[qpid-dispatch] branch master updated: DISPATCH-1418: use proper outcome for deliveries to unavailable addresses

2019-10-02 Thread kgiusti
This is an automated email from the ASF dual-hosted git repository.

kgiusti pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git


The following commit(s) were added to refs/heads/master by this push:
 new fc9c438  DISPATCH-1418: use proper outcome for deliveries to 
unavailable addresses
fc9c438 is described below

commit fc9c4380d796656ad964e04bb389d3223d94b1c5
Author: Kenneth Giusti 
AuthorDate: Wed Oct 2 15:06:23 2019 -0400

DISPATCH-1418: use proper outcome for deliveries to unavailable addresses

Use the configured address treatment if available. Otherwise use the
router default treatment.

This closes #579
---
 src/router_core/transfer.c| 74 +++
 tests/system_tests_router_mesh.py |  5 ++-
 2 files changed, 45 insertions(+), 34 deletions(-)

diff --git a/src/router_core/transfer.c b/src/router_core/transfer.c
index 17067c4..6ee2624 100644
--- a/src/router_core/transfer.c
+++ b/src/router_core/transfer.c
@@ -477,43 +477,55 @@ static void qdr_link_forward_CT(qdr_core_t *core, 
qdr_link_t *link, qdr_delivery
 
 }
 link->total_deliveries++;
-}
 
-//
-// There is no address that we can send this delivery to, which means the 
addr was not found in our hash table. This
-// can be because there were no receivers or because the address was not 
defined in the config file.
-//
-else if (core->qd->default_treatment == QD_TREATMENT_UNAVAILABLE) {
+} else {
 //
-// If the treatment for these addresses is set to be unavailable, we
-// stop trying to forward it.  If the link is a locally attached client
-// we reject the message if the link is not anonymous as per the
-// documentation of the router's defaultTreatment=unavailable.  We
-// simply release it for other link types as the message did have a
-// destination at some point (it was forwarded to this router after
-// all) - the loss of the destination may be temporary.
+// There is no address that we can send this delivery to, which means
+// the addr was not found in our hash table. This can be because there
+// were no receivers or because the address was not defined in the
+// config file.
 //
-if (link->link_type == QD_LINK_ENDPOINT) {
-dlv->error = qdr_error(QD_AMQP_COND_NOT_FOUND, "Deliveries cannot 
be sent to an unavailable address");
-qdr_delivery_reject_CT(core, dlv);
-if (qdr_link_is_anonymous(link)) {
-qdr_link_issue_credit_CT(core, link, 1, false);
+
+qd_address_treatment_t trt = core->qd->default_treatment;
+if (dlv->to_addr) {
+qdr_address_config_t *ignore = 0;
+trt = qdr_treatment_for_address_hash_with_default_CT(core,
+ dlv->to_addr,
+ trt,
+ );
+}
+
+if (trt == QD_TREATMENT_UNAVAILABLE) {
+//
+// The treatment for these addresses is set to be unavailable, we
+// stop trying to forward it.  If the link is a locally attached 
client
+// we reject the message if the link is not anonymous as per the
+// documentation of the router's defaultTreatment=unavailable.  We
+// simply release it for other link types as the message did have a
+// destination at some point (it was forwarded to this router after
+// all) - the loss of the destination may be temporary.
+//
+if (link->link_type == QD_LINK_ENDPOINT) {
+dlv->error = qdr_error(QD_AMQP_COND_NOT_FOUND, "Deliveries 
cannot be sent to an unavailable address");
+qdr_delivery_reject_CT(core, dlv);
+if (qdr_link_is_anonymous(link)) {
+qdr_link_issue_credit_CT(core, link, 1, false);
+} else {
+// cannot forward on this targeted link.  withhold credit 
and drain
+qdr_link_issue_credit_CT(core, link, 0, true);
+}
 } else {
-// cannot forward on this targeted link.  withhold credit and 
drain
-qdr_link_issue_credit_CT(core, link, 0, true);
+qdr_delivery_release_CT(core, dlv);
+qdr_link_issue_credit_CT(core, link, 1, false);
 }
-} else {
-qdr_delivery_release_CT(core, dlv);
-qdr_link_issue_credit_CT(core, link, 1, false);
+//
+// We will not detach this link because this could be anonymous 
sender. We don't know
+// which address the sender will be sending to next
+// If this was not an anonymous sender, the initial 

[qpid-dispatch] branch master updated: DISPATCH-1431: fix system_tests_one_router multicast test client race

2019-10-02 Thread kgiusti
This is an automated email from the ASF dual-hosted git repository.

kgiusti pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git


The following commit(s) were added to refs/heads/master by this push:
 new ff971d4  DISPATCH-1431: fix system_tests_one_router multicast test 
client race
ff971d4 is described below

commit ff971d416bc20048f0576176b54c36ef7ebcea38
Author: Kenneth Giusti 
AuthorDate: Wed Oct 2 16:45:06 2019 -0400

DISPATCH-1431: fix system_tests_one_router multicast test client race
---
 tests/system_tests_one_router.py | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/tests/system_tests_one_router.py b/tests/system_tests_one_router.py
index ad1ac0d..c3dfa9a 100644
--- a/tests/system_tests_one_router.py
+++ b/tests/system_tests_one_router.py
@@ -686,6 +686,7 @@ class SemanticsMulticast(MessagingHandler):
 self.n_received_b = 0
 self.n_received_c = 0
 self.n_accepts = 0
+self.n_recv_ready = 0
 self.timer = None
 self.conn_1 = None
 self.conn_2 = None
@@ -698,7 +699,6 @@ class SemanticsMulticast(MessagingHandler):
 self.timer = event.reactor.schedule(TIMEOUT, Timeout(self))
 self.conn_1 = event.container.connect(self.address)
 self.conn_2 = event.container.connect(self.address)
-self.sender = event.container.create_sender(self.conn_1, self.dest)
 self.receiver_a = event.container.create_receiver(self.conn_2, 
self.dest, name="A")
 self.receiver_b = event.container.create_receiver(self.conn_1, 
self.dest, name="B")
 self.receiver_c = event.container.create_receiver(self.conn_2, 
self.dest, name="C")
@@ -720,6 +720,12 @@ class SemanticsMulticast(MessagingHandler):
 self.conn_1.close()
 self.conn_2.close()
 
+def on_link_opened(self, event):
+if event.receiver:
+self.n_recv_ready += 1
+if self.n_recv_ready == self.count:
+self.sender = event.container.create_sender(self.conn_1, 
self.dest)
+
 def on_sendable(self, event):
 if self.n_sent == 0:
 msg = Message(body="SemanticsMulticast-Test")
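Review bot: In `on_link_opened` the sender is created when `self.n_recv_ready == self.count`, but `n_recv_ready` counts opened receiver links while `count` is defined outside this hunk. The gate therefore only works if `count` happens to equal the three receivers (A, B, C) created in the previous hunk. If `count` is actually the number of messages to send, changing either number leaves the sender uncreated and the test can only end through the timeout. I would compare against an explicit receiver total, e.g. `if self.n_recv_ready == 3:  # receivers A, B and C`, or introduce a named attribute for it. The class body starts and ends outside the hunk.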





[qpid-broker-j] branch 7.1.x updated: QPID-8364: [Broker-J] Fix tests

2019-10-02 Thread orudyy
This is an automated email from the ASF dual-hosted git repository.

orudyy pushed a commit to branch 7.1.x
in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git


The following commit(s) were added to refs/heads/7.1.x by this push:
 new 748ec68  QPID-8364: [Broker-J] Fix tests
748ec68 is described below

commit 748ec6880feb2f25242586332937e299aee0f485
Author: Alex Rudyy 
AuthorDate: Wed Oct 2 18:35:54 2019 +0100

QPID-8364: [Broker-J] Fix tests

(cherry picked from commit 19ad881bf2297742ac5aff7a1538277464550df0)
---
 .../security/auth/manager/KerberosAuthenticationManagerTest.java  | 4 +++-
 .../security/auth/manager/SimpleLDAPAuthenticationManagerTest.java| 4 +++-
 .../qpid/server/security/auth/manager/SpnegoAuthenticatorTest.java| 4 +++-
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git 
a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManagerTest.java
 
b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManagerTest.java
index 4fb6293..e24d56c 100644
--- 
a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManagerTest.java
+++ 
b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManagerTest.java
@@ -19,6 +19,7 @@
 
 package org.apache.qpid.server.security.auth.manager;
 
+import static org.apache.commons.codec.CharEncoding.UTF_8;
 import static 
org.apache.qpid.server.security.auth.manager.KerberosAuthenticationManager.GSSAPI_MECHANISM;
 import static org.hamcrest.Matchers.not;
 import static org.junit.Assert.assertEquals;
@@ -30,6 +31,7 @@ import static org.mockito.Mockito.when;
 
 import java.io.File;
 import java.net.URL;
+import java.net.URLDecoder;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
 import java.util.Base64;
@@ -98,7 +100,7 @@ public class KerberosAuthenticationManagerTest extends 
UnitTestBase
 final URL resource = 
KerberosAuthenticationManagerTest.class.getClassLoader().getResource(LOGIN_CONFIG);
 LOGGER.debug("JAAS config:" + resource);
 assertNotNull(resource);
-
SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.auth.login.config", 
resource.getPath());
+
SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.auth.login.config", 
URLDecoder.decode(resource.getPath(), UTF_8));
 
SYSTEM_PROPERTY_SETTER.setSystemProperty("javax.security.auth.useSubjectCredsOnly",
 "false");
 }
 
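Review bot: `URLDecoder.decode(resource.getPath(), UTF_8)` on the added line applies form-decoding rules, so a literal `+` in the checkout path becomes a space and the `java.security.auth.login.config` property would name a file that does not exist. Presumably the change is meant to handle percent-encoded characters such as spaces in the path; converting through the URI covers that without the `+` problem: `new File(resource.toURI()).getAbsolutePath()` (`java.io.File` is already imported in this file). `toURI()` throws `URISyntaxException`, and the enclosing method's signature is outside the hunk, so its throws clause may need adjusting. The same call is added in the SimpleLDAPAuthenticationManagerTest hunk and in the master copy of this commit further down the page.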
diff --git 
a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerTest.java
 
b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerTest.java
index b5dd2a1..590f076 100644
--- 
a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerTest.java
+++ 
b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerTest.java
@@ -32,6 +32,7 @@ import java.io.File;
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.net.URL;
+import java.net.URLDecoder;
 import java.nio.file.FileSystems;
 import java.nio.file.Path;
 import java.security.Principal;
@@ -48,6 +49,7 @@ import java.util.concurrent.atomic.AtomicBoolean;
 import javax.security.auth.Subject;
 import javax.security.auth.kerberos.KerberosPrincipal;
 
+import org.apache.commons.codec.CharEncoding;
 import org.apache.directory.api.ldap.model.constants.SupportedSaslMechanisms;
 import org.apache.directory.api.ldap.model.entry.DefaultEntry;
 import org.apache.directory.api.ldap.model.entry.Entry;
@@ -398,7 +400,7 @@ public class SimpleLDAPAuthenticationManagerTest extends 
UnitTestBase
 final URL resource = 
SimpleLDAPAuthenticationManagerTest.class.getClassLoader().getResource(LOGIN_CONFIG);
 LOGGER.debug("JAAS config:" + resource);
 assertNotNull(resource);
-
SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.auth.login.config", 
resource.getPath());
+
SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.auth.login.config", 
URLDecoder.decode(resource.getPath(), CharEncoding.UTF_8));
 SYSTEM_PROPERTY_SETTER.setSystemProperty("sun.security.krb5.debug", 
"true");
 }
 
diff --git 
a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SpnegoAuthenticatorTest.java
 
b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SpnegoAuthenticatorTest.java
index 5b34736..d3f8342 100644
--- 
a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SpnegoAuthenticatorTest.java
+++ 
b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SpnegoAuthenticatorTest.java
@@ -19,6 +19,7 @@
 
 package org.apache.qpid.server.security.auth.manager;
 
+import static org.apache.commons.codec.CharEncoding.UTF_8;
 

[qpid-broker-j] branch master updated: QPID-8364: [Broker-J] Fix tests

2019-10-02 Thread orudyy
This is an automated email from the ASF dual-hosted git repository.

orudyy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git


The following commit(s) were added to refs/heads/master by this push:
 new 19ad881  QPID-8364: [Broker-J] Fix tests
19ad881 is described below

commit 19ad881bf2297742ac5aff7a1538277464550df0
Author: Alex Rudyy 
AuthorDate: Wed Oct 2 18:35:54 2019 +0100

QPID-8364: [Broker-J] Fix tests
---
 .../security/auth/manager/KerberosAuthenticationManagerTest.java  | 4 +++-
 .../security/auth/manager/SimpleLDAPAuthenticationManagerTest.java| 4 +++-
 .../qpid/server/security/auth/manager/SpnegoAuthenticatorTest.java| 4 +++-
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git 
a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManagerTest.java
 
b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManagerTest.java
index 4fb6293..e24d56c 100644
--- 
a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManagerTest.java
+++ 
b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManagerTest.java
@@ -19,6 +19,7 @@
 
 package org.apache.qpid.server.security.auth.manager;
 
+import static org.apache.commons.codec.CharEncoding.UTF_8;
 import static 
org.apache.qpid.server.security.auth.manager.KerberosAuthenticationManager.GSSAPI_MECHANISM;
 import static org.hamcrest.Matchers.not;
 import static org.junit.Assert.assertEquals;
@@ -30,6 +31,7 @@ import static org.mockito.Mockito.when;
 
 import java.io.File;
 import java.net.URL;
+import java.net.URLDecoder;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
 import java.util.Base64;
@@ -98,7 +100,7 @@ public class KerberosAuthenticationManagerTest extends 
UnitTestBase
 final URL resource = 
KerberosAuthenticationManagerTest.class.getClassLoader().getResource(LOGIN_CONFIG);
 LOGGER.debug("JAAS config:" + resource);
 assertNotNull(resource);
-
SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.auth.login.config", 
resource.getPath());
+
SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.auth.login.config", 
URLDecoder.decode(resource.getPath(), UTF_8));
 
SYSTEM_PROPERTY_SETTER.setSystemProperty("javax.security.auth.useSubjectCredsOnly",
 "false");
 }
 
diff --git 
a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerTest.java
 
b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerTest.java
index b5dd2a1..590f076 100644
--- 
a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerTest.java
+++ 
b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerTest.java
@@ -32,6 +32,7 @@ import java.io.File;
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.net.URL;
+import java.net.URLDecoder;
 import java.nio.file.FileSystems;
 import java.nio.file.Path;
 import java.security.Principal;
@@ -48,6 +49,7 @@ import java.util.concurrent.atomic.AtomicBoolean;
 import javax.security.auth.Subject;
 import javax.security.auth.kerberos.KerberosPrincipal;
 
+import org.apache.commons.codec.CharEncoding;
 import org.apache.directory.api.ldap.model.constants.SupportedSaslMechanisms;
 import org.apache.directory.api.ldap.model.entry.DefaultEntry;
 import org.apache.directory.api.ldap.model.entry.Entry;
@@ -398,7 +400,7 @@ public class SimpleLDAPAuthenticationManagerTest extends 
UnitTestBase
 final URL resource = 
SimpleLDAPAuthenticationManagerTest.class.getClassLoader().getResource(LOGIN_CONFIG);
 LOGGER.debug("JAAS config:" + resource);
 assertNotNull(resource);
-
SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.auth.login.config", 
resource.getPath());
+
SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.auth.login.config", 
URLDecoder.decode(resource.getPath(), CharEncoding.UTF_8));
 SYSTEM_PROPERTY_SETTER.setSystemProperty("sun.security.krb5.debug", 
"true");
 }
 
diff --git 
a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SpnegoAuthenticatorTest.java
 
b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SpnegoAuthenticatorTest.java
index 5b34736..d3f8342 100644
--- 
a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SpnegoAuthenticatorTest.java
+++ 
b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SpnegoAuthenticatorTest.java
@@ -19,6 +19,7 @@
 
 package org.apache.qpid.server.security.auth.manager;
 
+import static org.apache.commons.codec.CharEncoding.UTF_8;
 import static org.hamcrest.Matchers.not;
 import static 

[qpid-dispatch] branch master updated: NO-JIRA - Added tests to make sure you can specify env: and literal: prefixes in the password file

2019-10-02 Thread gmurthy
This is an automated email from the ASF dual-hosted git repository.

gmurthy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git


The following commit(s) were added to refs/heads/master by this push:
 new 38c1ec6  NO-JIRA - Added tests to make sure you can specify env: and 
literal: prefixes in the password file
38c1ec6 is described below

commit 38c1ec6d4b02964f02439aa46cda85f54aaec085
Author: Ganesh Murthy 
AuthorDate: Wed Oct 2 13:29:01 2019 -0400

NO-JIRA - Added tests to make sure you can specify env: and literal: 
prefixes in the password file
---
 pom.xml  | 2 ++
 tests/ssl_certs/server-password-file-env.txt | 1 +
 tests/ssl_certs/server-password-file-literal.txt | 1 +
 tests/system_tests_user_id.py| 6 --
 4 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/pom.xml b/pom.xml
index 74d7bf8..c5c74a6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -107,6 +107,8 @@
  **/sasl-password-file.txt
   **/server-password-file.txt
   **/server-password-file-bad.txt
+ **/server-password-file-env.txt
+ **/server-password-file-literal.txt
   **/client-password-file.txt
   **/*.pkcs12
   **/.idea/** 
diff --git a/tests/ssl_certs/server-password-file-env.txt 
b/tests/ssl_certs/server-password-file-env.txt
new file mode 100644
index 000..b2520d5
--- /dev/null
+++ b/tests/ssl_certs/server-password-file-env.txt
@@ -0,0 +1 @@
+env:TLS_SERVER_PASSWORD
diff --git a/tests/ssl_certs/server-password-file-literal.txt 
b/tests/ssl_certs/server-password-file-literal.txt
new file mode 100644
index 000..9d40817
--- /dev/null
+++ b/tests/ssl_certs/server-password-file-literal.txt
@@ -0,0 +1 @@
+literal:server-password
diff --git a/tests/system_tests_user_id.py b/tests/system_tests_user_id.py
index 827cd0f..73a389c 100644
--- a/tests/system_tests_user_id.py
+++ b/tests/system_tests_user_id.py
@@ -38,6 +38,8 @@ class QdSSLUseridTest(TestCase):
 def setUpClass(cls):
 super(QdSSLUseridTest, cls).setUpClass()
 
+os.environ["TLS_SERVER_PASSWORD"] = "server-password"
+
 ssl_profile1_json = os.path.join(DIR, 'displayname_files', 
'profile_names1.json')
 ssl_profile2_json = os.path.join(DIR, 'displayname_files', 
'profile_names2.json')
 
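Review bot: `os.environ["TLS_SERVER_PASSWORD"] = "server-password"` in `setUpClass` changes the environment of the whole test process, and nothing in the visible hunks removes it again. The value therefore stays set for every test class that runs afterwards and is inherited by any child process they start. I would undo it in `tearDownClass` (not visible here, so it may need to be added) with `os.environ.pop("TLS_SERVER_PASSWORD", None)`, and add a comment at the assignment such as `# read by server-password-file-env.txt through the env: prefix`. `setUpClass` continues outside the hunk.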
@@ -123,7 +125,7 @@ class QdSSLUseridTest(TestCase):
  'privateKeyFile': 
cls.ssl_file('server-private-key.pem'),
  'uidFormat': '1x',
  'uidNameMappingFile': ssl_profile2_json,
- 'password': 'server-password'}),
+ 'passwordFile': 
cls.ssl_file('server-password-file-literal.txt')}),
 
 # All components in the uidFormat are unrecognized, 
pn_get_transport_user will be returned
 ('sslProfile', {'name': 'server-ssl11',
@@ -131,7 +133,7 @@ class QdSSLUseridTest(TestCase):
  'certFile': 
cls.ssl_file('server-certificate.pem'),
  'privateKeyFile': 
cls.ssl_file('server-private-key.pem'),
  'uidFormat': 'abxd',
- 'password': 'server-password'}),
+ 'passwordFile': 
cls.ssl_file('server-password-file-env.txt')}),
 
 ('sslProfile', {'name': 'server-ssl12',
  'caCertFile': cls.ssl_file('ca-certificate.pem'),





[qpid-broker-j] branch 7.1.x updated: QPID-8357: [Broker-J][AMQP 1.0][Sole connection] Broker should set open property 'sole-connection-eforcement-policy' when 'close-existing' eforcement policy is re

2019-10-02 Thread orudyy
This is an automated email from the ASF dual-hosted git repository.

orudyy pushed a commit to branch 7.1.x
in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git


The following commit(s) were added to refs/heads/7.1.x by this push:
 new 5589cd1  QPID-8357: [Broker-J][AMQP 1.0][Sole connection] Broker 
should set open property 'sole-connection-eforcement-policy' when 
'close-existing' eforcement policy is requested
5589cd1 is described below

commit 5589cd139515fbb1e3a73911c30e3ea235c7b3a6
Author: Alex Rudyy 
AuthorDate: Mon Aug 19 14:22:58 2019 +0100

QPID-8357: [Broker-J][AMQP 1.0][Sole connection] Broker should set open 
property 'sole-connection-eforcement-policy' when 'close-existing' eforcement 
policy is requested

(cherry picked from commit c4fae61eb8d89c9b20122e75691307ce82a8aaeb)
---
 .../org/apache/qpid/server/protocol/v1_0/AMQPConnection_1_0Impl.java | 5 +
 1 file changed, 5 insertions(+)

diff --git 
a/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/AMQPConnection_1_0Impl.java
 
b/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/AMQPConnection_1_0Impl.java
index bcb273d..0814382 100644
--- 
a/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/AMQPConnection_1_0Impl.java
+++ 
b/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/AMQPConnection_1_0Impl.java
@@ -1730,6 +1730,11 @@ public class AMQPConnection_1_0Impl extends 
AbstractAMQPConnection

[qpid-dispatch] branch master updated: DISPATCH-1434 - Added new attribute saslPasswordFile to the connector entity. saslPassword entity has been deprecated. This closes #578.

2019-10-02 Thread gmurthy
This is an automated email from the ASF dual-hosted git repository.

gmurthy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git


The following commit(s) were added to refs/heads/master by this push:
 new a97dea9  DISPATCH-1434 - Added new attribute saslPasswordFile to the 
connector entity. saslPassword entity has been deprecated. This closes #578.
a97dea9 is described below

commit a97dea9aace6142d58f70caf66710386dc3e1156
Author: Ganesh Murthy 
AuthorDate: Tue Oct 1 16:34:38 2019 -0400

DISPATCH-1434 - Added new attribute saslPasswordFile to the connector 
entity. saslPassword entity has been deprecated. This closes #578.
---
 docs/books/user-guide/configuration-reference.adoc |  2 +-
 docs/books/user-guide/configuration-security.adoc  |  4 +-
 ...ing-using-username-password-authentication.adoc |  2 +-
 include/qpid/dispatch/server.h |  7 ++
 pom.xml|  1 +
 python/qpid_dispatch/management/qdrouter.json  |  9 ++-
 src/connection_manager.c   | 75 ++
 tests/sasl_password/sasl-password-file.txt |  1 +
 tests/system_tests_sasl_plain.py   | 11 +++-
 9 files changed, 77 insertions(+), 35 deletions(-)

diff --git a/docs/books/user-guide/configuration-reference.adoc 
b/docs/books/user-guide/configuration-reference.adoc
index c25cd2c..d3077cb 100644
--- a/docs/books/user-guide/configuration-reference.adoc
+++ b/docs/books/user-guide/configuration-reference.adoc
@@ -144,7 +144,7 @@ Establishes an outgoing connection from the router.
 * *_linkCapacity_* (integer) : The capacity of links within this connection, 
in terms of message deliveries. The capacity is the number of messages that can 
be in-flight concurrently for each link.
 * *_verifyHostname_* (boolean, default=True) : yes: Ensures that when 
initiating a connection (as a client) the hostname in the URL to which this 
connector connects to matches the hostname in the digital certificate that the 
peer sends back as part of the SSL/TLS connection; no: Does not perform 
hostname verification
 * *_saslUsername_* (string) : The username that the connector is using to 
connect to a peer.
-* *_saslPassword_* (string) : The password that the connector is using to 
connect to a peer.
+* *_saslPasswordFile_* (string) : The absolute path to the file that contains 
the password that the connector uses to connect to a peer.
 * *_sslProfile_* (string) : The name of the _sslProfile_ entity to use in 
order to have SSL/TLS configuration.
 
 [id='router-configuration-file-log']
diff --git a/docs/books/user-guide/configuration-security.adoc 
b/docs/books/user-guide/configuration-security.adoc
index d0e4018..b4c97a2 100644
--- a/docs/books/user-guide/configuration-security.adoc
+++ b/docs/books/user-guide/configuration-security.adoc
@@ -370,7 +370,7 @@ connector {
 ...
 saslMechanisms: _MECHANISMS_
 saslUsername: _USERNAME_
-saslPassword: _PASSWORD_
+saslPasswordFile: _ABSOLUTE PATH_
 }
 
 
@@ -378,7 +378,7 @@ connector {
 +
 For a full list of supported Cyrus SASL authentication mechanisms, see 
link:https://www.cyrusimap.org/sasl/sasl/authentication_mechanisms.html[Authentication
 Mechanisms^].
 `saslUsername`:: If any of the SASL mechanisms uses username/password 
authentication, then provide the username to connect to the external container.
-`saslPassword`:: If any of the SASL mechanisms uses username/password 
authentication, then provide the password to connect to the external container.
+`saslPasswordFile`:: If any of the SASL mechanisms uses username/password 
authentication, then provide the absolute path to the file that contains the 
password to connect to the external container.
 --
 
 [id='integrating-with-kerberos']
diff --git 
a/docs/books/user-guide/modules/connecting-using-username-password-authentication.adoc
 
b/docs/books/user-guide/modules/connecting-using-username-password-authentication.adoc
index cf3f254..f5b40a7 100644
--- 
a/docs/books/user-guide/modules/connecting-using-username-password-authentication.adoc
+++ 
b/docs/books/user-guide/modules/connecting-using-username-password-authentication.adoc
@@ -52,7 +52,7 @@ connector {
 role: route-container
 saslMechanisms: PLAIN
 saslUsername: user
-saslPassword: password
+saslPasswordFile: /path/to/file/passwd.txt
 }
 
 --
diff --git a/include/qpid/dispatch/server.h b/include/qpid/dispatch/server.h
index 043baa5..992ded6 100644
--- a/include/qpid/dispatch/server.h
+++ b/include/qpid/dispatch/server.h
@@ -205,8 +205,15 @@ typedef struct qd_server_config_t {
 char *sasl_username;
 
 /**
+ * The full path of the file that contains the sasl password. Use this 
instead of sasl_password.
+ */
+char *sasl_password_file;
+
+/**
  * If appropriate for the mechanism, the password for authentication
  * (connector only)
+ *
+ * 

[qpid-broker-j] branch master updated: QPID-8361: [Broker-J] Update TOC

2019-10-02 Thread orudyy
This is an automated email from the ASF dual-hosted git repository.

orudyy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git


The following commit(s) were added to refs/heads/master by this push:
 new a5453d5  QPID-8361: [Broker-J] Update TOC
a5453d5 is described below

commit a5453d5b05a0c4fdb12da36410917145e518ef30
Author: Alex Rudyy 
AuthorDate: Wed Oct 2 17:12:00 2019 +0100

QPID-8361: [Broker-J] Update TOC
---
 doc/developer-guide/src/main/markdown/architecture.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/developer-guide/src/main/markdown/architecture.md 
b/doc/developer-guide/src/main/markdown/architecture.md
index a71a5c7..b87a4be 100644
--- a/doc/developer-guide/src/main/markdown/architecture.md
+++ b/doc/developer-guide/src/main/markdown/architecture.md
@@ -34,6 +34,7 @@ This article provides a high level description of the 
architecture of Qpid Broke
   * [HTTP management](#http-management)
 - [Pluggable Architecture](#pluggable-architecture)
 - [Logging](#logging)
+- [ACL](#acl)
 
 
 





[qpid-broker-j] branch master updated: QPID-8361: [Broker-J] Add description for ACL model

2019-10-02 Thread orudyy
This is an automated email from the ASF dual-hosted git repository.

orudyy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git


The following commit(s) were added to refs/heads/master by this push:
 new fb0d8b9  QPID-8361: [Broker-J] Add description for ACL model
fb0d8b9 is described below

commit fb0d8b9b7981a890d31e037e9f3157b11ef44c2f
Author: Alex Rudyy 
AuthorDate: Wed Oct 2 16:59:37 2019 +0100

QPID-8361: [Broker-J] Add description for ACL model
---
 .../src/main/markdown/architecture.md  |  56 +
 .../src/main/markdown/images/acl-legacy.gliffy |   1 +
 .../src/main/markdown/images/acl-legacy.png| Bin 0 -> 112592 bytes
 .../src/main/markdown/images/acl.gliffy|   1 +
 .../src/main/markdown/images/acl.png   | Bin 0 -> 114058 bytes
 5 files changed, 58 insertions(+)

diff --git a/doc/developer-guide/src/main/markdown/architecture.md 
b/doc/developer-guide/src/main/markdown/architecture.md
index 8c8f0db..a71a5c7 100644
--- a/doc/developer-guide/src/main/markdown/architecture.md
+++ b/doc/developer-guide/src/main/markdown/architecture.md
@@ -599,3 +599,59 @@ Both `Broker` and `VirtualHost` support the following 
inclusion rules
container id and remote connection address
 
 All existing logback-based Logger implementations (for both `Broker` and 
`VirtualHost`) extend `AbstractLogger`.
+
+## ACL
+
+Authorization of operations performed by users is implemented in special 
`AccessControl` objects.
+The authorization check for user operation can result in the following 
outcomes:
+ * `ALLOWED`
+ * `DENIED`
+ * `DEFERRED`
+
+The `DEFERRED` outcome means that `AccessControl` cannot `ALLOW` or `DENY` the 
operation and the check needs to be
+delegated to another `AccessControl`.
+
+The authorization checks are implemented for the operations of following types
+
+ * `CREATE` when any type of `ConfiguredObject` is created
+ * `UPDATE` when instance of `ConfiguredObject` is updated
+ * `DELETE` when instance of `ConfiguredObject` is deleted
+ * `READ` when attribute values of `ConfiguredObject` needs to be accessed
+ * `DISCOVER` when `ConfiguredObject` metadata (like `ConfiguredObject` 
hierarchy, supported attributes,
+supported operations, etc) needs to be accessed
+ * `INVOKE_METHOD` when a method on `ConfiguredObject` needs to be executed
+ * `PERFORM_ACTION` used to check required permissions for the following 
actions:
+* "connect" when new messaging connection is established
+* "publish" when message is published
+* "manage"  when user access management interfaces
+
+The `AccessControl` objects lives on `Broker` or `VirtualHost` levels. The 
`VirtualHost` `AccessControl` can defer
+authorization check to `Broker` `AccessControl`.
+
+The following methods are defined in `AccessControl` interface to perform the 
authorization checks
+
+ * ``Result authorise(T token, Operation operation, PermissionedObject 
configuredObject)``
+ * ``Result authorise(T token, Operation operation, PermissionedObject 
configuredObject, Map arguments)``
+
+Special object of type `SecurityToken` can be passed into `authorize` methods. 
For example, "publish"
+authorization check leverages `SecurityToken` for caching purposes. The 
results of "publish" authorization check are kept
+in token and utilized on the following check for performance optimization.
+
+The class diagram below illustrates the authorization model.
+
+![ACL](images/acl.png)
+
+
+The ACL rules can be defined by end-users in special `ConfiguredObjects` of 
type `AccessControlProvider`.
+The rules are defined in terms of legacy `LegacyAccessControl` model. When 
authorization check is performed the entities
+of new ACL models are converted into legacy ACL entities.
+
+The class diagram below illustrates legacy ACL model.
+
+![Legacy ACL](images/acl-legacy.png)
+
+The legacy ACL model defines a number of `LegacyOperations`, `ObjectTypes` and 
`Properties` . The ACL rules are written
+using legacy ACL concepts.
+
+The User Documentation illustrates how those rules can be defined. The links 
to Qpid Broker-J documentation are available
+under [Qpid Broker-J Component 
page](http://qpid.apache.org/components/broker-j/index.html)
diff --git a/doc/developer-guide/src/main/markdown/images/acl-legacy.gliffy 
b/doc/developer-guide/src/main/markdown/images/acl-legacy.gliffy
new file mode 100644
index 000..73075ec
--- /dev/null
+++ b/doc/developer-guide/src/main/markdown/images/acl-legacy.gliffy
@@ -0,0 +1 @@

[qpid-broker-j] branch 7.1.x updated: QPID-8366: [Broker-J] Handle ConnectionScopeRuntimeException on execution of HouseKeepingTaks

2019-10-02 Thread orudyy
This is an automated email from the ASF dual-hosted git repository.

orudyy pushed a commit to branch 7.1.x
in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git


The following commit(s) were added to refs/heads/7.1.x by this push:
 new c3d0590  QPID-8366: [Broker-J] Handle ConnectionScopeRuntimeException 
on execution of HouseKeepingTaks
c3d0590 is described below

commit c3d0590b7687c19958da8ef963531104f801b904
Author: Alex Rudyy 
AuthorDate: Tue Oct 1 21:51:33 2019 +0100

QPID-8366: [Broker-J] Handle ConnectionScopeRuntimeException on execution 
of HouseKeepingTaks

(cherry picked from commit 98261ad92020c11784a3be2ab890cbabddec5fbc)
---
 .../store/berkeleydb/AbstractBDBMessageStore.java  | 27 +---
 .../qpid/server/virtualhost/HouseKeepingTask.java  | 14 +-
 .../server/virtualhost/HouseKeepingTaskTest.java   | 51 ++
 .../protocol/v0_8/AMQPConnection_0_8Impl.java  |  2 +-
 4 files changed, 85 insertions(+), 9 deletions(-)

diff --git 
a/bdbstore/src/main/java/org/apache/qpid/server/store/berkeleydb/AbstractBDBMessageStore.java
 
b/bdbstore/src/main/java/org/apache/qpid/server/store/berkeleydb/AbstractBDBMessageStore.java
index b48cd54..05733ad 100644
--- 
a/bdbstore/src/main/java/org/apache/qpid/server/store/berkeleydb/AbstractBDBMessageStore.java
+++ 
b/bdbstore/src/main/java/org/apache/qpid/server/store/berkeleydb/AbstractBDBMessageStore.java
@@ -382,7 +382,10 @@ public abstract class AbstractBDBMessageStore implements 
MessageStore
 }
 catch (RuntimeException e)
 {
-getLogger().error("Unexpected BDB exception", e);
+if (getLogger().isDebugEnabled())
+{
+getLogger().debug("Unexpected BDB exception", e);
+}
 
 try
 {
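Review bot: The "Unexpected BDB exception" failure in this catch block is now recorded only when debug logging is enabled, and unlike the later hunks in this file no rethrow through `handleDatabaseException` is visible here. The catch block continues into a `try` that runs past the end of the hunk, so what happens to the exception afterwards cannot be seen. If that remaining code does not propagate or log it, a store failure would leave no trace at the default log level, which makes incident diagnosis harder. I would confirm the rethrow exists, or keep a one-line record without the stack trace, e.g. `getLogger().warn("Unexpected BDB exception: {}", e.getMessage());`.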
@@ -630,7 +633,10 @@ public abstract class AbstractBDBMessageStore implements 
MessageStore
 }
 catch (RuntimeException e)
 {
-getLogger().error("Failed to enqueue: {}", e.getMessage(), e);
+if (getLogger().isDebugEnabled())
+{
+getLogger().debug("Failed to enqueue: {}", e.getMessage(), e);
+}
 throw getEnvironmentFacade().handleDatabaseException("Error 
writing enqueued message with id "
  + messageId
  + " for queue 
"
@@ -679,8 +685,10 @@ public abstract class AbstractBDBMessageStore implements 
MessageStore
 }
 catch (RuntimeException e)
 {
-
-getLogger().error("Failed to dequeue message " + messageId + " in 
transaction " + tx, e);
+if (getLogger().isDebugEnabled())
+{
+getLogger().debug("Failed to dequeue message {} in transaction 
{}", messageId, tx, e);
+}
 
 throw getEnvironmentFacade().handleDatabaseException("Error 
accessing database while dequeuing message: "
  + 
e.getMessage(), e);
@@ -718,7 +726,10 @@ public abstract class AbstractBDBMessageStore implements 
MessageStore
 }
 catch (RuntimeException e)
 {
-getLogger().error("Failed to write xid: " + e.getMessage(), e);
+if (getLogger().isDebugEnabled())
+{
+getLogger().debug("Failed to write xid: {}", e.getMessage(), 
e);
+}
 throw getEnvironmentFacade().handleDatabaseException("Error 
writing xid to database", e);
 }
 }
@@ -749,8 +760,10 @@ public abstract class AbstractBDBMessageStore implements 
MessageStore
 }
 catch (RuntimeException e)
 {
-
-getLogger().error("Failed to remove xid in transaction " + txn, e);
+if (getLogger().isDebugEnabled())
+{
+getLogger().error("Failed to remove xid in transaction {}", e);
+}
 
 throw getEnvironmentFacade().handleDatabaseException("Error 
accessing database while removing xid: "
  + 
e.getMessage(), e);
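Review bot: The new call in this catch block still uses `error(...)` although it sits inside the `isDebugEnabled()` guard, and it no longer passes `txn`. The message is therefore written at ERROR level only when debug logging is on, and the `{}` placeholder has no transaction to fill it, since the only argument is the exception. The other four catch blocks changed in this file were switched to `debug(...)` with their arguments kept, so this one should read `getLogger().debug("Failed to remove xid in transaction {}", txn, e);`. The enclosing method starts and ends outside the hunk.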
diff --git 
a/broker-core/src/main/java/org/apache/qpid/server/virtualhost/HouseKeepingTask.java
 
b/broker-core/src/main/java/org/apache/qpid/server/virtualhost/HouseKeepingTask.java
index 28ea3c7..f55404b 100644
--- 
a/broker-core/src/main/java/org/apache/qpid/server/virtualhost/HouseKeepingTask.java
+++ 
b/broker-core/src/main/java/org/apache/qpid/server/virtualhost/HouseKeepingTask.java
@@ -25,10 +25,15 @@ import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.util.concurrent.ScheduledFuture;
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 import org.apache.qpid.server.model.VirtualHost;
+import org.apache.qpid.server.util.ConnectionScopedRuntimeException;
 
 public abstract class HouseKeepingTask