[ https://issues.apache.org/jira/browse/QPID-5621?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pavel Moravec closed QPID-5621.
-------------------------------
    Resolution: Fixed
    Fix Version/s: 0.27

> [C++ broker] userId is not passed to ACL when DIGEST-MD5 is used while creating link
> ------------------------------------------------------------------------------------
>
>                 Key: QPID-5621
>                 URL: https://issues.apache.org/jira/browse/QPID-5621
>             Project: Qpid
>          Issue Type: Improvement
>          Components: C++ Broker
>    Affects Versions: 0.24
>            Reporter: Pavel Moravec
>            Assignee: Pavel Moravec
>            Priority: Minor
>             Fix For: 0.27
>
>
> Description of problem:
> With authentication enabled and using a SASL method requiring a challenge sent to the client (DIGEST-MD5 or so), when creating a federation link there is no username/id passed into the ACL module, thus the link rules with a particular username are silently passed by with no match; the only matching rules are the 'all' rules.
>
> Reproducer:
> ###QPIDD.CONF
> auth=yes
> #acl-file=/var/lib/qpidd/fed.acl
> acl-file=/etc/qpid/fed.acl
> #acl-file=/etc/qpid/qpidd.acl
> log-to-file=/var/lib/qpidd/qpidd.log
> log-enable=info+
> log-enable=debug+:Acl
> data-dir=/var/lib/qpidd
>
> ###FED.ACL
> acl allow root@QPID all all
> acl deny all all
>
> ### start 2 brokers with the above setting (one broker with different port and data-dir)
>
> ###Creating regular link from 10000->5672
> qpid-route link add root/root@localhost:10000 root/root@localhost:5672 DIGEST-MD5
>
> Logs:
> ###DESTINATION QPIDD LOG (10000)
> 2013-08-13 10:33:38 [Broker] info The Broker::connect() method will be removed in a future release of QPID. Please use the Broker::create() method with type='link' instead.
> 2013-08-13 10:33:38 [Broker] info The Broker::connect() method will be removed in a future release of QPID. Please use the Broker::create() method with type='link' instead.
> 2013-08-13 10:33:38 [System] info Connecting: [::1]:5672
> 2013-08-13 10:33:38 [System] info Connecting: [::1]:5672
> 2013-08-13 10:33:38 [Broker] info Inter-broker link connecting to localhost:5672
> 2013-08-13 10:33:38 [Broker] info Inter-broker link connecting to localhost:5672
> 2013-08-13 10:33:38 [Network] info Set TCP_NODELAY on connection to localhost:5672
> 2013-08-13 10:33:38 [Network] info Set TCP_NODELAY on connection to localhost:5672
> 2013-08-13 10:33:38 [Broker] info Inter-broker link established to localhost:5672
> 2013-08-13 10:33:38 [Broker] info Inter-broker link established to localhost:5672
> 2013-08-13 10:33:38 [Broker] warning Client closed connection with 320: ACL denied creating a federation link (.. ConnectionHandler.cpp:205)
> 2013-08-13 10:33:38 [Broker] warning Client closed connection with 320: ACL denied creating a federation link (.. ConnectionHandler.cpp:205)
> 2013-08-13 10:33:38 [Broker] info Inter-broker link disconnected from localhost:5672 Closed by peer
> 2013-08-13 10:33:38 [Broker] info Inter-broker link disconnected from localhost:5672 Closed by peer
>
> ###SOURCE QPID LOG (5672)
> 2013-08-13 10:33:26 [Broker] notice Shut down
> 2013-08-13 10:33:26 [Store] notice Journal "TplStore": Destroyed
> 2013-08-13 10:33:26 [Broker] info Management enabled
> 2013-08-13 10:33:26 [Management] info ManagementAgent restored broker ID: 1e1f0ae9-a2e3-435c-8f5e-366d93dd69bf
> 2013-08-13 10:33:26 [Broker] info Loaded protocol AMQP 1.0
> 2013-08-13 10:33:26 [Store] notice Journal "TplStore": Created
> 2013-08-13 10:33:26 [Store] notice Store module initialized; store-dir=/var/lib/qpidd
> 2013-08-13 10:33:26 [Store] info > Default files per journal: 8
> 2013-08-13 10:33:26 [Store] info > Default journal file size: 24 (wpgs)
> 2013-08-13 10:33:26 [Store] info > Default write cache page size: 32 (KiB)
> 2013-08-13 10:33:26 [Store] info > Default number of write cache pages: 32
> 2013-08-13 10:33:26 [Store] info > TPL files per journal: 8
> 2013-08-13 10:33:26 [Store] info > TPL journal file size: 24 (wpgs)
> 2013-08-13 10:33:26 [Store] info > TPL write cache page size: 4 (KiB)
> 2013-08-13 10:33:26 [Store] info > TPL number of write cache pages: 64
> 2013-08-13 10:33:26 [Security] notice SSL plugin not enabled, you must set --ssl-cert-db to enable it.
> 2013-08-13 10:33:26 [Broker] info Registered xml exchange
> 2013-08-13 10:33:26 [Store] info Most recent persistence id found: 0x0
> 2013-08-13 10:33:26 [Store] info Recovered exchange "amq.direct"
> 2013-08-13 10:33:26 [Store] info Recovered exchange "amq.topic"
> 2013-08-13 10:33:26 [Store] info Recovered exchange "amq.fanout"
> 2013-08-13 10:33:26 [Store] info Recovered exchange "amq.match"
> 2013-08-13 10:33:26 [Security] info SASL: config path set to /etc/sasl2
> 2013-08-13 10:33:26 [Broker] info SASL enabled
> 2013-08-13 10:33:26 [Network] info Listening to: 0.0.0.0:5672
> 2013-08-13 10:33:26 [Network] info Listening to: [::]:5672
> 2013-08-13 10:33:26 [Network] notice Listening on TCP/TCP6 port 5672
> 2013-08-13 10:33:26 [Security] notice ACL: Read file "/etc/qpid/fed.acl"
> 2013-08-13 10:33:26 [Security] debug ACL: Group list: 0 groups found:
> 2013-08-13 10:33:26 [Security] debug ACL: name list: 2 names found:
> 2013-08-13 10:33:26 [Security] debug ACL: * root@QPID
> 2013-08-13 10:33:26 [Security] debug ACL: Rule list: 2 ACL rules found:
> 2013-08-13 10:33:26 [Security] debug ACL: 1 allow [root@QPID] * *
> 2013-08-13 10:33:26 [Security] debug ACL: 2 deny [*] *
> 2013-08-13 10:33:26 [Security] debug ACL: connections quota: 0 rules found:
> 2013-08-13 10:33:26 [Security] debug ACL: queues quota: 0 rules found:
> 2013-08-13 10:33:26 [Security] debug ACL: Load Rules
> 2013-08-13 10:33:26 [Security] debug ACL: Processing 2 deny [*] *
> 2013-08-13 10:33:26 [Security] debug ACL: FoundMode deny
> 2013-08-13 10:33:26 [Security] debug ACL: Processing 1 allow [root@QPID] * *
> 2013-08-13 10:33:26 [Security] debug ACL: Adding actions {consume,publish,create,access,bind,unbind,delete,purge,update} to objects {queue,exchange,broker,link,method} with props { } for users {root@QPID}
> 2013-08-13 10:33:26 [Security] debug ACL: Transfer ACL is Enabled!
> 2013-08-13 10:33:26 [Security] info ACL Plugin loaded
> 2013-08-13 10:33:26 [Store] info Enabling management instrumentation for the store.
> 2013-08-13 10:33:26 [System] info Rdma: Disabled: no rdma devices found
> 2013-08-13 10:33:26 [Broker] notice Broker running
> 2013-08-13 10:33:38 [Network] info Set TCP_NODELAY on connection to [::1]:49312
> 2013-08-13 10:33:38 [Security] info SASL: Mechanism list: DIGEST-MD5 ANONYMOUS PLAIN
> 2013-08-13 10:33:38 [Security] info SASL: Starting authentication with mechanism: DIGEST-MD5
> 2013-08-13 10:33:38 [Security] debug ACL: Lookup for id: action:create objectType:link name: with params { }
> 2013-08-13 10:33:38 [Security] debug ACL: No successful match, defaulting to the decision mode deny
>
> Actual results:
> link creation is denied because the user id is not passed to the ACL module
>
> Expected results:
> the user id should be passed to let the ACL module make the right decision
>
> Additional info:
> the reason is that the ACL for links is checked after receiving the connection.startOk AMQP method, while DIGEST-MD5 (and other auth. methods) provide the userId later on, during the connection.secureOk AMQP method.

--
This message was sent by Atlassian JIRA
(v6.2#6252)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org
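The ordering problem in the report (ACL checked at connection.start-ok, user id delivered only at connection.secure-ok for challenge mechanisms) can be made concrete with a small model of the AMQP 0-10 handshake. The following Python is an added illustration written for this page; it is not qpidd code and does not reproduce the broker's ConnectionHandler or the real DIGEST-MD5 arithmetic. It assumes a first-match ACL evaluator over the two rules from fed.acl, a default realm of "QPID" (the log shows the user as root@QPID), and constructed challenge/response strings in which only the username field matters. `acl_after_auth=False` models the reported behaviour; `acl_after_auth=True` models deferring the check until SASL has completed, which is the obvious remedy the report asks for and is an assumption here, not a description of the actual 0.27 fix.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# The acl-file from the report, as (decision, user, action, object) tuples.
# Rules are evaluated top-down and the first match decides (constructed model).
ACL_RULES = [
    ("allow", "root@QPID", "all", "all"),
    ("deny", "all", "all", "all"),
]


def acl_lookup(rules, user_id: str, action: str, obj: str) -> bool:
    """First-match rule evaluation. An empty user id can only match 'all' rules,
    which is why the report's log shows 'No successful match, defaulting to ... deny'."""
    for decision, rule_user, rule_action, rule_obj in rules:
        if rule_user != "all" and rule_user != user_id:
            continue
        if rule_action != "all" and rule_action != action:
            continue
        if rule_obj != "all" and rule_obj != obj:
            continue
        return decision == "allow"
    return False  # nothing matched: the logged "defaulting to the decision mode deny"


def parse_digest_fields(blob: bytes) -> dict:
    """Parse a comma-separated key="value" list, the shape DIGEST-MD5 messages use."""
    fields = {}
    for item in blob.decode().split(","):
        key, _, value = item.partition("=")
        fields[key.strip()] = value.strip().strip('"')
    return fields


@dataclass
class SaslServer:
    """Server-side SASL state. user_id stays empty until the mechanism delivers it."""
    mechanism: str
    realm: str = "QPID"          # assumed default realm; the log shows root@QPID
    user_id: str = ""
    complete: bool = False

    def start_ok(self, initial_response: bytes) -> Optional[bytes]:
        """Handle connection.start-ok. Returns a challenge (sent as connection.secure) or None."""
        if self.mechanism == "PLAIN":
            authzid, authcid, _password = initial_response.split(b"\0")  # password check elided
            self.user_id = (authzid or authcid).decode() + "@" + self.realm
            self.complete = True
            return None
        if self.mechanism == "DIGEST-MD5":
            # Constructed challenge: a real one carries a random nonce; content is irrelevant here.
            return b'realm="QPID",nonce="n1",qop="auth"'
        raise ValueError("unsupported mechanism: " + self.mechanism)

    def secure_ok(self, response: bytes) -> None:
        """Handle connection.secure-ok: the first point at which DIGEST-MD5 names the user."""
        fields = parse_digest_fields(response)
        self.user_id = fields["username"] + "@" + fields.get("realm", self.realm)
        self.complete = True


def client_initial_response(mechanism: str, user: str, password: str) -> bytes:
    """What the client puts in start-ok: PLAIN already names the user, DIGEST-MD5 sends nothing."""
    if mechanism == "PLAIN":
        return b"\0" + user.encode() + b"\0" + password.encode()
    return b""


def client_secure_ok(challenge: bytes, user: str) -> bytes:
    """Constructed DIGEST-MD5 response; the digest is a placeholder, only username matters."""
    fields = parse_digest_fields(challenge)
    return ('username="%s",realm="%s",nonce="%s",response="placeholder"'
            % (user, fields["realm"], fields["nonce"])).encode()


def create_link(mechanism: str, acl_after_auth: bool) -> Tuple[bool, str]:
    """Model 'qpid-route link add root/root@... <mechanism>' against the broker.
    acl_after_auth=False: ACL checked in the start-ok handler (behaviour in the report).
    acl_after_auth=True:  ACL checked once SASL is complete (assumed remedy).
    Returns (link_allowed, user_id_the_acl_saw)."""
    server = SaslServer(mechanism)
    challenge = server.start_ok(client_initial_response(mechanism, "root", "root"))
    if not acl_after_auth:
        seen = server.user_id                      # "" for DIGEST-MD5 at this point
        allowed = acl_lookup(ACL_RULES, seen, "create", "link")
    if challenge is not None:
        server.secure_ok(client_secure_ok(challenge, "root"))
    if acl_after_auth:
        assert server.complete
        seen = server.user_id
        allowed = acl_lookup(ACL_RULES, seen, "create", "link")
    return allowed, seen


if __name__ == "__main__":
    for mech in ("PLAIN", "DIGEST-MD5"):
        for after in (False, True):
            print(mech, "acl_after_auth=%s" % after, create_link(mech, after))
```

Running it shows PLAIN passing either way, DIGEST-MD5 being denied with an empty id when the check sits in the start-ok handler (the "Lookup for id:" line with nothing after the colon), and DIGEST-MD5 passing as root@QPID once the check waits for secure-ok. The general point for any broker ACL: authorization that keys on identity must run after the authentication exchange that produces that identity, and for challenge-response mechanisms that is one or more round trips later than the first client message.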