[qpid-dispatch] branch master updated: DISPATCH-1418: use proper outcome for deliveries to unavailable addresses
This is an automated email from the ASF dual-hosted git repository. kgiusti pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git The following commit(s) were added to refs/heads/master by this push: new fc9c438 DISPATCH-1418: use proper outcome for deliveries to unavailable addresses fc9c438 is described below commit fc9c4380d796656ad964e04bb389d3223d94b1c5 Author: Kenneth Giusti AuthorDate: Wed Oct 2 15:06:23 2019 -0400 DISPATCH-1418: use proper outcome for deliveries to unavailable addresses Use the configured address treatment if available. Otherwise use the router default treatment. This closes #579 --- src/router_core/transfer.c| 74 +++ tests/system_tests_router_mesh.py | 5 ++- 2 files changed, 45 insertions(+), 34 deletions(-) diff --git a/src/router_core/transfer.c b/src/router_core/transfer.c index 17067c4..6ee2624 100644 --- a/src/router_core/transfer.c +++ b/src/router_core/transfer.c 
@@ -477,43 +477,55 @@ static void qdr_link_forward_CT(qdr_core_t *core, qdr_link_t *link, qdr_delivery } link->total_deliveries++; -} -// -// There is no address that we can send this delivery to, which means the addr was not found in our hash table. This -// can be because there were no receivers or because the address was not defined in the config file. -// -else if (core->qd->default_treatment == QD_TREATMENT_UNAVAILABLE) { +} else { // -// If the treatment for these addresses is set to be unavailable, we -// stop trying to forward it. If the link is a locally attached client -// we reject the message if the link is not anonymous as per the -// documentation of the router's defaultTreatment=unavailable. We -// simply release it for other link types as the message did have a -// destination at some point (it was forwarded to this router after -// all) - the loss of the destination may be temporary. +// There is no address that we can send this delivery to, which means +// the addr was not found in our hash table. This can be because there +// were no receivers or because the address was not defined in the +// config file. // -if (link->link_type == QD_LINK_ENDPOINT) { -dlv->error = qdr_error(QD_AMQP_COND_NOT_FOUND, "Deliveries cannot be sent to an unavailable address"); -qdr_delivery_reject_CT(core, dlv); -if (qdr_link_is_anonymous(link)) { -qdr_link_issue_credit_CT(core, link, 1, false); + +qd_address_treatment_t trt = core->qd->default_treatment; +if (dlv->to_addr) { +qdr_address_config_t *ignore = 0; +trt = qdr_treatment_for_address_hash_with_default_CT(core, + dlv->to_addr, + trt, + ); +} + +if (trt == QD_TREATMENT_UNAVAILABLE) { +// +// The treatment for these addresses is set to be unavailable, we +// stop trying to forward it. If the link is a locally attached client +// we reject the message if the link is not anonymous as per the +// documentation of the router's defaultTreatment=unavailable. 
We +// simply release it for other link types as the message did have a +// destination at some point (it was forwarded to this router after +// all) - the loss of the destination may be temporary. +// +if (link->link_type == QD_LINK_ENDPOINT) { +dlv->error = qdr_error(QD_AMQP_COND_NOT_FOUND, "Deliveries cannot be sent to an unavailable address"); +qdr_delivery_reject_CT(core, dlv); +if (qdr_link_is_anonymous(link)) { +qdr_link_issue_credit_CT(core, link, 1, false); +} else { +// cannot forward on this targeted link. withhold credit and drain +qdr_link_issue_credit_CT(core, link, 0, true); +} } else { -// cannot forward on this targeted link. withhold credit and drain -qdr_link_issue_credit_CT(core, link, 0, true); +qdr_delivery_release_CT(core, dlv); +qdr_link_issue_credit_CT(core, link, 1, false); } -} else { -qdr_delivery_release_CT(core, dlv); -qdr_link_issue_credit_CT(core, link, 1, false); +// +// We will not detach this link because this could be anonymous sender. We don't know +// which address the sender will be sending to next +// If this was not an anonymous sender, the initial
[qpid-dispatch] branch master updated: DISPATCH-1431: fix system_tests_one_router multicast test client race
This is an automated email from the ASF dual-hosted git repository. kgiusti pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git The following commit(s) were added to refs/heads/master by this push: new ff971d4 DISPATCH-1431: fix system_tests_one_router multicast test client race ff971d4 is described below commit ff971d416bc20048f0576176b54c36ef7ebcea38 Author: Kenneth Giusti AuthorDate: Wed Oct 2 16:45:06 2019 -0400 DISPATCH-1431: fix system_tests_one_router multicast test client race --- tests/system_tests_one_router.py | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tests/system_tests_one_router.py b/tests/system_tests_one_router.py index ad1ac0d..c3dfa9a 100644 --- a/tests/system_tests_one_router.py +++ b/tests/system_tests_one_router.py @@ -686,6 +686,7 @@ class SemanticsMulticast(MessagingHandler): self.n_received_b = 0 self.n_received_c = 0 self.n_accepts = 0 +self.n_recv_ready = 0 self.timer = None self.conn_1 = None self.conn_2 = None @@ -698,7 +699,6 @@ class SemanticsMulticast(MessagingHandler): self.timer = event.reactor.schedule(TIMEOUT, Timeout(self)) self.conn_1 = event.container.connect(self.address) self.conn_2 = event.container.connect(self.address) -self.sender = event.container.create_sender(self.conn_1, self.dest) self.receiver_a = event.container.create_receiver(self.conn_2, self.dest, name="A") self.receiver_b = event.container.create_receiver(self.conn_1, self.dest, name="B") self.receiver_c = event.container.create_receiver(self.conn_2, self.dest, name="C") 
@@ -720,6 +720,12 @@ class SemanticsMulticast(MessagingHandler): self.conn_1.close() self.conn_2.close() +def on_link_opened(self, event): +if event.receiver: +self.n_recv_ready += 1 +if self.n_recv_ready == self.count: +self.sender = event.container.create_sender(self.conn_1, self.dest) + def on_sendable(self, event): if self.n_sent == 0: msg = Message(body="SemanticsMulticast-Test") - To unsubscribe, e-mail: commits-unsubscr...@qpid.apache.org For additional commands, e-mail: commits-h...@qpid.apache.org
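Review bot: In `on_link_opened`, the gate `self.n_recv_ready == self.count` uses `self.count` as the number of receivers, while the three receivers (A, B, C) are created a few lines above in `on_start`. `self.count` is defined outside the hunks; if it is also the message count, the two values only match by coincidence. A dedicated attribute, or a comment such as `# sender is created only after all three receivers (A, B, C) are attached`, would make the dependency explicit. `self.sender` is also no longer assigned in `on_start`, so any path that touches it before the third receiver opens (a timeout handler, for instance) needs it initialised to `None` in `__init__`; that part of the class is not visible here.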
[qpid-broker-j] branch 7.1.x updated: QPID-8364: [Broker-J] Fix tests
This is an automated email from the ASF dual-hosted git repository. orudyy pushed a commit to branch 7.1.x in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git The following commit(s) were added to refs/heads/7.1.x by this push: new 748ec68 QPID-8364: [Broker-J] Fix tests 748ec68 is described below commit 748ec6880feb2f25242586332937e299aee0f485 Author: Alex Rudyy AuthorDate: Wed Oct 2 18:35:54 2019 +0100 QPID-8364: [Broker-J] Fix tests (cherry picked from commit 19ad881bf2297742ac5aff7a1538277464550df0) --- .../security/auth/manager/KerberosAuthenticationManagerTest.java | 4 +++- .../security/auth/manager/SimpleLDAPAuthenticationManagerTest.java| 4 +++- .../qpid/server/security/auth/manager/SpnegoAuthenticatorTest.java| 4 +++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManagerTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManagerTest.java index 4fb6293..e24d56c 100644 --- a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManagerTest.java +++ b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManagerTest.java @@ -19,6 +19,7 @@ package org.apache.qpid.server.security.auth.manager; +import static org.apache.commons.codec.CharEncoding.UTF_8; import static org.apache.qpid.server.security.auth.manager.KerberosAuthenticationManager.GSSAPI_MECHANISM; import static org.hamcrest.Matchers.not; import static org.junit.Assert.assertEquals; @@ -30,6 +31,7 @@ import static org.mockito.Mockito.when; import java.io.File; import java.net.URL; +import java.net.URLDecoder; import java.security.PrivilegedActionException; import java.security.PrivilegedExceptionAction; import java.util.Base64; 
@@ -98,7 +100,7 @@ public class KerberosAuthenticationManagerTest extends UnitTestBase final URL resource = KerberosAuthenticationManagerTest.class.getClassLoader().getResource(LOGIN_CONFIG); LOGGER.debug("JAAS config:" + resource); assertNotNull(resource); - SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.auth.login.config", resource.getPath()); + SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.auth.login.config", URLDecoder.decode(resource.getPath(), UTF_8)); SYSTEM_PROPERTY_SETTER.setSystemProperty("javax.security.auth.useSubjectCredsOnly", "false"); } diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerTest.java index b5dd2a1..590f076 100644 --- a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerTest.java +++ b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerTest.java @@ -32,6 +32,7 @@ import java.io.File; import java.io.IOException; import java.net.InetSocketAddress; import java.net.URL; +import java.net.URLDecoder; import java.nio.file.FileSystems; import java.nio.file.Path; import java.security.Principal; @@ -48,6 +49,7 @@ import java.util.concurrent.atomic.AtomicBoolean; import javax.security.auth.Subject; import javax.security.auth.kerberos.KerberosPrincipal; +import org.apache.commons.codec.CharEncoding; import org.apache.directory.api.ldap.model.constants.SupportedSaslMechanisms; import org.apache.directory.api.ldap.model.entry.DefaultEntry; import org.apache.directory.api.ldap.model.entry.Entry; 
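Review bot: `URLDecoder.decode(resource.getPath(), UTF_8)` applies form-decoding rules rather than URI rules, so a `+` in the checkout path becomes a space and the JAAS login config property then points at the wrong location. Converting through the URI avoids that: `new File(resource.toURI()).getPath()`. `java.io.File` is already imported, but `toURI()` throws the checked `URISyntaxException`, so the enclosing method, whose signature is outside the hunk, has to declare or handle it. The same call is added in the SimpleLDAPAuthenticationManagerTest hunk at `-398,7` and in the master-branch copy of this commit further down the page. The two files also reference the charset constant differently (static `UTF_8` here, `CharEncoding.UTF_8` there); one form would be easier to follow.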
@@ -398,7 +400,7 @@ public class SimpleLDAPAuthenticationManagerTest extends UnitTestBase final URL resource = SimpleLDAPAuthenticationManagerTest.class.getClassLoader().getResource(LOGIN_CONFIG); LOGGER.debug("JAAS config:" + resource); assertNotNull(resource); - SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.auth.login.config", resource.getPath()); + SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.auth.login.config", URLDecoder.decode(resource.getPath(), CharEncoding.UTF_8)); SYSTEM_PROPERTY_SETTER.setSystemProperty("sun.security.krb5.debug", "true"); } diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SpnegoAuthenticatorTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SpnegoAuthenticatorTest.java index 5b34736..d3f8342 100644 --- a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SpnegoAuthenticatorTest.java +++ b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SpnegoAuthenticatorTest.java @@ -19,6 +19,7 @@ package org.apache.qpid.server.security.auth.manager; +import static org.apache.commons.codec.CharEncoding.UTF_8;
[qpid-broker-j] branch master updated: QPID-8364: [Broker-J] Fix tests
This is an automated email from the ASF dual-hosted git repository. orudyy pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git The following commit(s) were added to refs/heads/master by this push: new 19ad881 QPID-8364: [Broker-J] Fix tests 19ad881 is described below commit 19ad881bf2297742ac5aff7a1538277464550df0 Author: Alex Rudyy AuthorDate: Wed Oct 2 18:35:54 2019 +0100 QPID-8364: [Broker-J] Fix tests --- .../security/auth/manager/KerberosAuthenticationManagerTest.java | 4 +++- .../security/auth/manager/SimpleLDAPAuthenticationManagerTest.java| 4 +++- .../qpid/server/security/auth/manager/SpnegoAuthenticatorTest.java| 4 +++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManagerTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManagerTest.java index 4fb6293..e24d56c 100644 --- a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManagerTest.java +++ b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManagerTest.java @@ -19,6 +19,7 @@ package org.apache.qpid.server.security.auth.manager; +import static org.apache.commons.codec.CharEncoding.UTF_8; import static org.apache.qpid.server.security.auth.manager.KerberosAuthenticationManager.GSSAPI_MECHANISM; import static org.hamcrest.Matchers.not; import static org.junit.Assert.assertEquals; @@ -30,6 +31,7 @@ import static org.mockito.Mockito.when; import java.io.File; import java.net.URL; +import java.net.URLDecoder; import java.security.PrivilegedActionException; import java.security.PrivilegedExceptionAction; import java.util.Base64; 
@@ -98,7 +100,7 @@ public class KerberosAuthenticationManagerTest extends UnitTestBase final URL resource = KerberosAuthenticationManagerTest.class.getClassLoader().getResource(LOGIN_CONFIG); LOGGER.debug("JAAS config:" + resource); assertNotNull(resource); - SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.auth.login.config", resource.getPath()); + SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.auth.login.config", URLDecoder.decode(resource.getPath(), UTF_8)); SYSTEM_PROPERTY_SETTER.setSystemProperty("javax.security.auth.useSubjectCredsOnly", "false"); } diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerTest.java index b5dd2a1..590f076 100644 --- a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerTest.java +++ b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerTest.java @@ -32,6 +32,7 @@ import java.io.File; import java.io.IOException; import java.net.InetSocketAddress; import java.net.URL; +import java.net.URLDecoder; import java.nio.file.FileSystems; import java.nio.file.Path; import java.security.Principal; @@ -48,6 +49,7 @@ import java.util.concurrent.atomic.AtomicBoolean; import javax.security.auth.Subject; import javax.security.auth.kerberos.KerberosPrincipal; +import org.apache.commons.codec.CharEncoding; import org.apache.directory.api.ldap.model.constants.SupportedSaslMechanisms; import org.apache.directory.api.ldap.model.entry.DefaultEntry; import org.apache.directory.api.ldap.model.entry.Entry; 
@@ -398,7 +400,7 @@ public class SimpleLDAPAuthenticationManagerTest extends UnitTestBase final URL resource = SimpleLDAPAuthenticationManagerTest.class.getClassLoader().getResource(LOGIN_CONFIG); LOGGER.debug("JAAS config:" + resource); assertNotNull(resource); - SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.auth.login.config", resource.getPath()); + SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.auth.login.config", URLDecoder.decode(resource.getPath(), CharEncoding.UTF_8)); SYSTEM_PROPERTY_SETTER.setSystemProperty("sun.security.krb5.debug", "true"); } diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SpnegoAuthenticatorTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SpnegoAuthenticatorTest.java index 5b34736..d3f8342 100644 --- a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SpnegoAuthenticatorTest.java +++ b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SpnegoAuthenticatorTest.java @@ -19,6 +19,7 @@ package org.apache.qpid.server.security.auth.manager; +import static org.apache.commons.codec.CharEncoding.UTF_8; import static org.hamcrest.Matchers.not; import static
[qpid-dispatch] branch master updated: NO-JIRA - Added tests to make sure you can specify env: and literal: prefixes in the password file
This is an automated email from the ASF dual-hosted git repository. gmurthy pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git The following commit(s) were added to refs/heads/master by this push: new 38c1ec6 NO-JIRA - Added tests to make sure you can specify env: and literal: prefixes in the password file 38c1ec6 is described below commit 38c1ec6d4b02964f02439aa46cda85f54aaec085 Author: Ganesh Murthy AuthorDate: Wed Oct 2 13:29:01 2019 -0400 NO-JIRA - Added tests to make sure you can specify env: and literal: prefixes in the password file --- pom.xml | 2 ++ tests/ssl_certs/server-password-file-env.txt | 1 + tests/ssl_certs/server-password-file-literal.txt | 1 + tests/system_tests_user_id.py| 6 -- 4 files changed, 8 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 74d7bf8..c5c74a6 100644 --- a/pom.xml +++ b/pom.xml @@ -107,6 +107,8 @@ **/sasl-password-file.txt **/server-password-file.txt **/server-password-file-bad.txt + **/server-password-file-env.txt + **/server-password-file-literal.txt **/client-password-file.txt **/*.pkcs12 **/.idea/** diff --git a/tests/ssl_certs/server-password-file-env.txt b/tests/ssl_certs/server-password-file-env.txt new file mode 100644 index 000..b2520d5 --- /dev/null +++ b/tests/ssl_certs/server-password-file-env.txt @@ -0,0 +1 @@ +env:TLS_SERVER_PASSWORD diff --git a/tests/ssl_certs/server-password-file-literal.txt b/tests/ssl_certs/server-password-file-literal.txt new file mode 100644 index 000..9d40817 --- /dev/null +++ b/tests/ssl_certs/server-password-file-literal.txt @@ -0,0 +1 @@ +literal:server-password diff --git a/tests/system_tests_user_id.py b/tests/system_tests_user_id.py index 827cd0f..73a389c 100644 --- a/tests/system_tests_user_id.py +++ b/tests/system_tests_user_id.py 
@@ -38,6 +38,8 @@ class QdSSLUseridTest(TestCase): def setUpClass(cls): super(QdSSLUseridTest, cls).setUpClass() +os.environ["TLS_SERVER_PASSWORD"] = "server-password" + ssl_profile1_json = os.path.join(DIR, 'displayname_files', 'profile_names1.json') ssl_profile2_json = os.path.join(DIR, 'displayname_files', 'profile_names2.json') @@ -123,7 +125,7 @@ class QdSSLUseridTest(TestCase): 'privateKeyFile': cls.ssl_file('server-private-key.pem'), 'uidFormat': '1x', 'uidNameMappingFile': ssl_profile2_json, - 'password': 'server-password'}), + 'passwordFile': cls.ssl_file('server-password-file-literal.txt')}), # All components in the uidFormat are unrecognized, pn_get_transport_user will be returned ('sslProfile', {'name': 'server-ssl11', @@ -131,7 +133,7 @@ class QdSSLUseridTest(TestCase): 'certFile': cls.ssl_file('server-certificate.pem'), 'privateKeyFile': cls.ssl_file('server-private-key.pem'), 'uidFormat': 'abxd', - 'password': 'server-password'}), + 'passwordFile': cls.ssl_file('server-password-file-env.txt')}), ('sslProfile', {'name': 'server-ssl12', 'caCertFile': cls.ssl_file('ca-certificate.pem'), - To unsubscribe, e-mail: commits-unsubscr...@qpid.apache.org For additional commands, e-mail: commits-h...@qpid.apache.org
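Review bot: `os.environ["TLS_SERVER_PASSWORD"] = "server-password"` in `setUpClass` changes the environment of the whole test process and is not undone in any visible hunk. The value therefore stays set for every later test class and is inherited by any child process started afterwards. If the class has no matching cleanup outside the hunk, add one in `tearDownClass`: `os.environ.pop("TLS_SERVER_PASSWORD", None)`. A short comment next to the assignment, e.g. `# read by server-password-file-env.txt via the env: prefix`, would also tie the variable to the fixture that consumes it.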
[qpid-broker-j] branch 7.1.x updated: QPID-8357: [Broker-J][AMQP 1.0][Sole connection] Broker should set open property 'sole-connection-eforcement-policy' when 'close-existing' eforcement policy is re
This is an automated email from the ASF dual-hosted git repository. orudyy pushed a commit to branch 7.1.x in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git The following commit(s) were added to refs/heads/7.1.x by this push: new 5589cd1 QPID-8357: [Broker-J][AMQP 1.0][Sole connection] Broker should set open property 'sole-connection-eforcement-policy' when 'close-existing' eforcement policy is requested 5589cd1 is described below commit 5589cd139515fbb1e3a73911c30e3ea235c7b3a6 Author: Alex Rudyy AuthorDate: Mon Aug 19 14:22:58 2019 +0100 QPID-8357: [Broker-J][AMQP 1.0][Sole connection] Broker should set open property 'sole-connection-eforcement-policy' when 'close-existing' eforcement policy is requested (cherry picked from commit c4fae61eb8d89c9b20122e75691307ce82a8aaeb)
---
.../org/apache/qpid/server/protocol/v1_0/AMQPConnection_1_0Impl.java | 5 +
1 file changed, 5 insertions(+)
diff --git a/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/AMQPConnection_1_0Impl.java b/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/AMQPConnection_1_0Impl.java
index bcb273d..0814382 100644
--- a/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/AMQPConnection_1_0Impl.java
+++ b/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/AMQPConnection_1_0Impl.java
@@ -1730,6 +1730,11 @@ public class AMQPConnection_1_0Impl extends AbstractAMQPConnection
[qpid-dispatch] branch master updated: DISPATCH-1434 - Added new attribute saslPasswordFile to the connector entity. saslPassword entity has been deprecated. This closes #578.
This is an automated email from the ASF dual-hosted git repository. gmurthy pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git The following commit(s) were added to refs/heads/master by this push: new a97dea9 DISPATCH-1434 - Added new attribute saslPasswordFile to the connector entity. saslPassword entity has been deprecated. This closes #578. a97dea9 is described below commit a97dea9aace6142d58f70caf66710386dc3e1156 Author: Ganesh Murthy AuthorDate: Tue Oct 1 16:34:38 2019 -0400 DISPATCH-1434 - Added new attribute saslPasswordFile to the connector entity. saslPassword entity has been deprecated. This closes #578. --- docs/books/user-guide/configuration-reference.adoc | 2 +- docs/books/user-guide/configuration-security.adoc | 4 +- ...ing-using-username-password-authentication.adoc | 2 +- include/qpid/dispatch/server.h | 7 ++ pom.xml| 1 + python/qpid_dispatch/management/qdrouter.json | 9 ++- src/connection_manager.c | 75 ++ tests/sasl_password/sasl-password-file.txt | 1 + tests/system_tests_sasl_plain.py | 11 +++- 9 files changed, 77 insertions(+), 35 deletions(-) diff --git a/docs/books/user-guide/configuration-reference.adoc b/docs/books/user-guide/configuration-reference.adoc index c25cd2c..d3077cb 100644 --- a/docs/books/user-guide/configuration-reference.adoc +++ b/docs/books/user-guide/configuration-reference.adoc 
@@ -144,7 +144,7 @@ Establishes an outgoing connection from the router. * *_linkCapacity_* (integer) : The capacity of links within this connection, in terms of message deliveries. The capacity is the number of messages that can be in-flight concurrently for each link. * *_verifyHostname_* (boolean, default=True) : yes: Ensures that when initiating a connection (as a client) the hostname in the URL to which this connector connects to matches the hostname in the digital certificate that the peer sends back as part of the SSL/TLS connection; no: Does not perform hostname verification * *_saslUsername_* (string) : The username that the connector is using to connect to a peer. -* *_saslPassword_* (string) : The password that the connector is using to connect to a peer. +* *_saslPasswordFile_* (string) : The absolute path to the file that contains the password that the connector uses to connect to a peer. * *_sslProfile_* (string) : The name of the _sslProfile_ entity to use in order to have SSL/TLS configuration. [id='router-configuration-file-log'] diff --git a/docs/books/user-guide/configuration-security.adoc b/docs/books/user-guide/configuration-security.adoc index d0e4018..b4c97a2 100644 --- a/docs/books/user-guide/configuration-security.adoc +++ b/docs/books/user-guide/configuration-security.adoc @@ -370,7 +370,7 @@ connector { ... saslMechanisms: _MECHANISMS_ saslUsername: _USERNAME_ -saslPassword: _PASSWORD_ +saslPasswordFile: _ABSOLUTE PATH_ } 
@@ -378,7 +378,7 @@ connector { + For a full list of supported Cyrus SASL authentication mechanisms, see link:https://www.cyrusimap.org/sasl/sasl/authentication_mechanisms.html[Authentication Mechanisms^]. `saslUsername`:: If any of the SASL mechanisms uses username/password authentication, then provide the username to connect to the external container. -`saslPassword`:: If any of the SASL mechanisms uses username/password authentication, then provide the password to connect to the external container. +`saslPasswordFile`:: If any of the SASL mechanisms uses username/password authentication, then provide the absolute path to the file that contains the password to connect to the external container. -- [id='integrating-with-kerberos'] diff --git a/docs/books/user-guide/modules/connecting-using-username-password-authentication.adoc b/docs/books/user-guide/modules/connecting-using-username-password-authentication.adoc index cf3f254..f5b40a7 100644 --- a/docs/books/user-guide/modules/connecting-using-username-password-authentication.adoc +++ b/docs/books/user-guide/modules/connecting-using-username-password-authentication.adoc @@ -52,7 +52,7 @@ connector { role: route-container saslMechanisms: PLAIN saslUsername: user -saslPassword: password +saslPasswordFile: /path/to/file/passwd.txt } -- diff --git a/include/qpid/dispatch/server.h b/include/qpid/dispatch/server.h index 043baa5..992ded6 100644 --- a/include/qpid/dispatch/server.h +++ b/include/qpid/dispatch/server.h @@ -205,8 +205,15 @@ typedef struct qd_server_config_t { char *sasl_username; /** + * The full path of the file that contains the sasl password. Use this instead of sasl_password. + */ +char *sasl_password_file; + +/** * If appropriate for the mechanism, the password for authentication * (connector only) + * + *
[qpid-broker-j] branch master updated: QPID-8361: [Broker-J] Update TOC
This is an automated email from the ASF dual-hosted git repository. orudyy pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git The following commit(s) were added to refs/heads/master by this push: new a5453d5 QPID-8361: [Broker-J] Update TOC a5453d5 is described below commit a5453d5b05a0c4fdb12da36410917145e518ef30 Author: Alex Rudyy AuthorDate: Wed Oct 2 17:12:00 2019 +0100 QPID-8361: [Broker-J] Update TOC --- doc/developer-guide/src/main/markdown/architecture.md | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/developer-guide/src/main/markdown/architecture.md b/doc/developer-guide/src/main/markdown/architecture.md index a71a5c7..b87a4be 100644 --- a/doc/developer-guide/src/main/markdown/architecture.md +++ b/doc/developer-guide/src/main/markdown/architecture.md @@ -34,6 +34,7 @@ This article provides a high level description of the architecture of Qpid Broke * [HTTP management](#http-management) - [Pluggable Architecture](#pluggable-architecture) - [Logging](#logging) +- [ACL](#acl) - To unsubscribe, e-mail: commits-unsubscr...@qpid.apache.org For additional commands, e-mail: commits-h...@qpid.apache.org
[qpid-broker-j] branch master updated: QPID-8361: [Broker-J] Add description for ACL model
This is an automated email from the ASF dual-hosted git repository. orudyy pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git The following commit(s) were added to refs/heads/master by this push: new fb0d8b9 QPID-8361: [Broker-J] Add description for ACL model fb0d8b9 is described below commit fb0d8b9b7981a890d31e037e9f3157b11ef44c2f Author: Alex Rudyy AuthorDate: Wed Oct 2 16:59:37 2019 +0100 QPID-8361: [Broker-J] Add description for ACL model --- .../src/main/markdown/architecture.md | 56 + .../src/main/markdown/images/acl-legacy.gliffy | 1 + .../src/main/markdown/images/acl-legacy.png| Bin 0 -> 112592 bytes .../src/main/markdown/images/acl.gliffy| 1 + .../src/main/markdown/images/acl.png | Bin 0 -> 114058 bytes 5 files changed, 58 insertions(+) diff --git a/doc/developer-guide/src/main/markdown/architecture.md b/doc/developer-guide/src/main/markdown/architecture.md index 8c8f0db..a71a5c7 100644 --- a/doc/developer-guide/src/main/markdown/architecture.md +++ b/doc/developer-guide/src/main/markdown/architecture.md 
@@ -599,3 +599,59 @@ Both `Broker` and `VirtualHost` support the following inclusion rules container id and remote connection address All existing logback-based Logger implementations (for both `Broker` and `VirtualHost`) extend `AbstractLogger`. + +## ACL + +Authorization of operations performed by users is implemented in special `AccessControl` objects. +The authorization check for user operation can result in the following outcomes: + * `ALLOWED` + * `DENIED` + * `DEFERRED` + +The `DEFERRED` outcome means that `AccessControl` cannot `ALLOW` or `DENY` the operation and the check needs to be +delegated to another `AccessControl`. + +The authorization checks are implemented for the operations of following types + + * `CREATE` when any type of `ConfiguredObject` is created + * `UPDATE` when instance of `ConfiguredObject` is updated + * `DELETE` when instance of `ConfiguredObject` is deleted + * `READ` when attribute values of `ConfiguredObject` needs to be accessed + * `DISCOVER` when `ConfiguredObject` metadata (like `ConfiguredObject` hierarchy, supported attributes, +supported operations, etc) needs to be accessed + * `INVOKE_METHOD` when a method on `ConfiguredObject` needs to be executed + * `PERFORM_ACTION` used to check required permissions for the following actions: +* "connect" when new messaging connection is established +* "publish" when message is published +* "manage" when user access management interfaces + +The `AccessControl` objects lives on `Broker` or `VirtualHost` levels. The `VirtualHost` `AccessControl` can defer +authorization check to `Broker` `AccessControl`. + +The following methods are defined in `AccessControl` interface to perform the authorization checks + + * ``Result authorise(T token, Operation operation, PermissionedObject configuredObject)`` + * ``Result authorise(T token, Operation operation, PermissionedObject configuredObject, Map arguments)`` + +Special object of type `SecurityToken` can be passed into `authorize` methods. 
For example, "publish" +authorization check leverages `SecurityToken` for caching purposes. The results of "publish" authorization check are kept +in token and utilized on the following check for performance optimization. + +The class diagram below illustrates the authorization model. + +![ACL](images/acl.png) + + +The ACL rules can be defined by end-users in special `ConfiguredObjects` of type `AccessControlProvider`. +The rules are defined in terms of legacy `LegacyAccessControl` model. When authorization check is performed the entities +of new ACL models are converted into legacy ACL entities. + +The class diagram below illustrates legacy ACL model. + +![Legacy ACL](images/acl-legacy.png) + +The legacy ACL model defines a number of `LegacyOperations`, `ObjectTypes` and `Properties` . The ACL rules are written +using legacy ACL concepts. + +The User Documentation illustrates how those rules can be defined. The links to Qpid Broker-J documentation are available +under [Qpid Broker-J Component page](http://qpid.apache.org/components/broker-j/index.html) diff --git a/doc/developer-guide/src/main/markdown/images/acl-legacy.gliffy b/doc/developer-guide/src/main/markdown/images/acl-legacy.gliffy new file mode 100644 index 000..73075ec --- /dev/null +++ b/doc/developer-guide/src/main/markdown/images/acl-legacy.gliffy @@ -0,0 +1 @@
[qpid-broker-j] branch 7.1.x updated: QPID-8366: [Broker-J] Handle ConnectionScopeRuntimeException on execution of HouseKeepingTaks
This is an automated email from the ASF dual-hosted git repository. orudyy pushed a commit to branch 7.1.x in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git The following commit(s) were added to refs/heads/7.1.x by this push: new c3d0590 QPID-8366: [Broker-J] Handle ConnectionScopeRuntimeException on execution of HouseKeepingTaks c3d0590 is described below commit c3d0590b7687c19958da8ef963531104f801b904 Author: Alex Rudyy AuthorDate: Tue Oct 1 21:51:33 2019 +0100 QPID-8366: [Broker-J] Handle ConnectionScopeRuntimeException on execution of HouseKeepingTaks (cherry picked from commit 98261ad92020c11784a3be2ab890cbabddec5fbc) --- .../store/berkeleydb/AbstractBDBMessageStore.java | 27 +--- .../qpid/server/virtualhost/HouseKeepingTask.java | 14 +- .../server/virtualhost/HouseKeepingTaskTest.java | 51 ++ .../protocol/v0_8/AMQPConnection_0_8Impl.java | 2 +- 4 files changed, 85 insertions(+), 9 deletions(-) diff --git a/bdbstore/src/main/java/org/apache/qpid/server/store/berkeleydb/AbstractBDBMessageStore.java b/bdbstore/src/main/java/org/apache/qpid/server/store/berkeleydb/AbstractBDBMessageStore.java index b48cd54..05733ad 100644 --- a/bdbstore/src/main/java/org/apache/qpid/server/store/berkeleydb/AbstractBDBMessageStore.java +++ b/bdbstore/src/main/java/org/apache/qpid/server/store/berkeleydb/AbstractBDBMessageStore.java @@ -382,7 +382,10 @@ public abstract class AbstractBDBMessageStore implements MessageStore } catch (RuntimeException e) { -getLogger().error("Unexpected BDB exception", e); +if (getLogger().isDebugEnabled()) +{ +getLogger().debug("Unexpected BDB exception", e); +} try { 
@@ -630,7 +633,10 @@ public abstract class AbstractBDBMessageStore implements MessageStore } catch (RuntimeException e) { -getLogger().error("Failed to enqueue: {}", e.getMessage(), e); +if (getLogger().isDebugEnabled()) +{ +getLogger().debug("Failed to enqueue: {}", e.getMessage(), e); +} throw getEnvironmentFacade().handleDatabaseException("Error writing enqueued message with id " + messageId + " for queue " @@ -679,8 +685,10 @@ public abstract class AbstractBDBMessageStore implements MessageStore } catch (RuntimeException e) { - -getLogger().error("Failed to dequeue message " + messageId + " in transaction " + tx, e); +if (getLogger().isDebugEnabled()) +{ +getLogger().debug("Failed to dequeue message {} in transaction {}", messageId, tx, e); +} throw getEnvironmentFacade().handleDatabaseException("Error accessing database while dequeuing message: " + e.getMessage(), e); @@ -718,7 +726,10 @@ public abstract class AbstractBDBMessageStore implements MessageStore } catch (RuntimeException e) { -getLogger().error("Failed to write xid: " + e.getMessage(), e); +if (getLogger().isDebugEnabled()) +{ +getLogger().debug("Failed to write xid: {}", e.getMessage(), e); +} throw getEnvironmentFacade().handleDatabaseException("Error writing xid to database", e); } } @@ -749,8 +760,10 @@ public abstract class AbstractBDBMessageStore implements MessageStore } catch (RuntimeException e) { - -getLogger().error("Failed to remove xid in transaction " + txn, e); +if (getLogger().isDebugEnabled()) +{ +getLogger().error("Failed to remove xid in transaction {}", e); +} throw getEnvironmentFacade().handleDatabaseException("Error accessing database while removing xid: " + e.getMessage(), e); diff --git a/broker-core/src/main/java/org/apache/qpid/server/virtualhost/HouseKeepingTask.java b/broker-core/src/main/java/org/apache/qpid/server/virtualhost/HouseKeepingTask.java index 28ea3c7..f55404b 100644 --- a/broker-core/src/main/java/org/apache/qpid/server/virtualhost/HouseKeepingTask.java 
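Review bot: In the `-749,8` hunk the new call is `getLogger().error("Failed to remove xid in transaction {}", e);` inside an `isDebugEnabled()` guard, so it still logs at error level, only now conditionally. Its `{}` placeholder is never filled, because `txn` was dropped and the trailing `e` is taken as the throwable. The other four hunks in this file use `debug` with arguments, so this one presumably should read `getLogger().debug("Failed to remove xid in transaction {}", txn, e);`. Separately, with these messages at debug level a store failure leaves no trace at default log levels unless whoever receives the exception from `handleDatabaseException` logs it; that code is outside these hunks.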
+++ b/broker-core/src/main/java/org/apache/qpid/server/virtualhost/HouseKeepingTask.java @@ -25,10 +25,15 @@ import java.security.AccessController; import java.security.PrivilegedAction; import java.util.concurrent.ScheduledFuture; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + import org.apache.qpid.server.model.VirtualHost; +import org.apache.qpid.server.util.ConnectionScopedRuntimeException; public abstract class HouseKeepingTask