[ https://issues.apache.org/jira/browse/QPID-3614?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13149613#comment-13149613 ]
Gordon Sim commented on QPID-3614:
----------------------------------
Try adding an explicit SASL mechanism for the route:
    qpid-route queue add -s federation/password@localhost:5000 federation/password@localhost:5001 amq.direct myqueue PLAIN
For me this works even with your original ACL. Without specifying PLAIN, the
connection from localhost:5001 to localhost:5000 authenticates as anonymous
(assuming that's enabled) and it is the anonymous user that is then checked for
permission to create the federation link.
> ACLs and federation links do not work
> -------------------------------------
>
> Key: QPID-3614
> URL: https://issues.apache.org/jira/browse/QPID-3614
> Project: Qpid
> Issue Type: Bug
> Components: C++ Broker
> Affects Versions: 0.12
> Environment: Built from source on ubuntu 10.04 x64
> Reporter: Brandon Pedersen
> Labels: acl, federation
>
> PROBLEM STATEMENT:
> I cannot get broker federation to work with ACLs enabled. I keep getting "ACL
> denied creating a federation link" even though my user has all permissions,
> on both brokers.
> STEPS TO REPRODUCE:
> - Create an acl file like the following:
>     acl allow federation@QPID all all
>     acl deny all all
> - Create the federation user in the sasl db
> - Using the following config:
>     auth-realm=QPID
>     log-enable=info+
>     acl-file=/usr/local/etc/qpid/qpidd.acl
>     sasl-config=/usr/local/etc/sasl2
>     auth=yes
> - Start two brokers using the same config but different ports and data dirs
> (makes it easy to test the exact same authentication parameters for both
> brokers)
> - In my case I am creating a queue push route, so create a queue and do:
>     qpid-route queue add -s federation/password@localhost:5000 federation/password@localhost:5001 amq.direct myqueue
> Note that the use of a push route does not matter, I tested push and pull and
> both fail, just want to point out that I am using a push route to ensure that
> gets tested as part of the fix for this.
> RESULTS:
> The connection fails to get created with an error: "ACL denied creating a
> federation link"
> In the debug log on the destination broker I see:
>     2011-11-11 15:50:20 debug ACL: Lookup for id: action:create objectType:link name: with params { }
>     2011-11-11 15:50:20 debug No successful match, defaulting to the decision mode deny
> It appears that the user ID is not getting sent across.
> EXPECTED RESULTS:
> The federation link should work with proper ACLs in place
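
Added example (not part of the JIRA comment or of the Qpid code base): a small Python triage script for the symptom discussed above. It reads broker debug output and classifies each denied "create link" ACL lookup by whether the identity the broker checked was the expected federation user. The one-line log layout and the user name federation@QPID are assumptions taken from the lines quoted in the report; sample lines 3-4 are constructed.

```python
import re

# Constructed sample. Lines 1-2 are the debug lines quoted in the report,
# unwrapped; lines 3-4 are constructed to show the other failure cause.
SAMPLE_LOG = """\
2011-11-11 15:50:20 debug ACL: Lookup for id: action:create objectType:link name: with params { }
2011-11-11 15:50:20 debug No successful match, defaulting to the decision mode deny
2011-11-11 15:52:03 debug ACL: Lookup for id:federation@QPID action:create objectType:link name: with params { }
2011-11-11 15:52:03 debug No successful match, defaulting to the decision mode deny
"""

# Assumed layout: the identity follows "id:" directly and is empty when the
# broker has no authenticated user name for the connection.
LOOKUP = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) debug ACL: Lookup for "
    r"id:(?P<id>\S*) action:(?P<action>\S+) objectType:(?P<obj>\S+)"
)
DEFAULT_DENY = "No successful match, defaulting to the decision mode deny"


def denied_link_creations(log_text, expected_user="federation@QPID"):
    """Return denied 'create link' lookups, classified by likely cause."""
    findings = []
    pending = None  # most recent ACL lookup still waiting for its decision
    for line in log_text.splitlines():
        match = LOOKUP.match(line)
        if match:
            pending = match
            continue
        if pending and DEFAULT_DENY in line:
            if pending["action"] == "create" and pending["obj"] == "link":
                identity = pending["id"]
                if identity == expected_user:
                    cause = "acl-rules"  # right user, no rule allows it
                else:
                    cause = "identity"   # link connection is not the expected user
                findings.append(
                    {"ts": pending["ts"], "identity": identity, "cause": cause}
                )
        pending = None
    return findings


if __name__ == "__main__":
    for f in denied_link_creations(SAMPLE_LOG):
        who = f["identity"] or "<empty>"
        print(f"{f['ts']} create link denied for {who}: {f['cause']}")
```

A finding with cause "identity" points at how the route connection authenticated (the SASL mechanism on the qpid-route command) rather than at the ACL file.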