On Fri, Feb 20, 2009 at 7:35 PM, Mark Moseley <[email protected]> wrote:
> I'll apologize in advance that I'm pretty new to QPid (and AMQP) in
> general, so forgive the possibly n00b questions :)
>
> I've been playing around with federation and reading through the Qpid
> docs as well as the Redhat MRG docs. I can only seem to get it working
> if I completely open up the ACL on the destination side, i.e. acl has
> "acl allow-log all all"
>
> When I send to the source broker, with a wide-open ACL, the message
> gets dumped over to the dest broker just fine. Without "acl allow-log
> all all" in my ACL, it gets denied. Looking at the logs on the dest
> broker, there doesn't seem to be an 'id' associated with the publish,
> even though it was authenticated on the source side. I'd have expected
> that the 'id' showing up on the dest broker would either be the
> authenticated sender ('mark' in this case) or the user used to create
> the federation -- cleverly named 'router' in this case. I'm using the
> same ACL file for both brokers and both 'mark' and 'router' have "acl
> allow-log <username> all all", so they don't have any problem
> performing actions on either broker (just a test bed).
>
> The federation was created with a static route:
> # qpid-route route add router/rou...@localhost:5672
> router/rou...@localhost:5671 amq.direct mykey
>
> On the source broker:
> 2009-feb-20 22:24:13 info ACL Allow id:m...@qpid action:publish
> ObjectType:exchange Name:amq.direct
> 2009-feb-20 22:24:13 debug Message 0x80cc400 enqueued on
> bridge_queue_1_ba641f59-76ef-48c2-875c-d05e6c5d2132[0x80cb538]
>
> On the dest broker (with open ACL):
> 2009-feb-20 22:24:05 info Inter-broker link established to localhost:5671
> 2009-feb-20 22:24:13 info ACL Allow id: action:publish
> ObjectType:exchange Name:amq.direct
>
> On the dest broker (without a wide-open ACL):
> 2009-feb-20 22:32:04 info Inter-broker link established to localhost:5671
> 2009-feb-20 22:32:20 info ACL Deny id: action:publish
> ObjectType:exchange Name:amq.direct
> 2009-feb-20 22:32:20 error Execution exception: not-allowed: cannot
> publish to amq.direct with routing-key mykey
> (qpid/broker/SemanticState.cpp:384)
>
> My question is: is that a normal consequence of federation, i.e. that
> credentials aren't passed around and that neither the authenticated
> sender nor the user used to create the static route is used as the
> 'id' on the dest side?
>
> If not, is there some obvious configuration option I'm missing?
>
> Thanks! And again, sorry for the possibly RTFM!
>

I probably ought to have mentioned that this is on the C++ broker, from
the qpid-M4 distribution, with both brokers on localhost (one on port
5671, one on 5672).

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:[email protected]
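
Added example (not part of the original message and not Qpid code): a small Python parser for the ACL log lines quoted above that flags decisions logged with an empty id, which is the symptom described in the post. The log layout is assumed from those quoted lines only, and the function names are hypothetical.

```python
import re
from collections import Counter

# Log lines copied from the post above, with mail-wrapped lines rejoined.
SAMPLE_LOG = """\
2009-feb-20 22:24:13 info ACL Allow id:m...@qpid action:publish ObjectType:exchange Name:amq.direct
2009-feb-20 22:24:05 info Inter-broker link established to localhost:5671
2009-feb-20 22:24:13 info ACL Allow id: action:publish ObjectType:exchange Name:amq.direct
2009-feb-20 22:32:20 info ACL Deny id: action:publish ObjectType:exchange Name:amq.direct
"""

# Layout assumed from the quoted lines only:
# <date> <time> <level> ACL <Allow|Deny> id:<user> action:<a> ObjectType:<t> Name:<n>
ACL_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) \w+ ACL (?P<decision>Allow|Deny) "
    r"id:(?P<id>\S*) action:(?P<action>\S+) "
    r"ObjectType:(?P<objtype>\S+) Name:(?P<name>\S+)"
)


def parse_acl_events(text):
    """Return one dict per ACL decision line; other broker lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ACL_LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def empty_id_events(events, decision=None):
    """ACL decisions logged with no identity, optionally filtered by Allow/Deny."""
    return [e for e in events
            if e["id"] == "" and decision in (None, e["decision"])]


def summarize(events):
    """Count decisions per (decision, identity); '<none>' marks an empty id."""
    return Counter((e["decision"], e["id"] or "<none>") for e in events)


if __name__ == "__main__":
    events = parse_acl_events(SAMPLE_LOG)
    for (decision, ident), n in sorted(summarize(events).items()):
        print(f"{decision:5} id={ident:12} x{n}")
    # An Allow with an empty id means a rule matched a publish that the
    # broker logged with no user name, as with "acl allow-log all all".
    for e in empty_id_events(events, "Allow"):
        print("empty-id ALLOW:", e["ts"], e["action"], e["objtype"], e["name"])
```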
