services commented on QPID-5599:
-------------------------------------------------------

Commit 1574291 from chug@apache.org in branch 'qpid/trunk'
[ https://svn.apache.org/r1574291 ]

QPID-5599: C++ Broker silently ignores --max-connections option when no ACL file is loaded

Simply installing a null and permissive rule file trips up the 'create link'
security check. The security check from 
https://issues.apache.org/jira/browse/QPID-4631 reasons that if authentication
is enabled and no ACL rule file is specified then interbroker links are 
denied. The check for 'ACL rule file is loaded' is simply the existence of
the ACL object. That check is voided by always having an ACL object regardless
of whether the ACL rule file was specified or not.

One fix considered was adding an ACL rule "acl deny-log all create link" to
the formerly null rule set when no ACL file is specified. This solution has
too much complexity in several places and is too hard.

The fix implemented here is a boolean flag indicating if the ACL rule set 
in force is specified by the user or not. Then the security check tests
that the acl exists (always true) and that the rule set is specified by the
user.

> C++ Broker silently ignores --max-connections option when no ACL file is loaded
> -------------------------------------------------------------------------------
>
>                 Key: QPID-5599
>                 URL: https://issues.apache.org/jira/browse/QPID-5599
>             Project: Qpid
>          Issue Type: Bug
>          Components: C++ Broker
>    Affects Versions: 0.26
>            Reporter: Chuck Rolke
>            Assignee: Chuck Rolke
>
> ACL was converted from being a loadable module to being a built in but it still uses
> the loadable module interface. In that process if no ACL file is specified on the command
> line then no ACL object is created. The command line processing for --max-connections is in
> the ACL constructor and with no ACL object the CLI option is ignored.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
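
The flag-based check described in the commit message above, as an added C++ sketch that is not Qpid's own code. `Acl`, `Broker`, `rulesFromUser`, `makeBroker` and the two gate functions are hypothetical names, and the gate is reduced to the single "authentication on, no user ACL file" decision; treating the gate as passed when authentication is off is an assumption.

```cpp
#include <cstdio>
#include <memory>
#include <string>

// Hypothetical stand-in for the broker's ACL object (not Qpid's class).
struct Acl {
    bool userRules;      // true only when the operator supplied an ACL file
    int  maxConnections; // parsed in the constructor, so it needs an object
    Acl(const std::string& aclFile, int maxConn)
        : userRules(!aclFile.empty()), maxConnections(maxConn) {}
    bool rulesFromUser() const { return userRules; }
};

struct Broker {
    bool authEnabled;
    std::unique_ptr<Acl> acl;
};

// After the fix an Acl object is always created, with or without a file.
Broker makeBroker(bool auth, const std::string& aclFile, int maxConn) {
    Broker b{auth, std::unique_ptr<Acl>(new Acl(aclFile, maxConn))};
    return b;
}

// Old gate: "ACL file loaded" inferred from the object's existence.
bool linkGateByExistence(const Broker& b) {
    return !b.authEnabled || b.acl != nullptr;
}

// New gate: the object exists (always true) AND the rules are user-specified.
bool linkGateByFlag(const Broker& b) {
    return !b.authEnabled || (b.acl && b.acl->rulesFromUser());
}

int main() {
    // Constructed cases: auth on without a file, auth on with a file.
    Broker noFile = makeBroker(true, "", 100);
    Broker withFile = makeBroker(true, "/constructed/policy.acl", 100);
    std::printf("no file:   existence=%d flag=%d max=%d\n",
                linkGateByExistence(noFile), linkGateByFlag(noFile),
                noFile.acl->maxConnections);
    std::printf("with file: existence=%d flag=%d\n",
                linkGateByExistence(withFile), linkGateByFlag(withFile));
    return 0;
}
```

With no ACL file the existence-based gate passes while the flag-based gate denies, and `maxConnections` is still populated because the object now always exists.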

