Qpid
  1. Qpid
  2. QPID-3614

ACLs and federation links do not work

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Not A Problem
    • Affects Version/s: 0.12
    • Fix Version/s: None
    • Component/s: C++ Broker
    • Labels:
    • Environment:

      Built from source on ubuntu 10.04 x64

      Description

      PROBLEM STATEMENT:
      I cannot get broker federation to work with ACLs enabled. I keep getting "ACL denied creating a federation link" even though my user has all permissions, on both brokers.

      STEPS TO REPRODUCE:

      • Create an acl file like the following:
        acl allow federation@QPID all all
        acl deny all all
      • Create the federation user in the sasl db
      • Using the following config:
        auth-realm=QPID
        log-enable=info+
        acl-file=/usr/local/etc/qpid/qpidd.acl
        sasl-config=/usr/local/etc/sasl2
        auth=yes
      • Start two brokers using the same config but different ports and data dirs (makes it easy to test the exact same authentication parameters for both brokers)
      • In my case I am create a queue push route, so create a queue and do:
        qpid-route queue add -s federation/password@localhost:5000 federation/password@localhost:5001 amq.direct myqueue

      Note that the use of a push route does not matter, I tested push and pull and both fail, just want to point out that I am using a push route to ensure that gets tested as part of the fix for this.

      RESULTS:
      The connection fails to get created with an error: "ACL denied creating a federation link"
      In the debug log on the destination broker I see:
      2011-11-11 15:50:20 debug ACL: Lookup for id: action:create objectType:link name: with params { }
      2011-11-11 15:50:20 debug No successful match, defaulting to the decision mode deny

      It appear that the user ID is not getting sent across

      EXPECTED RESULTS:
      The federation link should work with proper ACLs in place

        Activity

        No work has yet been logged on this issue.

          People

          • Assignee:
            Unassigned
            Reporter:
            Brandon Pedersen
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development