Keith Wall created QPID-7928:
--------------------------------
Summary: [Java Broker] [ACL] Authorisation decisions about the access control provider itself consider its own local rules rather than those of the wider system
Key: QPID-7928
URL: https://issues.apache.org/jira/browse/QPID-7928
Project: Qpid
Issue Type: Bug
Components: Java Broker
Affects Versions: qpid-java-6.1
Reporter: Keith Wall
Priority: Minor
Fix For: qpid-java-broker-7.0.0
When making an authorisation decision about an AccessControlProvider object,
the current implementation considers only the rules provided by the provider
itself, rather than delegating the decision to the hierarchical mechanism.
This can mean that an authorisation decision that ought to be allowed is
denied.
For example, consider a Broker configured with the following {{RuleBased}}
AccessControlProviders:
1) Broker rule-set {{ACL ALLOW admin ALL ALL}}
2) VirtualHost specific rule-set for user {{ACL ALLOW messaging_user...}}
As {{admin}}, if I try to update the VirtualHost's {{AccessControlProvider}},
the defect means that the decision is denied even though the rule at the
Broker ought to allow it.
The defect is that {{AbstractConfiguredObject#getAccessControl}} has two
conflicting roles.
# The method is used by the {{AbstractConfiguredObject#authorise()}} method to get
the in-force AccessControl object that should be used to make an access
decision for this configured object.
# In Broker and VirtualHost, the method #updateAccessControl relies on this method to
retrieve an {{AccessControl}} object from the AccessControlProvider. To allow
for this, AccessControlProvider overrides #getAccessControl to return the local
rules.
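The following is an added, self-contained model of the two roles described above; it is not Qpid Broker-J code and uses none of its classes. It assumes simplified rule-set semantics (first matching rule wins, no match yields DEFER, the nearest level is consulted first, and DEFER at every level becomes DENIED), and the VirtualHost rule body ({{messaging_user}} allowed on Queue objects) is constructed because the report elides it. {{DefectiveProvider}} reproduces the report's shape, where {{getAccessControl()}} is overridden to return the local rules; {{FixedProvider}} exposes the local rules through a separate, hypothetically named {{getLocalRules()}} accessor so that {{getAccessControl()}} stays hierarchical. For the report's scenario ({{admin}} updating the VirtualHost's provider) the defective shape yields DENIED and the fixed shape yields ALLOWED.

```java
import java.util.ArrayList;
import java.util.List;

// Added model (not Qpid Broker-J code) of the getAccessControl() role conflict in QPID-7928.
enum Result { ALLOWED, DENIED, DEFER }

interface AccessControl {
    Result authorise(String user, String operation, String objectType);
}

// RuleBased-style rule set: first matching rule wins; no match yields DEFER so an
// enclosing level can decide (assumed semantics for this model).
final class RuleBasedAccessControl implements AccessControl {
    private final List<String[]> rules = new ArrayList<>(); // {ALLOW|DENY, user, operation, objectType}

    RuleBasedAccessControl allow(String user, String operation, String objectType) {
        rules.add(new String[] {"ALLOW", user, operation, objectType});
        return this;
    }

    @Override
    public Result authorise(String user, String operation, String objectType) {
        for (String[] r : rules) {
            if (matches(r[1], user) && matches(r[2], operation) && matches(r[3], objectType)) {
                return "ALLOW".equals(r[0]) ? Result.ALLOWED : Result.DENIED;
            }
        }
        return Result.DEFER;
    }

    private static boolean matches(String pattern, String value) {
        return "ALL".equals(pattern) || pattern.equals(value);
    }
}

// Composes the rule sets in force from an object up to the Broker, nearest level first.
final class HierarchicalAccessControl implements AccessControl {
    private final List<AccessControl> chain;

    HierarchicalAccessControl(List<AccessControl> chain) { this.chain = chain; }

    @Override
    public Result authorise(String user, String operation, String objectType) {
        for (AccessControl level : chain) {
            Result r = level.authorise(user, operation, objectType);
            if (r != Result.DEFER) return r;
        }
        return Result.DEFER;
    }
}

// Broker -> VirtualHost -> AccessControlProvider tree of configured objects.
class ConfiguredObject {
    final String type;
    final ConfiguredObject parent;
    private AccessControl levelRules; // rule set installed at this level (Broker, VirtualHost)

    ConfiguredObject(String type, ConfiguredObject parent) {
        this.type = type;
        this.parent = parent;
    }

    // Role 2: Broker/VirtualHost#updateAccessControl installs a provider's rule set here.
    void updateAccessControl(AccessControl rules) { levelRules = rules; }

    // Role 1: the in-force control for decisions about this object, built from the parent chain.
    AccessControl getAccessControl() {
        List<AccessControl> chain = new ArrayList<>();
        for (ConfiguredObject o = this; o != null; o = o.parent) {
            if (o.levelRules != null) chain.add(o.levelRules);
        }
        return new HierarchicalAccessControl(chain);
    }

    // Deny by default when every level defers.
    Result authorise(String user, String operation) {
        Result r = getAccessControl().authorise(user, operation, type);
        return r == Result.DEFER ? Result.DENIED : r;
    }
}

// Defective shape: getAccessControl() is overridden to serve role 2, so authorise() on the
// provider itself (role 1) evaluates only the local rules and never reaches the Broker's.
final class DefectiveProvider extends ConfiguredObject {
    private final RuleBasedAccessControl local;
    DefectiveProvider(ConfiguredObject parent, RuleBasedAccessControl local) {
        super("AccessControlProvider", parent);
        this.local = local;
    }
    @Override AccessControl getAccessControl() { return local; }
}

// Fixed shape: local rules are reached through a separate accessor (hypothetical name);
// getAccessControl() keeps the hierarchical meaning inherited from ConfiguredObject.
final class FixedProvider extends ConfiguredObject {
    private final RuleBasedAccessControl local;
    FixedProvider(ConfiguredObject parent, RuleBasedAccessControl local) {
        super("AccessControlProvider", parent);
        this.local = local;
    }
    RuleBasedAccessControl getLocalRules() { return local; }
}

class Qpid7928Model {
    // The report's scenario: admin tries to UPDATE the VirtualHost's AccessControlProvider.
    static Result adminUpdatesVirtualHostProvider(boolean fixed) {
        ConfiguredObject broker = new ConfiguredObject("Broker", null);
        broker.updateAccessControl(new RuleBasedAccessControl().allow("admin", "ALL", "ALL"));

        ConfiguredObject vhost = new ConfiguredObject("VirtualHost", broker);
        // Constructed VirtualHost rule; the report only shows "ACL ALLOW messaging_user...".
        RuleBasedAccessControl vhostRules = new RuleBasedAccessControl().allow("messaging_user", "ALL", "Queue");

        ConfiguredObject provider;
        if (fixed) {
            FixedProvider p = new FixedProvider(vhost, vhostRules);
            vhost.updateAccessControl(p.getLocalRules());
            provider = p;
        } else {
            DefectiveProvider p = new DefectiveProvider(vhost, vhostRules);
            vhost.updateAccessControl(p.getAccessControl());
            provider = p;
        }
        return provider.authorise("admin", "UPDATE");
    }

    public static void main(String[] args) {
        System.out.println("defective provider: " + adminUpdatesVirtualHostProvider(false));
        System.out.println("fixed provider:     " + adminUpdatesVirtualHostProvider(true));
    }
}
```

Compile and run with {{javac Qpid7928Model.java && java Qpid7928Model}}. The point of the split is that a method consulted by the generic {{authorise()}} path must never be repurposed to return something narrower than the in-force policy; any object that needs to hand out its local rules should do so through a differently named accessor.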
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)