Author: chug
Date: Fri Mar 22 14:59:38 2013
New Revision: 1459822
URL: http://svn.apache.org/r1459822
Log:
QPID-4631: C++ Broker interbroker links protected by ACL
This patch has the Acl code to observe CREATE LINK rules and the new link
creation logic in the broker connection handler.
Several self tests are broken by this patch and only ha_test.py has been
repaired. The fixes for these self tests are indicators of what customers must do
to deal with this new feature.
Modified:
qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/Acl.cpp
qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/Acl.h
qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/AclConnectionCounter.cpp
qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/AclData.cpp
qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/AclData.h
qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/AclReader.cpp
qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/management-schema.xml
qpid/branches/qpid-4631/qpid/cpp/src/qpid/broker/AclModule.h
qpid/branches/qpid-4631/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp
qpid/branches/qpid-4631/qpid/cpp/src/tests/ha_test.py
Modified: qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/Acl.cpp
URL:
http://svn.apache.org/viewvc/qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/Acl.cpp?rev=1459822&r1=1459821&r2=1459822&view=diff
==============================================================================
--- qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/Acl.cpp (original)
+++ qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/Acl.cpp Fri Mar 22 14:59:38
2013
@@ -53,7 +53,7 @@ using qpid::management::Manageable;
using qpid::management::Args;
namespace _qmf = qmf::org::apache::qpid::acl;
-Acl::Acl (AclValues& av, Broker& b): aclValues(av), broker(&b),
transferAcl(false),
+Acl::Acl (AclValues& av, Broker& b): aclValues(av), broker(&b),
transferAcl(false), createlinkAcl(false),
connectionCounter(new ConnectionCounter(*this,
aclValues.aclMaxConnectPerUser, aclValues.aclMaxConnectPerIp,
aclValues.aclMaxConnectTotal)),
resourceCounter(new ResourceCounter(*this, aclValues.aclMaxQueuesPerUser)){
@@ -254,12 +254,17 @@ bool Acl::readAclFile(std::string& aclFi
Mutex::ScopedLock locker(dataLock);
data = d;
}
- transferAcl = data->transferAcl; // any transfer ACL
+ transferAcl = data->transferAcl; // any PUBLISH EXCHANGE transfer ACL
+ createlinkAcl = data->createlinkAcl; // any CREATE LINK ACL
if (data->transferAcl){
QPID_LOG(debug,"ACL: Transfer ACL is Enabled!");
}
+ if (data->createlinkAcl){
+ QPID_LOG(debug,"ACL: CREATE LINK ACL is Enabled!");
+ }
+
if (data->enforcingConnectionQuotas()){
QPID_LOG(debug, "ACL: Connection quotas are Enabled.");
}
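Review bot: `createlinkAcl` is assigned on the new line after `dataLock` has already been released (the ScopedLock scope closes two lines above it), and `isCreatelinkAcl()` in Acl.h returns the flag without taking any lock, so a connection thread arriving during a policy reload can observe the old flag together with the new `data`, or vice versa. This mirrors the existing `transferAcl` handling and is not introduced here, but the new flag decides whether a federation link is refused outright, so the window deserves at least a note: add `// NOTE: read unlocked by isCreatelinkAcl(); like transferAcl it may be momentarily stale during a reload` next to the assignment, or make both flags atomic. readAclFile's body starts before this hunk.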
@@ -271,6 +276,7 @@ bool Acl::readAclFile(std::string& aclFi
data->aclSource = aclFile;
if (mgmtObject!=0){
mgmtObject->set_transferAcl(transferAcl?1:0);
+ mgmtObject->set_createLinkAcl(createlinkAcl?1:0);
mgmtObject->set_policyFile(aclFile);
sys::AbsTime now = sys::AbsTime::now();
int64_t ns = sys::Duration(sys::EPOCH, now);
Modified: qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/Acl.h
URL:
http://svn.apache.org/viewvc/qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/Acl.h?rev=1459822&r1=1459821&r2=1459822&view=diff
==============================================================================
--- qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/Acl.h (original)
+++ qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/Acl.h Fri Mar 22 14:59:38 2013
@@ -61,6 +61,7 @@ private:
acl::AclValues aclValues;
broker::Broker* broker;
bool transferAcl;
+ bool createlinkAcl;
boost::shared_ptr<AclData> data;
qmf::org::apache::qpid::acl::Acl::shared_ptr mgmtObject;
qpid::management::ManagementAgent* agent;
@@ -81,6 +82,10 @@ public:
return transferAcl;
};
+ inline virtual bool isCreatelinkAcl() {
+ return createlinkAcl;
+ };
+
inline virtual uint16_t getMaxConnectTotal() {
return aclValues.aclMaxConnectTotal;
};
Modified: qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/AclConnectionCounter.cpp
URL:
http://svn.apache.org/viewvc/qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/AclConnectionCounter.cpp?rev=1459822&r1=1459821&r2=1459822&view=diff
==============================================================================
--- qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/AclConnectionCounter.cpp
(original)
+++ qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/AclConnectionCounter.cpp Fri
Mar 22 14:59:38 2013
@@ -288,7 +288,7 @@ std::string ConnectionCounter::getClient
}
// no hyphen found - use whole string
- assert(false);
+ //assert(false);
return mgmtId;
}
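Review bot: Commenting out `assert(false)` silences the unexpected-format case instead of handling it: when the management id contains no hyphen the whole id is now returned as the client identifier, and if that value feeds the per-IP connection quota (the counter is built with aclMaxConnectPerIp in Acl.cpp) a malformed id is counted under an arbitrary bucket with no signal at all, in debug builds as well as release. The commit should record why this path is now reachable — presumably federation-link connections carry a differently formatted id — and log it rather than leave a dead assert: replace `//assert(false);` with `QPID_LOG(debug, "ACL: no hyphen in management id '" << mgmtId << "', using whole id as client host");`. The getClient… function's body starts before this hunk, so whether callers tolerate the full id is not visible here.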
Modified: qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/AclData.cpp
URL:
http://svn.apache.org/viewvc/qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/AclData.cpp?rev=1459822&r1=1459821&r2=1459822&view=diff
==============================================================================
--- qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/AclData.cpp (original)
+++ qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/AclData.cpp Fri Mar 22
14:59:38 2013
@@ -46,6 +46,7 @@ namespace acl {
AclData::AclData():
decisionMode(qpid::acl::DENY),
transferAcl(false),
+ createlinkAcl(false),
aclSource("UNKNOWN"),
connQuotaRulesExist(false),
connQuotaRuleSettings(new quotaRuleSet),
@@ -74,6 +75,7 @@ namespace acl {
delete[] actionList[cnt];
}
transferAcl = false;
+ createlinkAcl = false;
connQuotaRulesExist = false;
connQuotaRuleSettings->clear();
queueQuotaRulesExist = false;
Modified: qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/AclData.h
URL:
http://svn.apache.org/viewvc/qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/AclData.h?rev=1459822&r1=1459821&r2=1459822&view=diff
==============================================================================
--- qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/AclData.h (original)
+++ qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/AclData.h Fri Mar 22 14:59:38
2013
@@ -118,6 +118,7 @@ public:
aclAction* actionList[qpid::acl::ACTIONSIZE];
qpid::acl::AclResult decisionMode; // allow/deny[-log] if no matching
rule found
bool transferAcl;
+ bool createlinkAcl;
std::string aclSource;
AclResult lookup(
Modified: qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/AclReader.cpp
URL:
http://svn.apache.org/viewvc/qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/AclReader.cpp?rev=1459822&r1=1459821&r2=1459822&view=diff
==============================================================================
--- qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/AclReader.cpp (original)
+++ qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/AclReader.cpp Fri Mar 22
14:59:38 2013
@@ -160,6 +160,10 @@ namespace acl {
ocnt < acl::OBJECTSIZE;
(*i)->objStatus != aclRule::VALUE ? ocnt++ : ocnt =
acl::OBJECTSIZE) {
+ // Observe existance of CREATE LINK rules
+ if (acnt == acl::ACT_CREATE && ocnt == acl::OBJ_LINK)
+ d->createlinkAcl = true;
+
//find the Object, create if not exist
if (d->actionList[acnt][ocnt] == NULL)
d->actionList[acnt][ocnt] =
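Review bot: The comment above the new check understates what the flag means: as far as the loop header shows, a rule whose object or action is a wildcard also iterates over OBJ_LINK / ACT_CREATE, so `acl deny ... create link` and `acl allow all all` both set `createlinkAcl`, and that is what switches the broker from refusing every federation link to consulting authorise(). Suggest `// Observe existence of any CREATE LINK rule (allow or deny, explicit or via 'all'); without one the broker refuses federation links outright` in place of the current line, which also fixes the "existance" typo. The enclosing for loop starts before this hunk.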
Modified: qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/management-schema.xml
URL:
http://svn.apache.org/viewvc/qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/management-schema.xml?rev=1459822&r1=1459821&r2=1459822&view=diff
==============================================================================
--- qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/management-schema.xml
(original)
+++ qpid/branches/qpid-4631/qpid/cpp/src/qpid/acl/management-schema.xml Fri Mar
22 14:59:38 2013
@@ -26,6 +26,7 @@
<property name="maxConnectionsPerIp" type="uint16" access="RO"
desc="Maximum allowed connections"/>
<property name="maxConnectionsPerUser" type="uint16" access="RO"
desc="Maximum allowed connections"/>
<property name="maxQueuesPerUser" type="uint16" access="RO"
desc="Maximum allowed queues"/>
+ <property name="createLinkAcl" type="bool" access="RO"
desc="Create Link ACL rules may allow link creation"/>
<statistic name="aclDenyCount" type="count64" unit="request"
desc="Number of ACL requests denied"/>
<statistic name="connectionDenyCount" type="count64" unit="connection"
desc="Number of connections denied"/>
<statistic name="queueQuotaDenyCount" type="count64" unit="queue"
desc="Number of queue creations denied"/>
Modified: qpid/branches/qpid-4631/qpid/cpp/src/qpid/broker/AclModule.h
URL:
http://svn.apache.org/viewvc/qpid/branches/qpid-4631/qpid/cpp/src/qpid/broker/AclModule.h?rev=1459822&r1=1459821&r2=1459822&view=diff
==============================================================================
--- qpid/branches/qpid-4631/qpid/cpp/src/qpid/broker/AclModule.h (original)
+++ qpid/branches/qpid-4631/qpid/cpp/src/qpid/broker/AclModule.h Fri Mar 22
14:59:38 2013
@@ -132,6 +132,11 @@ namespace broker {
// doTransferAcl pervents time consuming ACL calls on a per-message
basis.
virtual bool doTransferAcl()=0;
+ // Federation link creation is denied unless ACL module is loaded and
+ // at least one CREATE LINK rule is specified.
+ // This flag indicates that a CREATE LINK rule was processed.
+ virtual bool isCreatelinkAcl()=0;
+
virtual uint16_t getMaxConnectTotal()=0;
virtual bool authorise(
Modified: qpid/branches/qpid-4631/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp
URL:
http://svn.apache.org/viewvc/qpid/branches/qpid-4631/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp?rev=1459822&r1=1459821&r2=1459822&view=diff
==============================================================================
--- qpid/branches/qpid-4631/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp
(original)
+++ qpid/branches/qpid-4631/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp Fri
Mar 22 14:59:38 2013
@@ -201,11 +201,25 @@ void ConnectionHandler::Handler::startOk
if (connection.isFederationLink()) {
AclModule* acl = connection.getBroker().getAcl();
FieldTable properties;
- if (acl &&
!acl->authorise(connection.getUserId(),acl::ACT_CREATE,acl::OBJ_LINK,"")){
+ if (acl) {
+ if (acl->isCreatelinkAcl()) {
+ if
(!acl->authorise(connection.getUserId(),acl::ACT_CREATE,acl::OBJ_LINK,"")){
+
proxy.close(framing::connection::CLOSE_CODE_CONNECTION_FORCED,
+ QPID_MSG("ACL denied " <<
connection.getUserId()
+ << " creating a federation link"));
+ return;
+ }
+ } else {
+ proxy.close(framing::connection::CLOSE_CODE_CONNECTION_FORCED,
+ QPID_MSG("ACL denied " << connection.getUserId()
+ << ". Federation links require explicit CREATE
LINK ACL rules"));
+ return;
+ }
+ } else {
proxy.close(framing::connection::CLOSE_CODE_CONNECTION_FORCED,
QPID_MSG("ACL denied " << connection.getUserId()
- << " creating a federation link"));
- return;
+ << ". Federation links require ACL module and
explicit CREATE LINK ACL rules"));
+ return;
}
QPID_LOG(info, "Connection is a federation link");
}
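Review bot: The two new refusal branches (no ACL module, no CREATE LINK rule) report the reason only in the close frame sent to the peer; nothing is logged on the broker and, unlike the authorise() path, no deny counter is involved, so an operator investigating a failed interbroker link after this change finds nothing in the broker log. Whether authorise() logs its own denials is not visible here, so logging once on the common refusal path covers all three cases. The three near-identical proxy.close blocks can be collapsed by computing the denial text first, which makes the log a single line and keeps the messages byte-identical. The enclosing startOk handler starts before and ends after this hunk.
```cpp
    if (connection.isFederationLink()) {
        AclModule* acl = connection.getBroker().getAcl();
        FieldTable properties;
        // A federation link is refused unless the ACL module is loaded, the
        // policy has at least one CREATE LINK rule, and that policy allows
        // this user; every refusal is logged broker-side as well as sent to
        // the peer in the close frame.
        std::string denial;
        if (!acl) {
            denial = ". Federation links require ACL module and explicit CREATE LINK ACL rules";
        } else if (!acl->isCreatelinkAcl()) {
            denial = ". Federation links require explicit CREATE LINK ACL rules";
        } else if (!acl->authorise(connection.getUserId(), acl::ACT_CREATE, acl::OBJ_LINK, "")) {
            denial = " creating a federation link";
        }
        if (!denial.empty()) {
            QPID_LOG(warning, "ACL denied " << connection.getUserId() << denial);
            proxy.close(framing::connection::CLOSE_CODE_CONNECTION_FORCED,
                        QPID_MSG("ACL denied " << connection.getUserId() << denial));
            return;
        }
        QPID_LOG(info, "Connection is a federation link");
    }
```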
Modified: qpid/branches/qpid-4631/qpid/cpp/src/tests/ha_test.py
URL:
http://svn.apache.org/viewvc/qpid/branches/qpid-4631/qpid/cpp/src/tests/ha_test.py?rev=1459822&r1=1459821&r2=1459822&view=diff
==============================================================================
--- qpid/branches/qpid-4631/qpid/cpp/src/tests/ha_test.py (original)
+++ qpid/branches/qpid-4631/qpid/cpp/src/tests/ha_test.py Fri Mar 22 14:59:38
2013
@@ -79,6 +79,17 @@ class HaBroker(Broker):
if ha_replicate is not None:
args += [ "--ha-replicate=%s"%ha_replicate ]
if brokers_url: args += [ "--ha-brokers-url", brokers_url ]
+ # Set up default ACL file to allow all create link
+ acl=os.path.join(os.getcwd(), "unrestricted.acl")
+ if not os.path.exists(acl):
+ aclf=file(acl,"w")
+ aclf.write("""
+acl allow all create link
+acl allow all all
+ """)
+ aclf.close()
+ if not "--acl-file" in args:
+ args += [ "--acl-file", acl, "--load-module", os.getenv("ACL_LIB")
]
Broker.__init__(self, test, args, **kwargs)
self.qpid_ha_path=os.path.join(os.getenv("PYTHON_COMMANDS"), "qpid-ha")
assert os.path.exists(self.qpid_ha_path)
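Review bot: `os.getenv("ACL_LIB")` is appended to `args` unchecked, so when the variable is unset the broker is launched with a literal `None` argument and fails far from the cause; guard it first with `acl_lib = os.getenv("ACL_LIB")` and `assert acl_lib, "ACL_LIB not set"`, mirroring the existing assert on qpid_ha_path. The `"--acl-file" in args` test only matches the split form, so a caller passing `--acl-file=path` ends up with two policy files. The file is written with the Python 2 `file()` builtin and is not closed if the write raises; `with open(acl, "w") as aclf:` is the idiomatic form, and the separate `acl allow all create link` line appears redundant next to `acl allow all all` — if it is kept to document intent, a comment saying so would help. HaBroker.__init__ starts before and ends after this hunk.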