[ https://issues.apache.org/jira/browse/QPID-7928?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Keith Wall reassigned QPID-7928:
--------------------------------

    Assignee: Keith Wall

> [Java Broker] [ACL] Authorisation decisions about the access control provider
> itself consider its own local rules rather than those of the wider system
> --------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: QPID-7928
>                 URL: https://issues.apache.org/jira/browse/QPID-7928
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Broker
>    Affects Versions: qpid-java-6.1
>            Reporter: Keith Wall
>            Assignee: Keith Wall
>            Priority: Minor
>             Fix For: qpid-java-broker-7.0.0
>
>
> When making an authorisation decision about an AccessControlProvider object,
> currently the implementation considers only the rules provided by the
> provider itself, rather than delegating the decision to the hierarchical
> mechanism. This can mean that an authorisation decision that ought to be
> allowed is denied.
> For example, consider a Broker configured with the following {{RuleBased}}
> AccessControlProviders:
> 1) Broker rule-set {{ACL ALLOW admin ALL ALL}}
> 2) VirtualHost specific rule-set for user {{ACL ALLOW messaging_user...}}
> As {{admin}}, if I try to update the VirtualHost's {{AccessControlProvider}},
> the defect means that the decision is denied even though the rule at the
> Broker ought to allow it.
> The defect is that {{AbstractConfiguredObject#getAccessControl}} has two,
> conflicting, roles.
> # The method is used by the {{AbstractConfiguredObject#authorise()}} method to
> get the in-force AccessControl object that should be used to make an access
> decision for this configured object.
> # In Broker and VirtualHost, the #updateAccessControl method relies on this method to
> retrieve an {{AccessControl}} object from the AccessControlProvider. To
> allow for this, AccessControlProvider overrides #getAccessControl to return
> the local rules.
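The following is an added model of the two roles described in the issue; it is not Qpid Broker-J code. It assumes simplified rule semantics (first matching rule wins, no match means DEFER, an unanswered request is denied) and a VirtualHost rule body ({{ALLOW messaging_user CONSUME QUEUE}}) constructed to stand in for the truncated one above. `authorise_buggy` reproduces the defect (a provider's overridden `getAccessControl` returns only its local rules, so the decision never reaches the Broker), while `authorise_fixed` routes every object through the hierarchical walk and keeps the "fetch the local rules" accessor separate.

```python
# Added model (not Qpid Broker-J code) of the two roles of getAccessControl
# described in QPID-7928. Rule semantics below are assumed for the model.
from enum import Enum
from typing import List, Optional


class Result(Enum):
    ALLOWED = "ALLOWED"
    DENIED = "DENIED"
    DEFER = "DEFER"  # this rule set has no opinion; ask the next level up


class Rule:
    """One 'ACL ALLOW|DENY <identity> <action> <object>' line; 'ALL' is a wildcard."""

    def __init__(self, permit: bool, identity: str, action: str, obj: str):
        self.permit, self.identity, self.action, self.obj = permit, identity, action, obj

    def matches(self, identity: str, action: str, obj: str) -> bool:
        return all(p == "ALL" or p == v for p, v in
                   ((self.identity, identity), (self.action, action), (self.obj, obj)))


class RuleSet:
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def check(self, identity: str, action: str, obj: str) -> Result:
        # Assumed semantics: first matching rule wins; no match means DEFER.
        for rule in self.rules:
            if rule.matches(identity, action, obj):
                return Result.ALLOWED if rule.permit else Result.DENIED
        return Result.DEFER


class ConfiguredObject:
    def __init__(self, name: str, category: str, parent: Optional["ConfiguredObject"] = None):
        self.name, self.category, self.parent = name, category, parent
        self.provider: Optional["AccessControlProvider"] = None  # provider attached at this level


class AccessControlProvider(ConfiguredObject):
    """A RuleBased provider is itself a configured object, child of a Broker or VirtualHost."""

    def __init__(self, name: str, parent: ConfiguredObject, rules: List[Rule]):
        super().__init__(name, "ACCESSCONTROLPROVIDER", parent)
        self.local_rules = RuleSet(rules)
        parent.provider = self


def hierarchical_check(obj: ConfiguredObject, identity: str, action: str) -> Result:
    """Role 1: the in-force decision. Walk from the object up to the Broker, consulting
    the provider attached at each level; the first non-DEFER answer decides, and a
    request nobody answers is denied (assumed default)."""
    node = obj
    while node is not None:
        if node.provider is not None:
            result = node.provider.local_rules.check(identity, action, obj.category)
            if result is not Result.DEFER:
                return result
        node = node.parent
    return Result.DENIED


def local_rules(owner: ConfiguredObject) -> RuleSet:
    """Role 2: what updateAccessControl needs, the rules of the provider attached to
    this Broker or VirtualHost, with no hierarchy walk at all."""
    return owner.provider.local_rules


def authorise_buggy(obj: ConfiguredObject, identity: str, action: str) -> bool:
    # Defect: for a provider object, the overridden accessor yields only the provider's
    # own rules, so the Broker-level 'ALLOW admin ALL ALL' is never consulted.
    if isinstance(obj, AccessControlProvider):
        return obj.local_rules.check(identity, action, obj.category) is Result.ALLOWED
    return hierarchical_check(obj, identity, action) is Result.ALLOWED


def authorise_fixed(obj: ConfiguredObject, identity: str, action: str) -> bool:
    # Fix: every object, providers included, is authorised through the hierarchy.
    return hierarchical_check(obj, identity, action) is Result.ALLOWED


def build_scenario():
    """The Broker/VirtualHost pair from the issue; the VirtualHost rule is a constructed completion."""
    broker = ConfiguredObject("broker", "BROKER")
    AccessControlProvider("brokerAcl", broker, [Rule(True, "admin", "ALL", "ALL")])
    vhost = ConfiguredObject("default", "VIRTUALHOST", broker)
    vhost_acl = AccessControlProvider("vhostAcl", vhost,
                                      [Rule(True, "messaging_user", "CONSUME", "QUEUE")])
    return broker, vhost, vhost_acl


def demo() -> dict:
    broker, vhost, vhost_acl = build_scenario()
    return {
        "buggy": authorise_buggy(vhost_acl, "admin", "UPDATE"),          # False: denied
        "fixed": authorise_fixed(vhost_acl, "admin", "UPDATE"),          # True: Broker rule applies
        "messaging_user_fixed": authorise_fixed(vhost_acl, "messaging_user", "UPDATE"),  # False
        "local_rule_count": len(local_rules(vhost).rules),                # 1
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the symptom from the report: as `admin`, updating the VirtualHost's provider is denied by the buggy path because only the VirtualHost rule set is consulted, and allowed by the fixed path because that rule set defers and the Broker rule then answers. `messaging_user` stays denied either way, so the fix widens nothing beyond what the Broker-level rules already grant.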



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
