qpid-dev mailing list archives
From "Gordon Sim (Issue Comment Edited) (JIRA)" <j...@apache.org>
Subject [jira] [Issue Comment Edited] (QPID-3614) ACLs and federation links do not work
Date Tue, 15 Nov 2011 12:55:51 GMT

    [ https://issues.apache.org/jira/browse/QPID-3614?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13149856#comment-13149856 ]

Gordon Sim edited comment on QPID-3614 at 11/15/11 12:55 PM:
-------------------------------------------------------------

I don't believe it does use the specified user to publish messages, the connection underlying
the link was authenticated as anonymous (in my tests anyway). Looking through the source code,
it appears that transfers are *not* subject to authorisation unless there are specific, explicit
rules about it (comments indicate this is due to concerns around performance otherwise).

Sadly I don't think this is documented, though the mechanism is listed as an option in the
usage statement for qpid-route.
                
      was (Author: gsim):
    I don't believe it does use the specified user to publish messages, the connection underlying
the link was authenticated as anonymous (in my tests anyway). Looking through the source code,
it appears that transfers are subject to authorisation unless there are specific, explicit
rules about it (comments indicate this is due to concerns around performance otherwise).

Sadly I don't think this is documented, though the mechanism is listed as an option in the
usage statement for qpid-route.
                  
> ACLs and federation links do not work
> -------------------------------------
>
>                 Key: QPID-3614
>                 URL: https://issues.apache.org/jira/browse/QPID-3614
>             Project: Qpid
>          Issue Type: Bug
>          Components: C++ Broker
>    Affects Versions: 0.12
>         Environment: Built from source on ubuntu 10.04 x64
>            Reporter: Brandon Pedersen
>              Labels: acl, federation
>
> PROBLEM STATEMENT:
> I cannot get broker federation to work with ACLs enabled. I keep getting "ACL denied creating a federation link" even though my user has all permissions, on both brokers.
> STEPS TO REPRODUCE:
> - Create an acl file like the following:
> acl allow federation@QPID all all
> acl deny all all
> - Create the federation user in the sasl db
> - Using the following config:
> auth-realm=QPID
> log-enable=info+
> acl-file=/usr/local/etc/qpid/qpidd.acl
> sasl-config=/usr/local/etc/sasl2
> auth=yes
> - Start two brokers using the same config but different ports and data dirs (makes it easy to test the exact same authentication parameters for both brokers)
> - In my case I am creating a queue push route, so create a queue and do:
>  qpid-route queue add -s federation/password@localhost:5000 federation/password@localhost:5001 amq.direct myqueue
> Note that the use of a push route does not matter; I tested push and pull and both fail. I just want to point out that I am using a push route to ensure that gets tested as part of the fix for this.
> RESULTS:
> The connection fails to get created with an error: "ACL denied creating a federation link"
> In the debug log on the destination broker I see:
> 2011-11-11 15:50:20 debug ACL: Lookup for id: action:create objectType:link name: with params { }
> 2011-11-11 15:50:20 debug No successful match, defaulting to the decision mode deny
> It appears that the user ID is not getting sent across
> EXPECTED RESULTS:
> The federation link should work with proper ACLs in place

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
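The following is an added example, not code from the Qpid project or from anyone on this thread. It is a small Python model of how the reporter's two-line ACL file resolves the lookup that appears in the destination broker's debug log ("Lookup for id: action:create objectType:link"), run once with the empty identity the log shows and once with federation@QPID. It makes two simplifying assumptions that are not taken from the broker source: only user, action and object type are matched (property constraints such as name=... are ignored), and a trailing `acl allow|deny all all` line is treated as the default decision mode rather than as an ordinary rule, which is how the log line "defaulting to the decision mode deny" is read here.

```python
"""Toy evaluator for a qpidd ACL file (added example, not the Qpid broker's code).

Replays the lookup from the destination broker's debug log in the bug report,

    ACL: Lookup for id: action:create objectType:link name: with params { }
    No successful match, defaulting to the decision mode deny

against the reporter's ACL file.  Assumptions (not verified against the broker):
first-match semantics on user/action/object only, properties ignored, and the
trailing 'acl allow|deny all all' line consumed as the default decision mode.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ACL file exactly as given in the bug report.
REPORTED_ACL = """\
acl allow federation@QPID all all
acl deny all all
"""


@dataclass(frozen=True)
class Rule:
    permission: str  # "allow" or "deny"
    user: str        # "all" or user@realm
    action: str      # "all" or e.g. create, delete, access, publish, consume
    obj: str         # "all" or e.g. link, queue, exchange, broker


@dataclass
class Acl:
    rules: List[Rule]
    decision_mode: str  # verdict used when no rule matches


def parse_acl(text: str) -> Acl:
    """Parse 'acl <allow|deny> <user> <action> [object] [prop=value ...]' lines."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        if parts[0] != "acl" or len(parts) < 4 or parts[1] not in ("allow", "deny"):
            raise ValueError(f"unsupported ACL line: {raw!r}")
        perm, user, action = parts[1:4]
        # Object type is optional; a token containing '=' is a property we ignore.
        obj = parts[4] if len(parts) > 4 and "=" not in parts[4] else "all"
        rules.append(Rule(perm, user, action, obj))
    # Assumption: a final 'acl allow|deny all all' sets the default, it is not a rule.
    decision_mode = "deny"
    if rules and rules[-1].user == rules[-1].action == rules[-1].obj == "all":
        decision_mode = rules.pop().permission
    return Acl(rules, decision_mode)


def lookup(acl: Acl, user_id: str, action: str, obj: str) -> Tuple[str, Optional[Rule]]:
    """First rule whose user, action and object all match decides; otherwise the
    decision mode applies.  An empty user_id, as in the reporter's log, can only
    ever match rules written for user 'all', so the federation@QPID rule is skipped."""
    for rule in acl.rules:
        if (rule.user in ("all", user_id) and rule.action in ("all", action)
                and rule.obj in ("all", obj)):
            return rule.permission, rule
    return acl.decision_mode, None


def federation_link_check(user_id: str) -> str:
    """Verdict for the 'create link' lookup seen on the destination broker."""
    return lookup(parse_acl(REPORTED_ACL), user_id, "create", "link")[0]


if __name__ == "__main__":
    for ident in ("", "federation@QPID"):
        print(f"id={ident!r:20} create link -> {federation_link_check(ident)}")
```

With the empty identity the only remaining rule (for federation@QPID) cannot match, so the verdict falls through to the default and the link is denied, matching the two log lines; with the identity that qpid-route was given, the same lookup is allowed. The model says nothing about transfers (publish), which the comment above describes as skipped unless explicit rules exist.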

