QPID-3799: ACL processing by C++ broker produces unexpected results

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.14
    • Fix Version/s: 0.15
    • Component/s: C++ Broker
    • Labels: None
    • Environment: C++ Broker

      Description

      There are several instances of C++ ACL-processing code that produce results that do not match what would be expected after reading the Developer Pages, ACL site page. Clean up of both the site page and the code in a few cases requires an agreement on the actual desired behaviour.

      Some of the rule sets below are contrived and not something that a normal person would write. However, rule sets may be machine generated or they may be in a confused state due to cut and paste errors. Rule processing must be predictable regardless of how the rule sets came to be.

      1. Conflicting permissions rules. Given the following rule set[1]:
      acl allow bob@QPID create queue
      acl deny bob@QPID create queue
      acl allow all all

      What happens when bob tries to create a queue? The site page suggests that the rules are processed in order and the first rule that matches defines the action to take. By that reading bob should be allowed to create a queue. In the C++ broker, however, the first 'acl allow' rule is discarded. Then the first rule to match is the deny rule.

      Q1: What is the correct behaviour for the conflicting rules in rule set 1?

      2. ACL lines greater than 1000 characters are silently truncated. ACL processing should stop and emit an error if lines are too long.

      3. The C++ broker handles some numeric limits on queue creation but these limits are not documented in the wiki page.

      We have the following rule set[2]:
      1. acl allow bob create queue maxqueuesize=1000
      2. acl deny bob all all

      Line 1 allows bob to create queues as long as the qpid.max_size argument in the queue_declare request is <= 1000.
      Line 2 prevents bob from doing anything else.

      We have another rule set[3]:
      1. acl allow bob create queue maxqueuesize=1000
      2. acl allow bob create queue maxqueuesize=10000
      3. acl deny bob all all

      What happens when ACL processing gets to Line 1 when bob tries to create a queue with max_size = 2000? Line 1 disallows the creation but Line 2 allows it.

      • If code treats the numeric tests as another "comparison criteria" then Line 1 will not match. This allows processing to move to Line 2 where the action will be allowed.
      • If the code treats the numeric tests as a "deny subclause" then Line 1 will be a match and bob will be denied.

      Q3: What should happen when bob tries to create a queue with max_size = 2000 using rule set [3]?

      4. Numeric limits should work differently on deny rules[4].

      1. acl deny bob create queue maxqueuesize=1000
      2. acl allow bob all all

      I suggest that when the numeric tests specifying max values are used as "comparison criteria" then:

      • In an allow rule the match is true when the user's value is "less than or equal to" the ACL max limit.
      • In a deny rule the match is true when the user's value is "greater than" the ACL max limit.

      Q4: How should numeric limits be applied in deny rules?

      I'm interested to know what folks think is the "correct" behaviour for these rules and/or how the Java broker would handle them.

        Activity

        Rajith Attapattu added a comment -

        A few quick thoughts/comments on the issues raised by Chuck

        Conflicting Rules
        -------------------
        IMO the ACL system should highlight conflicting rules. At least the c++ module is quite weak in validation and there is a lot more room for improvement there.

        "ACL lines greater than 1000 characters are silently truncated. ACL processing should stop and emit an error if lines are too long."
        This is a bug IMO, we should file a JIRA for this.

        Limits
        --------
        As for limits, I think there is a lot of room to improve. We really need to rethink how we handle limits and their effectiveness.
        Some of the improvements we can make,
        1. The ability to express rules in a more intuitive way like maxqueuesize <= 1000
        2. Ensure that limits can be enforced more meaningfully.
        For example trying to limit users with queuesize is not good enough. If somebody wants to really mess up then they can still create a million queues (all within the max queue size limit). So IMO the max-queue-size is only meaningful if we also limit the number of live queues the user can create.

        In general I think we need to look at some improvements to the ACL module.
        Some of the drawbacks I see in the current design/model/code are,
        1. Does not work within a cluster
        2. Being tied to the AMQP 0-10 model
        3. Rules cannot be provisioned dynamically
        4. Handling of limits is ugly, etc.
        5. Not being able to integrate with 3rd party security models.

