Uploaded image for project: 'Qpid Dispatch'
  1. Qpid Dispatch
  2. DISPATCH-330

Access control policy should return more suitable errors

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 0.6.0
    • 0.8.0
    • Policy Engine
    • None

    Description

      Currently, if some action is denied by the access control policy, it always returns amqp:resource-limit-exceeded error. This is fine when the deny was issues because of a limit (e.g.number of connections, sessions etc.).

      But when the action is denied for different reasons - e.g. because of unallowed target / source, amqp:unauthorized-access would be much more suitable than amqp:resource-limit-exceeded. As an example, see the situation below.

      Mon May 9 09:12:47 2016 SERVER (trace) [4]:0 <- @attach(18) [name="request.ABCFR_ABCFRALMMACC1_113876ee-c7a3-4760-8e97-32d66e8ff0f1", handle=0, role=false, snd-settle-mode=2, rcv-settle-mode=0, source=@source(40) [address="request.ABCFR_ABCFRALMMACC1", durable=0, timeout=0, dynamic=false], target=@target(41) [address="request.ABCFR_ABCFRALMMACC1", durable=0, timeout=0, dynamic=false, capabili
      ties=:topic], initial-delivery-count=0]
      Mon May 9 09:12:47 2016 POLICY (info) DENY AMQP Attach sender link 'request.ABCFR_ABCFRALMMACC1' for user 'admin@QPID', host '127.0.0.1', app '(null)' based on link target name
      Mon May 9 09:12:47 2016 SERVER (trace) [4]:0 -> @attach(18) [name="request.ABCFR_ABCFRALMMACC1_113876ee-c7a3-4760-8e97-32d66e8ff0f1", handle=0, role=true, snd-settle-mode=2, rcv-settle-mode=0, source=@source(40) [durable=0, timeout=0, dynamic=false], target=@target(41) [durable=0, timeout=0, dynamic=false], initial-delivery-count=0]
      Mon May 9 09:12:47 2016 SERVER (trace) [4]:RAW: "\x00\x00\x00\x8f\x02\x00\x00\x00\x00S\x12\xd0\x00\x00\x00\x7f\x00\x00\x00\x0a\xa1@request.ABCFR_ABCFRALMMACC1_113876ee-c7a3-4760-8e97-32d66e8ff0f1R\x00AP\x02P\x00\x00S(\xd0\x00\x00\x00\x11\x00\x00\x00\x0b@R\x00@R\x00B@@@@@@\x00S)\xd0\x00\x00\x00\x0d\x00\x00\x00\x07@R\x00@R\x00B@@@@R\x00"
      Mon May 9 09:12:47 2016 SERVER (trace) [4]:0 -> @detach(22) [handle=0, closed=true, error=@error(29) [condition=:"amqp:resource-limit-exceeded", description="link disallowed by local policy"]]
      Mon May 9 09:12:47 2016 SERVER (trace) [4]:RAW: "\x00\x00\x00c\x02\x00\x00\x00\x00S\x16\xd0\x00\x00\x00S\x00\x00\x00\x03R\x00A\x00S\x1d\xd0\x00\x00\x00D\x00\x00\x00\x03\xa3\x1camqp:resource-limit-exceeded\xa1\x1flink disallowed by local policy@"

      Attachments

        Activity

          People

            chug Charles E. Rolke
            scholzj Jakub Scholz
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: