qpid-dev mailing list archives

From "Keith Wall (JIRA)" <j...@apache.org>
Subject [jira] [Created] (QPID-7928) [Java Broker] [ACL] Authorisation decisions about the access control provider itself consider its own local rules rather than those of the wider system
Date Wed, 27 Sep 2017 12:29:00 GMT
Keith Wall created QPID-7928:
--------------------------------

             Summary: [Java Broker] [ACL] Authorisation decisions about the access control
provider itself consider its own local rules rather than those of the wider system
                 Key: QPID-7928
                 URL: https://issues.apache.org/jira/browse/QPID-7928
             Project: Qpid
          Issue Type: Bug
          Components: Java Broker
    Affects Versions: qpid-java-6.1
            Reporter: Keith Wall
            Priority: Minor
             Fix For: qpid-java-broker-7.0.0


When making an authorisation decision about an AccessControlProvider object, currently the
implementation considers only the rules provided by the provider itself, rather than delegating
the decision to the hierarchical mechanism. This can mean that an authorisation decision
that ought to be allowed is denied.

For example, consider a Broker configured with the following {{RuleBased}} AccessControlProviders:

1) Broker rule-set {{ACL ALLOW admin ALL ALL}}
2) VirtualHost specific rule-set for user {{ACL ALLOW messaging_user...}}

As {{admin}}, if I try to update the VirtualHost's {{AccessControlProvider}}, the defect means
that the decision is denied even though the rule at the Broker ought to allow it.

The defect is that {{AbstractConfiguredObject#getAccessControl}} has two, conflicting, roles.

# The method is used by the {{AbstractConfiguredObject#authorise()}} method to get the in-force
AccessControl object that should be used to make an access decision for this configured object.
# In Broker and VirtualHost, the method #updateAccessControl relies on the method to retrieve an {{AccessControl}}
object from the AccessControlProvider. To allow for this, AccessControlProvider overrides
#getAccessControl to return the local rules.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
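The scenario in the ticket, as an added example that is not part of the original message and not Qpid Broker-J code: a small Python model of a Broker with one rule-based provider and a VirtualHost with another, where an authorisation decision about a provider object is made either from the provider's own local rules (the QPID-7928 behaviour) or by delegating to the hierarchy. All class and function names are hypothetical stand-ins for AbstractConfiguredObject#getAccessControl and #authorise; the "nearest provider first, first matching rule wins, unmatched is DENY" evaluation order is an assumption made for the model, and the rule sets are constructed from the two rule lines quoted above.

```python
"""Model of the QPID-7928 defect (illustrative, not Qpid Broker-J code).

An AccessControlProvider object is authorised against its own local rules
(defective) versus the rule sets in force for its position in the hierarchy
(fixed). Names here are hypothetical stand-ins for the broker's classes.
"""
from dataclasses import dataclass, field
from typing import List, Optional

ALLOW, DENY, DEFER = "ALLOW", "DENY", "DEFER"


@dataclass(frozen=True)
class Rule:
    """One 'ACL <outcome> <user> <operation> <object>' line; ALL is a wildcard."""
    outcome: str
    user: str
    operation: str
    obj_type: str

    def matches(self, user: str, operation: str, obj_type: str) -> bool:
        return all(want in (got, "ALL") for want, got in
                   ((self.user, user), (self.operation, operation), (self.obj_type, obj_type)))


@dataclass
class RuleSet:
    rules: List[Rule]

    def decide(self, user: str, operation: str, obj_type: str) -> str:
        """First matching rule wins; no match means this rule set has no opinion."""
        for rule in self.rules:
            if rule.matches(user, operation, obj_type):
                return rule.outcome
        return DEFER


@dataclass
class ConfiguredObject:
    name: str
    obj_type: str
    parent: Optional["ConfiguredObject"] = None
    children: List["ConfiguredObject"] = field(default_factory=list)
    local_rules: Optional[RuleSet] = None  # only an ACCESSCONTROLPROVIDER carries these

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.parent.children.append(self)

    def attached_provider(self) -> Optional["ConfiguredObject"]:
        return next((c for c in self.children if c.obj_type == "ACCESSCONTROLPROVIDER"), None)

    def in_force_rule_sets(self) -> List[RuleSet]:
        """Hierarchical mechanism (assumed): the provider attached to each container of
        this object, nearest first, so VirtualHost rules are consulted before Broker rules."""
        sets, node = [], self.parent
        while node is not None:
            provider = node.attached_provider()
            if provider is not None:
                sets.append(provider.local_rules)
            node = node.parent
        return sets

    def get_access_control_defective(self) -> List[RuleSet]:
        """QPID-7928: a provider answers with its own local rules, so a decision
        about the provider object itself never reaches the wider system."""
        return [self.local_rules] if self.local_rules is not None else self.in_force_rule_sets()

    def get_access_control_fixed(self) -> List[RuleSet]:
        """Delegate every decision about this object to the hierarchy."""
        return self.in_force_rule_sets()


def authorise(rule_sets: List[RuleSet], user: str, operation: str, obj_type: str) -> str:
    """Walk the rule sets in order; the first ALLOW/DENY wins; nothing matching is DENY
    (assumed default-deny, which is what makes the ticket's scenario fail)."""
    for rs in rule_sets:
        outcome = rs.decide(user, operation, obj_type)
        if outcome != DEFER:
            return outcome
    return DENY


def build_broker() -> ConfiguredObject:
    """Constructed scenario from the ticket: broker-wide 'ACL ALLOW admin ALL ALL' and a
    VirtualHost rule set that only mentions messaging_user (its object is assumed)."""
    broker = ConfiguredObject("broker", "BROKER")
    ConfiguredObject("broker-acl", "ACCESSCONTROLPROVIDER", broker,
                     local_rules=RuleSet([Rule(ALLOW, "admin", "ALL", "ALL")]))
    vhost = ConfiguredObject("default", "VIRTUALHOST", broker)
    ConfiguredObject("vhost-acl", "ACCESSCONTROLPROVIDER", vhost,
                     local_rules=RuleSet([Rule(ALLOW, "messaging_user", "ALL", "QUEUE")]))
    return broker


def find(node: ConfiguredObject, name: str) -> Optional[ConfiguredObject]:
    if node.name == name:
        return node
    return next((hit for c in node.children if (hit := find(c, name)) is not None), None)


def admin_update(provider_name: str, defective: bool) -> str:
    """Decision for 'admin' updating the named provider object under either behaviour."""
    provider = find(build_broker(), provider_name)
    sets = provider.get_access_control_defective() if defective else provider.get_access_control_fixed()
    return authorise(sets, "admin", "UPDATE", "ACCESSCONTROLPROVIDER")


if __name__ == "__main__":
    for name in ("vhost-acl", "broker-acl"):
        print(name, "defective:", admin_update(name, True), "fixed:", admin_update(name, False))
```

Running it shows the asymmetry the ticket points at: for the VirtualHost provider the defective path sees only the messaging_user rule and falls through to DENY, while the fixed path defers at the VirtualHost level and is allowed by the Broker's admin rule; for the Broker's own provider both paths agree, because its local rules happen to be the broker-wide rules, which is why the defect only surfaces on nested providers.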
