[jira] [Updated] (QPID-7934) [Java Broker] [ACL] A recovered RuleBasedVirtualHostAccessControlProvider doesn’t tell the virtualhost about updates to its rule-state

Mon, 09 Oct 2017 06:51:21 -0700 

     [ 
https://issues.apache.org/jira/browse/QPID-7934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alex Rudyy updated QPID-7934:
-----------------------------
    Status: Open  (was: Reviewable)

The change introduced in {{AbstractVirtualHost#onRestart}} to call  
{{AbstractVirtualHost#updateAccessControl}} (line 2663) after successful open 
of every {{VirtualHost}}'s child looks superfluous to me as it would cause 
rebuilding of  {{AbstractVirtualHost}} access control list on open of every 
queue, exchange, etc. Taking that {{AbstractVirtualHost#onActivate}} is called 
after opening of all children in  {{AbstractVirtualHost#onRestart}},  which in 
turn calls {{AbstractVirtualHost#updateAccessControl}} to rebuild virtual host 
access controls, the call to {{AbstractVirtualHost#updateAccessControl}} can be 
safely removed from call to {{applyToChildren}} in 
{{AbstractVirtualHost#onRestart}}.

> [Java Broker] [ACL] A recovered RuleBasedVirtualHostAccessControlProvider 
> doesn’t tell the virtualhost about updates to its rule-state
> --------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: QPID-7934
>                 URL: https://issues.apache.org/jira/browse/QPID-7934
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Broker
>    Affects Versions: qpid-java-6.1, qpid-java-6.1.4
>            Reporter: Keith Wall
>            Assignee: Keith Wall
>            Priority: Minor
>             Fix For: qpid-java-broker-7.0.0
>
>
> A recovered {{RuleBasedVirtualHostAccessControlProvider}} doesn’t tell its 
> virtualhost about changes to itself, so the virtualhost doesn’t react to 
> changes in its state (i.e. the rule-set).  This issue exists on the normal 
> Broker start-up path.  It means that if the user attempts to change a 
> rule-set the changes are not applied.
> If a new RuleBasedVirtualHostAccessControlProvider is added, changes made to 
> it are reported properly to the VirtualHost.  (This is why 
> {{VirtualHostAccessControlProviderRestTest}} does not fail).
> The issue is that {{AbstractVirtualHost#postResolveChildren}} fails to add 
> state listeners to existing {{VirtualHostAccessControlProviders}}.  The same 
> issue applies on the virtualhost restart path (much like QPID-7933).
> There is a second problem that lies behind the first.  If you fix 
> #postResolveChildren to install the listener on the existing VHACP, you find 
> that the VH still fails to update its ACL controller state probably after 
> changes to the provider.  This problem is that 
> {{AbstractVirtualHost#updateAccessControl}} gets called (by the super call at 
> line AbstractCommonRuleBasedAccessControlProvider.java:70) before 
> {{AbstractLegacyAccessControlProvider#recreateAccessController}} on the 
> following line so the VH continues to stale a stale controller.  
> The user can work around the problem by restarting the Broker.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org

Reply via email to