Ernest Allen created QPID-6544:
----------------------------------

             Summary: [ACL] Python client demands unnecessary permission / performs unnecessary actions
                 Key: QPID-6544
                 URL: https://issues.apache.org/jira/browse/QPID-6544
             Project: Qpid
          Issue Type: Bug
          Components: Python Client
    Affects Versions: 0.22
            Reporter: Ernest Allen


Description of problem:
The Python client accesses both exchange and queue objects, even when the object type is specified, thus demanding unnecessary ACL rules to be allowed.

Steps to Reproduce:
Scenario A (access)
1. create acl:
acl allow-log all access exchange
acl deny-log all all
2. send message to an amq.fanout
/usr/share/doc/python-qpid-0.22/examples/api/spout -c 1 -b UserA/UserA@localhost:5672 "amq.fanout;{node:{type:topic}}"
3. check qpidd log

Scenario B (create)
1. create acl:
acl allow-log all access all
acl allow-log all create queue
acl deny-log all all
2. create a queue using spout
/usr/share/doc/python-qpid-0.22/examples/api/spout -c 1 -b UserA/UserA@localhost:5672 "q;{create:always, node:{type:queue}}"
3. check qpidd log

Scenario A
Actual results:
2014-07-28 10:45:07 [Security] info ACL Allow id:UserA@QPID action:access ObjectType:exchange Name:amq.fanout
2014-07-28 10:45:07 [Security] info ACL Deny id:UserA@QPID action:access ObjectType:queue Name:amq.fanout

Expected results:
Scenario A: the expected results should contain just "action:access" and no "action:publish", as publish is for the queue object (and in our case, the message is discarded by the exchange due to no route/binding).

Scenario B
Actual results:
2014-07-28 10:57:31 [Security] info ACL Allow id:UserA@QPID action:access ObjectType:exchange Name:q
2014-07-28 10:57:31 [Security] info ACL Allow id:UserA@QPID action:access ObjectType:queue Name:q
2014-07-28 10:57:31 [Security] info ACL Allow id:UserA@QPID action:create ObjectType:queue Name:q

Expected results:
2014-07-28 10:57:31 [Security] info ACL Allow id:UserA@QPID action:create ObjectType:queue Name:q

Additional info:
[A] It behaves the same for node/type:queue, querying the exchange and then the queue.
[B] When creating, the client should request only the 'create' action, the same as C++.
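As an added example (not part of this report or of the Qpid project), a small Python replay of the two scenarios: it evaluates the quoted ACL rules against the requests recorded in the qpidd log, assuming first-match-wins semantics with a default deny, and lists the requests that go beyond what the operation actually needs.

```python
import re
# Constructed inputs: the ACL files and qpidd log lines quoted in the report.
ACL_A = "acl allow-log all access exchange\nacl deny-log all all"
ACL_B = "acl allow-log all access all\nacl allow-log all create queue\nacl deny-log all all"
LOG_A = [
    "2014-07-28 10:45:07 [Security] info ACL Allow id:UserA@QPID action:access ObjectType:exchange Name:amq.fanout",
    "2014-07-28 10:45:07 [Security] info ACL Deny id:UserA@QPID action:access ObjectType:queue Name:amq.fanout",
]
LOG_B = [
    "2014-07-28 10:57:31 [Security] info ACL Allow id:UserA@QPID action:access ObjectType:exchange Name:q",
    "2014-07-28 10:57:31 [Security] info ACL Allow id:UserA@QPID action:access ObjectType:queue Name:q",
    "2014-07-28 10:57:31 [Security] info ACL Allow id:UserA@QPID action:create ObjectType:queue Name:q",
]

RULE_RE = re.compile(r"^acl (allow|deny)(?:-log)? (\S+) (\S+)(?: (\S+))?$")
LOG_RE = re.compile(r"ACL (Allow|Deny) id:(\S+) action:(\S+) ObjectType:(\S+) Name:(\S+)")

def parse_acl(text):
    """Turn 'acl allow|deny[-log] <user> <action> [<object>]' lines into tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            verdict, user, action, obj = m.groups()
            rules.append((verdict, user, action, obj or "all"))
    return rules

def parse_log(lines):
    """Extract (verdict, user, action, object, name) from each ACL log line."""
    return [m.groups() for m in map(LOG_RE.search, lines) if m]

def evaluate(rules, user, action, obj):
    """First matching rule wins (assumed qpidd semantics); no match means deny."""
    for verdict, r_user, r_action, r_obj in rules:
        if r_user in ("all", user) and r_action in ("all", action) and r_obj in ("all", obj):
            return "Allow" if verdict == "allow" else "Deny"
    return "Deny"

def replay(acl_text, log_lines):
    """Re-evaluate each logged request; return (action, object, broker verdict, ours)."""
    rules = parse_acl(acl_text)
    return [(a, o, v, evaluate(rules, u, a, o)) for v, u, a, o, _ in parse_log(log_lines)]

def excess_demands(log_lines, needed):
    """Requests beyond the (action, object) pairs the operation needs: these are
    the extra ACL rules the bug forces an administrator to grant."""
    return [(a, o) for _, _, a, o, _ in parse_log(log_lines) if (a, o) not in needed]
```

Running `excess_demands(LOG_B, {("create", "queue")})` shows the two access checks that a create-only ACL should never have to allow.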




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)