QPID-2600

ACL policy doesn't permit certain characters in usernames added to groups

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 0.6
    • Fix Version/s: 0.7
    • Component/s: C++ Broker
    • Labels: None

      Description

      Description of problem:
      Unable to add a host principal to a group: the ACL policy file fails to load and prevents qpidd from running.
      I guess this is partly due to us not figuring out what is exactly allowed for group and usernames.

      How reproducible:
      Fails every time.

      Steps to Reproduce:
      1. Add a host or service principal to a group in the ACL file. Something like
      this will suffice:
      group somegroup host/somemachine.example.com@EXAMPLE.COM

      Actual results:
      Failure to start. Error message is:
      Daemon startup failed: Could not read ACL file ACL format error:
      /etc/qpid/policy.acl:25: Name "host/somemachine.example.com@EXAMPLE.COM"
      contains illegal characters.

      Expected results:
      Should load and parse the group cleanly.

        Activity

        Andrew Kennedy added a comment -

        I have also based the Java group entity parsing on the C++ parser and the website documentation.

        Should this be changed, with the @ and / swapped, to:

        <name> [ /<domain> [ @<realm> ] ]

        Rajith Attapattu added a comment -

        Thx, good catch!

        "user = username[@domain[/realm]]" should be changed to user = <name> [ /<domain> [ @<realm> ] ]

        However currently the c++ broker doesn't treat the '@' as optional as we do have the concept of a domain.
        I know the Java broker doesn't, as it doesn't support GSSAPI etc.
        I could probably default to the default-broker-realm if nothing is specified, rather than flag it as an error.

        The website documentation needs a bit of work, for sure.

        We are moving the ACL documentation from the wiki to the new doc book format kept in svn.
        So going forward we can keep them in sync a bit more easily.

        Rajith Attapattu added a comment -

        "However currently the c++ broker doesn't treat the '@' as optional as we do have the concept of a domain." should be changed to:
        However currently the c++ broker doesn't treat the '@' as optional as we do have the concept of a realm.

        Rajith Attapattu added a comment -

        The C++ ACL module now allows all characters as specified in the ACL proposal here: http://qpid.apache.org/acl.html
        I have also added a test case to cover the issue highlighted in the JIRA.

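The member-name grammar agreed in the thread above, <name> [ /<domain> [ @<realm> ] ], as an added example in C++. This is not Qpid's own ACL module: it is a small parser for a "group" line that accepts the reproducer's Kerberos host principal and still fails closed on malformed names, so a bad policy file continues to stop the broker from loading it. Three things are this example's assumptions rather than the broker's actual rules: the permitted character set inside a component (alphanumerics plus '-', '_' and '.'), treating the domain and the realm as independently optional so that a plain name@REALM also parses (the grammar quoted in the thread nests the realm inside the domain), and the wording of the error strings.

```cpp
// Added example for QPID-2600, not Qpid's own code. Parses ACL member names of
// the form <name>[/<domain>][@<realm>] and "group <groupname> <member>..." lines.
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// One ACL principal: <name> [ /<domain> ] [ @<realm> ]
struct AclName {
    std::string name;
    std::string domain;   // empty when absent
    std::string realm;    // empty when absent
};

// Characters permitted inside a component. ASSUMPTION for this example:
// alphanumerics plus '-', '_' and '.'; '/' and '@' are separators only.
static bool componentOk(const std::string& s) {
    if (s.empty()) return false;
    for (std::string::size_type i = 0; i < s.size(); ++i) {
        unsigned char c = s[i];
        if (!std::isalnum(c) && c != '-' && c != '_' && c != '.') return false;
    }
    return true;
}

// Splits text into name/domain/realm. Returns false on any violation (fail
// closed) but accepts host/somemachine.example.com@EXAMPLE.COM.
bool parseAclName(const std::string& text, AclName& out) {
    const std::string::size_type npos = std::string::npos;
    std::string::size_type slash = text.find('/');
    std::string::size_type at = text.find('@');

    // At most one of each separator, and the realm must come after the domain.
    if (slash != npos && text.find('/', slash + 1) != npos) return false;
    if (at != npos && text.find('@', at + 1) != npos) return false;
    if (slash != npos && at != npos && at < slash) return false;

    AclName r;
    std::string::size_type nameEnd = slash != npos ? slash : (at != npos ? at : text.size());
    r.name = text.substr(0, nameEnd);
    if (slash != npos) {
        std::string::size_type domEnd = at != npos ? at : text.size();
        r.domain = text.substr(slash + 1, domEnd - slash - 1);
        if (!componentOk(r.domain)) return false;
    }
    if (at != npos) {
        r.realm = text.substr(at + 1);
        if (!componentOk(r.realm)) return false;
    }
    if (!componentOk(r.name)) return false;
    out = r;
    return true;
}

// Parses a "group <groupname> <member>..." line. On failure err names the
// offending token; the wording mirrors the broker's message but is this example's own.
bool parseGroupLine(const std::string& line, std::string& groupName,
                    std::vector<AclName>& members, std::string& err) {
    std::istringstream in(line);
    std::string keyword;
    if (!(in >> keyword >> groupName) || keyword != "group") {
        err = "not a group line";
        return false;
    }
    if (!componentOk(groupName)) { err = "bad group name \"" + groupName + "\""; return false; }
    members.clear();
    std::string tok;
    while (in >> tok) {
        AclName n;
        if (!parseAclName(tok, n)) {
            err = "Name \"" + tok + "\" contains illegal characters";
            return false;
        }
        members.push_back(n);
    }
    if (members.empty()) { err = "group has no members"; return false; }
    return true;
}

int main() {
    // Constructed input: the reproducer from the report plus a deliberately bad line.
    const char* lines[] = {
        "group somegroup host/somemachine.example.com@EXAMPLE.COM guest@QPID admin",
        "group broken user@REALM/dom",   // realm before domain: rejected
    };
    for (size_t i = 0; i < 2; ++i) {
        std::string g, err;
        std::vector<AclName> ms;
        if (parseGroupLine(lines[i], g, ms, err)) {
            std::cout << "group " << g << ":\n";
            for (size_t j = 0; j < ms.size(); ++j)
                std::cout << "  name=" << ms[j].name << " domain=" << ms[j].domain
                          << " realm=" << ms[j].realm << "\n";
        } else {
            std::cout << "ACL format error: " << err << "\n";
        }
    }
    return 0;
}
```

Rejecting the whole file on the first malformed member is the same fail-closed behaviour the report describes; the change is only that '/' and '@' are now parsed as separators instead of being counted as illegal characters.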

          People

          • Assignee: Rajith Attapattu
          • Reporter: Rajith Attapattu
          • Votes: 0
          • Watchers: 0
