[ https://issues.apache.org/jira/browse/QPID-4775?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pavel Moravec updated QPID-4775:
--------------------------------

    Attachment: bz955674.patch

Patch proposal (applicable to 0.18 broker but can differ from 0.20 in line 
positions only).
                
> ACL delete action should not ignore object's properties other than name
> -----------------------------------------------------------------------
>
>                 Key: QPID-4775
>                 URL: https://issues.apache.org/jira/browse/QPID-4775
>             Project: Qpid
>          Issue Type: Improvement
>          Components: C++ Broker
>    Affects Versions: 0.18, 0.20
>            Reporter: Pavel Moravec
>            Priority: Minor
>              Labels: patch, security
>         Attachments: bz955674.patch
>
>
> Description of problem:
> ACL rule like:
> acl allow all delete queue autodelete=true
> should allow deletion of autodelete queues _only_. While any queue can be 
> deleted. The same applies to any object's property other than queue's name 
> (see Broker::deleteQueue method and how acl->authorise is called).
> The same applies not only to queues but also to exchanges.
> Version-Release number of selected component (if applicable):
> any
> How reproducible:
> 100%
> Steps to Reproduce:
> 1. cat <acl-file>
> # simply allow all except for deleting non-durable queue
> acl allow-log all consume all
> acl allow-log all publish all
> acl allow-log all create all
> acl allow-log all access all
> acl allow-log all bind all
> acl allow-log all unbind all
> acl allow-log all purge all
> acl allow-log all update all
> acl allow-log all delete exchange
> acl allow-log all delete queue durable=true
> acl deny-log all all
> 2. Start broker with auth=yes and the ACL file
> 3. qpid-config -b admin/admin@localhost:5672 add queue TransientQueue
> 4. qpid-config -b admin/admin@localhost:5672 del queue TransientQueue
> Actual results:
> Steps 3 and 4 pass.
> Expected results:
> Deleting queue should fail, as the queue is not durable.
> In fact, even _creating_ the queue that way should raise an exception, as 
> deleting auxiliary queue named like 
> "4135cd9e-04b8-4cef-bcd0-5404444d7a04:0.0" (where the qpid-config gets 
> response) should fail.
> Additional info:
> Same scenarios are applicable for all other queue properties and/or exchange 
> properties. Just queue/exchange name is checked.
> Patch proposed.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
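
The name-only check described in the report, shown as an added example that is not part of the original message, the attached patch, or Qpid's code: a simplified C++ model of first-match ACL evaluation using the two delete-relevant rules from the reproducer. `Rule`, `constraintsHold`, `mayDeleteQueue`, this `authorise` signature and the rule that unsupplied properties are skipped are all assumptions of the model.

```cpp
#include <map>
#include <string>
#include <vector>

// Simplified model of first-match ACL evaluation (illustrative, not Qpid's code).
using Props = std::map<std::string, std::string>;
struct Rule {
    bool allow;
    std::string action, object;  // "all" acts as a wildcard
    Props constraints;           // e.g. durable=true
};

// Model assumption: a constraint on a property the caller did not supply is skipped.
static bool constraintsHold(const Props& constraints, const Props& request) {
    for (const auto& c : constraints) {
        auto r = request.find(c.first);
        if (r != request.end() && r->second != c.second) return false;
    }
    return true;
}

// First matching rule decides; no match means deny.
bool authorise(const std::vector<Rule>& acl, const std::string& action,
               const std::string& object, const Props& request) {
    for (const Rule& r : acl) {
        if (r.action != "all" && r.action != action) continue;
        if (r.object != "all" && r.object != object) continue;
        if (constraintsHold(r.constraints, request)) return r.allow;
    }
    return false;
}

// Constructed from the reproducer: "delete queue durable=true", then "deny all all".
std::vector<Rule> reproducerAcl() {
    return { {true, "delete", "queue", {{"durable", "true"}}},
             {false, "all", "all", {}} };
}

// nameOnly=true models a delete check that is handed just the queue name.
bool mayDeleteQueue(const std::string& name, bool durable, bool nameOnly) {
    Props request;
    request["name"] = name;
    if (!nameOnly) request["durable"] = durable ? "true" : "false";
    return authorise(reproducerAcl(), "delete", "queue", request);
}

int main() {  // exit 0 when the name-only check allows and the property-aware check denies
    return (mayDeleteQueue("TransientQueue", false, true) &&
            !mayDeleteQueue("TransientQueue", false, false)) ? 0 : 1;
}
```

In this model, the `durable=true` rule matches any queue when only the name reaches the check. Once the queue's real properties are supplied, the transient queue falls through to the final deny rule.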
