
ACL denials while replicating exclusive queues to a newly joined node

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.13
    • Fix Version/s: 0.13
    • Component/s: C++ Clustering
    • Labels:
      None

      Description

      (from https://bugzilla.redhat.com/show_bug.cgi?id=689408)
      Consider the following scenario:

      A user 'acluser' has access to:

      • create queues with name user.foo.*
      • bind to the exchange user.exchanges

      When one creates a receiver that logs in as acluser and creates an exclusive
      queue, any node that joins the existing broker in the cluster (and using the
      same acl file) will not be able to replicate the exclusive queue.

      The cluster-username is defined such that it has all privileges and is hence
      not limited by ACL.

      Version-Release number of selected component (if applicable):
      qpid-cpp-server-0.7.946106-28.el5

      How reproducible:
      Always

      Steps to Reproduce:
      1. Create ACL for a user as above
      2. Create exchange user.exchanges
      3. Create exclusive queue user.foo.me as acluser
      4. Start the second broker

      Actual results:
      Second broker fails to start. The following error is seen in the logs:

      Feb 11 20:00:26 dell-pe1950-2 qpidd[1028]: 2011-02-11 20:00:26 info ACL Deny
      id:acluser@QPID action:bind ObjectType:exchange Name:qpid.cluster-update
      Feb 11 20:00:26 dell-pe1950-2 qpidd[1028]: 2011-02-11 20:00:26 error Execution
      exception: unauthorized-access: ACL denied exchange bind request from
      acluser@QPID (qpid/broker/SessionAdapter.cpp:182)

      Expected results:

      Replication should succeed.

      Additional info:

      It looks like the update for session scope objects like exclusive queues is
      being done with the session owning user and not with the cluster-username. This
      seems to be the problem, since the session owning user in this case does not
      have the right privileges to bind to qpid.cluster-update.

      One could simply write an ACL rule allowing all users access to
      qpid.cluster-update but that may not be the best way to fix this since only the
      replication process should have this kind of access.
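A log check for the failure signature reported above, as an added example that is not part of the original report or the Qpid code base: it scans qpidd log text for ACL denials on the qpid.cluster-update exchange issued under any identity other than the cluster-username. The cluster user name cluster@QPID and the third sample log line are constructed assumptions; the first two records are the ones quoted in the report.

```python
import re
from collections import Counter

# Field layout of the "ACL Deny" record as it appears in the report's log.
# \s+ also matches newlines, so records wrapped by syslog still parse
# when the log is scanned as one block of text.
ACL_DENY = re.compile(
    r"ACL Deny\s+id:(?P<user>\S+)\s+action:(?P<action>\S+)\s+"
    r"ObjectType:(?P<objtype>\S+)\s+Name:(?P<name>\S+)"
)
UPDATE_EXCHANGE = "qpid.cluster-update"

def find_update_denials(log_text, cluster_user):
    """Count denials on the cluster update exchange made under an identity
    other than the cluster-username, keyed by (user, action)."""
    hits = Counter()
    for m in ACL_DENY.finditer(log_text):
        if (m["objtype"] == "exchange"
                and m["name"] == UPDATE_EXCHANGE
                and m["user"] != cluster_user):
            hits[(m["user"], m["action"])] += 1
    return hits

# First two records: quoted from the report (wrapped as in the original).
# Third record: constructed, an unrelated denial that must not be flagged.
SAMPLE_LOG = """\
Feb 11 20:00:26 dell-pe1950-2 qpidd[1028]: 2011-02-11 20:00:26 info ACL Deny
id:acluser@QPID action:bind ObjectType:exchange Name:qpid.cluster-update
Feb 11 20:00:26 dell-pe1950-2 qpidd[1028]: 2011-02-11 20:00:26 error Execution
exception: unauthorized-access: ACL denied exchange bind request from
acluser@QPID (qpid/broker/SessionAdapter.cpp:182)
Feb 11 20:00:27 dell-pe1950-2 qpidd[1028]: 2011-02-11 20:00:27 info ACL Deny
id:guest@QPID action:create ObjectType:queue Name:other.queue
"""

if __name__ == "__main__":
    # "cluster@QPID" is an assumed cluster-username for illustration.
    for (user, action), n in find_update_denials(SAMPLE_LOG, "cluster@QPID").items():
        print(f"{user} denied {action} on {UPDATE_EXCHANGE} x{n}: "
              "update ran as session owner, not cluster user")
```

A hit on a broker that failed to join points at this bug rather than at a mistake in the ACL file, so the fix is the broker upgrade, not a rule granting every user access to qpid.cluster-update.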

        Activity

        Alan Conway added a comment -

        Fixed on trunk r1182451 | QPID-3544: ACL denials while replicating exclusive queues to a newly joined node.


          People

          • Assignee:
            Alan Conway
            Reporter:
            Alan Conway