Pavel Moravec created QPID-5621:
-----------------------------------

             Summary: [C++ broker] userId is not passed to ACL when DIGEST-MD5 is used while creating link
                 Key: QPID-5621
                 URL: https://issues.apache.org/jira/browse/QPID-5621
             Project: Qpid
          Issue Type: Improvement
          Components: C++ Broker
    Affects Versions: 0.24
            Reporter: Pavel Moravec
            Assignee: Pavel Moravec
            Priority: Minor


Description of problem:

With authentication enabled and a SASL mechanism that requires a challenge to be 
sent to the client (DIGEST-MD5 or similar), no username/id is passed to the ACL 
module when a federation link is created. Link rules for a particular username 
are therefore silently passed over with no match; only the 'all' rules match.

Reproducer:

###QPIDD.CONF
auth=yes
#acl-file=/var/lib/qpidd/fed.acl
acl-file=/etc/qpid/fed.acl
#acl-file=/etc/qpid/qpidd.acl

log-to-file=/var/lib/qpidd/qpidd.log
log-enable=info+
log-enable=debug+:Acl

data-dir=/var/lib/qpidd


###FED.ACL
acl allow root@QPID all all

acl deny all all


### start 2 brokers with the above settings (the second broker with a different port and data-dir)

###Creating regular link from 10000->5672
qpid-route link add root/root@localhost:10000 root/root@localhost:5672 
DIGEST-MD5



Logs:
###DESTINATION QPIDD LOG (10000)
2013-08-13 10:33:38 [Broker] info The Broker::connect() method will be removed 
in a future release of QPID. Please use the Broker::create() method with 
type='link' instead.
2013-08-13 10:33:38 [Broker] info The Broker::connect() method will be removed 
in a future release of QPID. Please use the Broker::create() method with 
type='link' instead.
2013-08-13 10:33:38 [System] info Connecting: [::1]:5672
2013-08-13 10:33:38 [System] info Connecting: [::1]:5672
2013-08-13 10:33:38 [Broker] info Inter-broker link connecting to localhost:5672
2013-08-13 10:33:38 [Broker] info Inter-broker link connecting to localhost:5672
2013-08-13 10:33:38 [Network] info Set TCP_NODELAY on connection to 
localhost:5672
2013-08-13 10:33:38 [Network] info Set TCP_NODELAY on connection to 
localhost:5672
2013-08-13 10:33:38 [Broker] info Inter-broker link established to 
localhost:5672
2013-08-13 10:33:38 [Broker] info Inter-broker link established to 
localhost:5672
2013-08-13 10:33:38 [Broker] warning Client closed connection with 320: ACL 
denied  creating a federation link (.. ConnectionHandler.cpp:205)
2013-08-13 10:33:38 [Broker] warning Client closed connection with 320: ACL 
denied  creating a federation link (.. ConnectionHandler.cpp:205)
2013-08-13 10:33:38 [Broker] info Inter-broker link disconnected from 
localhost:5672 Closed by peer
2013-08-13 10:33:38 [Broker] info Inter-broker link disconnected from 
localhost:5672 Closed by peer


###SOURCE QPID LOG (5672)
2013-08-13 10:33:26 [Broker] notice Shut down
2013-08-13 10:33:26 [Store] notice Journal "TplStore": Destroyed
2013-08-13 10:33:26 [Broker] info Management enabled
2013-08-13 10:33:26 [Management] info ManagementAgent restored broker ID: 
1e1f0ae9-a2e3-435c-8f5e-366d93dd69bf
2013-08-13 10:33:26 [Broker] info Loaded protocol AMQP 1.0
2013-08-13 10:33:26 [Store] notice Journal "TplStore": Created
2013-08-13 10:33:26 [Store] notice Store module initialized; 
store-dir=/var/lib/qpidd
2013-08-13 10:33:26 [Store] info > Default files per journal: 8
2013-08-13 10:33:26 [Store] info > Default journal file size: 24 (wpgs)
2013-08-13 10:33:26 [Store] info > Default write cache page size: 32 (KiB)
2013-08-13 10:33:26 [Store] info > Default number of write cache pages: 32
2013-08-13 10:33:26 [Store] info > TPL files per journal: 8
2013-08-13 10:33:26 [Store] info > TPL journal file size: 24 (wpgs)
2013-08-13 10:33:26 [Store] info > TPL write cache page size: 4 (KiB)
2013-08-13 10:33:26 [Store] info > TPL number of write cache pages: 64
2013-08-13 10:33:26 [Security] notice SSL plugin not enabled, you must set 
--ssl-cert-db to enable it.
2013-08-13 10:33:26 [Broker] info Registered xml exchange
2013-08-13 10:33:26 [Store] info Most recent persistence id found: 0x0
2013-08-13 10:33:26 [Store] info Recovered exchange "amq.direct"
2013-08-13 10:33:26 [Store] info Recovered exchange "amq.topic"
2013-08-13 10:33:26 [Store] info Recovered exchange "amq.fanout"
2013-08-13 10:33:26 [Store] info Recovered exchange "amq.match"
2013-08-13 10:33:26 [Security] info SASL: config path set to /etc/sasl2
2013-08-13 10:33:26 [Broker] info SASL enabled
2013-08-13 10:33:26 [Network] info Listening to: 0.0.0.0:5672
2013-08-13 10:33:26 [Network] info Listening to: [::]:5672
2013-08-13 10:33:26 [Network] notice Listening on TCP/TCP6 port 5672
2013-08-13 10:33:26 [Security] notice ACL: Read file "/etc/qpid/fed.acl"
2013-08-13 10:33:26 [Security] debug ACL: Group list: 0 groups found:
2013-08-13 10:33:26 [Security] debug ACL: name list: 2 names found:
2013-08-13 10:33:26 [Security] debug ACL:  * root@QPID
2013-08-13 10:33:26 [Security] debug ACL: Rule list: 2 ACL rules found:
2013-08-13 10:33:26 [Security] debug ACL:    1 allow [root@QPID] * *
2013-08-13 10:33:26 [Security] debug ACL:    2 deny [*] *
2013-08-13 10:33:26 [Security] debug ACL: connections quota: 0 rules found:
2013-08-13 10:33:26 [Security] debug ACL: queues quota: 0 rules found:
2013-08-13 10:33:26 [Security] debug ACL: Load Rules
2013-08-13 10:33:26 [Security] debug ACL: Processing  2 deny [*] *
2013-08-13 10:33:26 [Security] debug ACL: FoundMode deny
2013-08-13 10:33:26 [Security] debug ACL: Processing  1 allow [root@QPID] * *
2013-08-13 10:33:26 [Security] debug ACL: Adding actions 
{consume,publish,create,access,bind,unbind,delete,purge,update} to objects 
{queue,exchange,broker,link,method} with props { } for users {root@QPID}
2013-08-13 10:33:26 [Security] debug ACL: Transfer ACL is Enabled!
2013-08-13 10:33:26 [Security] info ACL Plugin loaded
2013-08-13 10:33:26 [Store] info Enabling management instrumentation for the 
store.
2013-08-13 10:33:26 [System] info Rdma: Disabled: no rdma devices found
2013-08-13 10:33:26 [Broker] notice Broker running
2013-08-13 10:33:38 [Network] info Set TCP_NODELAY on connection to [::1]:49312
2013-08-13 10:33:38 [Security] info SASL: Mechanism list: DIGEST-MD5 ANONYMOUS 
PLAIN
2013-08-13 10:33:38 [Security] info SASL: Starting authentication with 
mechanism: DIGEST-MD5
2013-08-13 10:33:38 [Security] debug ACL: Lookup for id: action:create 
objectType:link name: with params { }
2013-08-13 10:33:38 [Security] debug ACL: No successful match, defaulting to 
the decision mode deny



Actual results:
Link creation is denied because the user id is not passed to the ACL module.


Expected results:
The user id should be passed so that the ACL module can make the right decision.


Additional info:
The reason is that the ACL check for links is performed after receiving the 
connection.startOk AMQP method, whereas DIGEST-MD5 (and other authentication 
methods) only provide the userId later, during the connection.secureOk AMQP 
method.




--
This message was sent by Atlassian JIRA
(v6.2#6252)
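Added worked example (not code from the Qpid C++ broker or from the reporter): a small model of the ordering problem described under "Additional info". It replays the two rules of the report's fed.acl and two link handshakes, one with PLAIN and one with DIGEST-MD5, and performs the "create link" ACL lookup either at connection.start-ok (the reported behaviour) or after SASL has completed (the expected behaviour). The class and function names (Acl, SaslSession, linkCheckAtStartOk, linkCheckAfterAuth), the simplified DIGEST-MD5 response carrying only a username="..." directive, and the "@QPID" realm suffix are the example's own assumptions; no real DIGEST-MD5 hashing is performed.

```cpp
#include <iostream>
#include <string>
#include <vector>

// One line of the toy ACL: "acl <allow|deny> <user> <action> <object>"; "all" is a wildcard.
struct AclRule { bool allow; std::string user, action, object; };

struct AclDecision {
    bool allowed;
    bool matched;           // false when only the default decision mode applied
    std::string lookedUpId; // the user id the ACL actually saw
};

class Acl {
public:
    // Mirrors the report's fed.acl: "acl allow root@QPID all all" is the one ordered
    // rule; the trailing "acl deny all all" becomes the default decision mode.
    static Acl fromReport() {
        Acl acl;
        acl.rules_.push_back({true, "root@QPID", "all", "all"});
        acl.defaultAllow_ = false;
        return acl;
    }
    AclDecision authorise(const std::string& userId, const std::string& action,
                          const std::string& object) const {
        for (const AclRule& r : rules_) {
            // An empty userId never equals "root@QPID", so the allow rule cannot
            // fire while SASL is still mid-exchange.
            if (wild(r.user, userId) && wild(r.action, action) && wild(r.object, object))
                return {r.allow, true, userId};
        }
        return {defaultAllow_, false, userId}; // "No successful match, defaulting to ... deny"
    }
private:
    static bool wild(const std::string& pat, const std::string& v) { return pat == "all" || pat == v; }
    std::vector<AclRule> rules_;
    bool defaultAllow_ = false;
};

enum class Mechanism { PLAIN, DIGEST_MD5 };

// Server-side view of the SASL exchange. It only models *when* the authenticated
// identity becomes known (model assumption: no real DIGEST-MD5 digest is computed).
class SaslSession {
public:
    explicit SaslSession(Mechanism m) : mech_(m) {}
    // connection.start-ok: mechanism plus optional initial response. PLAIN carries
    // "\0authzid\0authcid\0passwd", so the user is known here. DIGEST-MD5 sends an
    // empty initial response; the server must challenge (connection.secure) first.
    bool startOk(const std::string& initialResponse) {
        if (mech_ == Mechanism::PLAIN) {
            std::string::size_type a = initialResponse.find('\0');
            std::string::size_type b = (a == std::string::npos) ? a : initialResponse.find('\0', a + 1);
            if (b == std::string::npos) return false;
            userId_ = initialResponse.substr(a + 1, b - a - 1) + "@QPID";
            return complete_ = true;
        }
        challengeSent_ = true; // identity still unknown at this point
        return false;
    }
    // connection.secure-ok: the challenge response carries username="..." (DIGEST-MD5).
    bool secureOk(const std::string& response) {
        const std::string key = "username=\"";
        std::string::size_type p = challengeSent_ ? response.find(key) : std::string::npos;
        if (p == std::string::npos) return false;
        std::string::size_type e = response.find('"', p + key.size());
        if (e == std::string::npos) return false;
        userId_ = response.substr(p + key.size(), e - p - key.size()) + "@QPID";
        return complete_ = true;
    }
    bool complete() const { return complete_; }
    const std::string& userId() const { return userId_; } // "" until complete()
private:
    Mechanism mech_;
    bool challengeSent_ = false, complete_ = false;
    std::string userId_;
};

static std::string plainInitialResponse(const std::string& user, const std::string& pass) {
    return std::string(1, '\0') + user + std::string(1, '\0') + pass;
}

// Reported behaviour: the link ACL lookup runs right after connection.start-ok.
AclDecision linkCheckAtStartOk(const Acl& acl, Mechanism m, const std::string& user, const std::string& pass) {
    SaslSession sasl(m);
    sasl.startOk(m == Mechanism::PLAIN ? plainInitialResponse(user, pass) : "");
    return acl.authorise(sasl.userId(), "create", "link"); // userId is "" for DIGEST-MD5
}

// Expected behaviour: defer the lookup until SASL has completed.
AclDecision linkCheckAfterAuth(const Acl& acl, Mechanism m, const std::string& user, const std::string& pass) {
    SaslSession sasl(m);
    if (!sasl.startOk(m == Mechanism::PLAIN ? plainInitialResponse(user, pass) : ""))
        sasl.secureOk("username=\"" + user + "\",realm=\"QPID\",nonce=\"...\",response=..."); // constructed
    if (!sasl.complete()) return {false, false, ""};
    return acl.authorise(sasl.userId(), "create", "link");
}

int main() {
    Acl acl = Acl::fromReport();
    AclDecision early = linkCheckAtStartOk(acl, Mechanism::DIGEST_MD5, "root", "root");
    AclDecision late  = linkCheckAfterAuth(acl, Mechanism::DIGEST_MD5, "root", "root");
    std::cout << "at start-ok: id='" << early.lookedUpId << "' allowed=" << early.allowed
              << "\nafter secure-ok: id='" << late.lookedUpId << "' allowed=" << late.allowed << '\n';
    return 0;
}
```

With DIGEST-MD5 the lookup at start-ok sees an empty id, matches no named rule and falls through to the deny mode, which is exactly the "Lookup for id: action:create objectType:link" followed by "No successful match, defaulting to the decision mode deny" in the source broker's log. The same ACL with PLAIN succeeds at start-ok only because PLAIN ships the username in the initial response; a mechanism-independent fix has to wait for SASL completion before consulting the ACL.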
