On 08/22/2012 10:35 AM, holger wrote:
> Hi everyone,
>
> I am trying to understand what the QPID C++ broker (v0.14) and JMS client
> are doing under the hood. I have a scenario where I connect to a queue
> ("BURL:Q") and read and write from it. I already noticed that the default
> settings in this case are to create the queue and set it to durable.
>
> Now I am trying to set up ACL rules that do give the user the appropriate
> rights for this test case, but not for anything else.
>
> To my surprise I require the permission to create an exchange ("acl allow
> users create exchange"). After looking at the logging output, I realized
> that the client is declaring an exchange, which throws the exception:
>
> 1008 DEBUG [main] org.apache.qpid.transport.Connection - SEND:
> [conn:11e7c5cb] ch=0 id=1 ExchangeDeclare(exchange=amq.direct, type=direct,
> passive=true)
> ...
> 1015 DEBUG [IoReceiver - gbl20004204.eu.hedani.net/166.12.91.155:5672]
> org.apache.qpid.transport.Connection - RECV: [conn:11e7c5cb] ch=0
> ExecutionException(errorCode=UNAUTHORIZED_ACCESS, commandId=1, classCode=7,
> commandCode=1, fieldIndex=0, description=unauthorized-access: ACL denied
> exchange create request from holger@QPID
> (qpid/broker/SessionAdapter.cpp:87), errorInfo={})
>
> My question is now: why does it do that? Shouldn't it understand that
> amq.direct is always there and that it doesn't need the permission to create
> it?

This was a defect with the broker[1], fixed for 0.18.

The exchange is declared with the passive flag set (this is required for
all standard exchanges), meaning it should *not* be created. The broker's
ACL model incorrectly checked for a 'create' permission for all
declares, regardless of the passive flag.

However, in the meantime you can work around it by specifying a passive
property for the ACL rule with a value of true to distinguish between
permission to declare passively and permission to create if necessary.

From 0.18, all that will be required is 'access' permission for the
exchange.

[1] https://issues.apache.org/jira/browse/QPID-3964
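
Added example, not part of the original message and not Qpid's own code: a simplified Python model of the ACL decision described in the reply, comparing the rule from the question, the interim `passive=true` rule, and the 'access' rule that applies from 0.18. Assumptions: first-match evaluation with default deny, the caller already resolved to the group `users`, and the helper names and the exchange name `example.new` are constructed for illustration.

```python
# Simplified model of the ACL check on ExchangeDeclare; not Qpid's own code.
# Assumed: first matching rule wins, no match means deny, and the caller has
# already been resolved to its group ("users").

def parse_rule(line):
    """Split 'acl <allow|deny> <who> <action> <object> [key=value ...]'."""
    _, decision, who, action, obj, *props = line.split()
    return decision, who, action, obj, dict(p.split("=", 1) for p in props)

def decide(rules, who, action, obj, props):
    """Return True if the first rule matching the request is an allow."""
    for line in rules:
        decision, r_who, r_action, r_obj, r_props = parse_rule(line)
        if r_who not in (who, "all") or r_action not in (action, "all"):
            continue
        if r_obj not in (obj, "all"):
            continue
        # Every property named in the rule must equal the request's value.
        if all(props.get(k) == v for k, v in r_props.items()):
            return decision == "allow"
    return False

def declare_exchange(rules, who, name, passive, fixed):
    """ACL outcome for ExchangeDeclare.

    fixed=False: behaviour before 0.18 (every declare is checked as 'create').
    fixed=True:  behaviour from 0.18 (a passive declare is checked as 'access').
    """
    action = "access" if (fixed and passive) else "create"
    props = {"name": name, "passive": "true" if passive else "false"}
    return decide(rules, who, action, "exchange", props)

BROAD = ["acl allow users create exchange"]                      # rule from the question
WORKAROUND = ["acl allow users create exchange passive=true"]    # interim rule
FROM_0_18 = ["acl allow users access exchange name=amq.direct"]  # rule after the fix

if __name__ == "__main__":
    for label, rules, fixed in (("broad", BROAD, False),
                                ("workaround", WORKAROUND, False),
                                ("0.18", FROM_0_18, True)):
        print(label,
              "passive amq.direct:", declare_exchange(rules, "users", "amq.direct", True, fixed),
              "| create example.new:", declare_exchange(rules, "users", "example.new", False, fixed))
```

The broad rule lets the client declare `amq.direct` but also lets it create arbitrary exchanges, which is what the question wanted to avoid; the other two rule sets allow only the passive declare.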