        Rajith

        jiraposter@reviews.apache.org added a comment -

        -----------------------------------------------------------
        This is an automatically generated e-mail. To reply, visit:
        https://reviews.apache.org/r/4063/
        -----------------------------------------------------------

        Review request for qpid, Gordon Sim, Ted Ross, and rajith attapattu.

        Summary
        -------

        This is a diff between branch branches/QPID-3799-acl and trunk.

        With it the code implements:
        1. New rule logic where rules are never deleted. All rules in the ACL file are processed top to bottom.
        2. New limit logic.

        • ACL parameters maxqueuesize and maxqueuecount are renamed to MAXQUEUESIZEUPPERLIMIT and MAXQUEUECOUNTUPPERLIMIT.
        • UPPERLIMIT conditions are not part of 'rule match' criteria. Rather, if the remaining conditions match the rule then the violation of UPPERLIMIT conditions cause allow rules to be denied. In deny rules the UPPERLIMIT conditions have no effect.
        • MAXQUEUESIZELOWERLIMIT and MAXQUEUECOUNTLOWERLIMIT are like their UPPERLIMIT counterparts but are enforced as lower bounds on qpid.max_size queue options.
        • New enumeration so that name strings specified by files are separate from named objects specified by run-time code.
        3. Logging changes: Logs start with "ACL:". New log entries added to aid in debugging ACL processing.
        4. New features tested in acl.py.
        5. Whitespace and general line width shortening.

        On approval this is ready to be merged back into trunk.

        This addresses bug QPID-3799.
        https://issues.apache.org/jira/browse/QPID-3799

        Diffs
        -----
        trunk/qpid/cpp/src/qpid/acl/Acl.h 1294348
        trunk/qpid/cpp/src/qpid/acl/Acl.cpp 1294348
        trunk/qpid/cpp/src/qpid/acl/AclData.h 1294348
        trunk/qpid/cpp/src/qpid/acl/AclData.cpp 1294348
        trunk/qpid/cpp/src/qpid/acl/AclReader.h 1294348
        trunk/qpid/cpp/src/qpid/acl/AclReader.cpp 1294348
        trunk/qpid/cpp/src/qpid/acl/AclValidator.h 1294348
        trunk/qpid/cpp/src/qpid/acl/AclValidator.cpp 1294348
        trunk/qpid/cpp/src/qpid/broker/AclModule.h 1294348
        trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.h 1294348
        trunk/qpid/cpp/src/qpid/broker/SemanticState.h 1294348
        trunk/qpid/cpp/src/tests/acl.py 1294348

        Diff: https://reviews.apache.org/r/4063/diff

        Testing
        -------

        Tests added and passed.

        Thanks,

        Chug

        jiraposter@reviews.apache.org added a comment -

        -----------------------------------------------------------
        This is an automatically generated e-mail. To reply, visit:
        https://reviews.apache.org/r/4063/#review5447
        -----------------------------------------------------------

        Ship it!

        • Gordon

        On 2012-02-27 22:26:16, Chug Rolke wrote:
        > (quoted copy of the review request above, updated 2012-02-27 22:26:16)

        Chuck Rolke added a comment -

        Here is a demonstration of how this update has changed ACL logging.
        This note shows:
        1. The ACL file.
        2. The test case.
        3. The old log output.
        4. The new log output.

        The log outputs are trimmed/formatted to be readable. The logs show
        the preprocessing phase of how the ACL file is processed into a set of
        rules and the lookup phase of how the rules are processed when a given
        test case is presented to the ACL engine for approval.

        Differences to note:

        • In the old processing phase the rules are shown numbered 0..6
          but then are processed numbered 7..1. This is confusing.
          In the new processing the rules are numbered 1..7 and processed 7..1.
        • In the old lookup phase the rule being processed is identified with
          a [ log=0, logonly=0 ...]. Those are artifacts of internal structures
          and don't help users know which rules are being processed. The new
          lookup phase shows the same rule numbers as in the processing phase.
        • In the old lookup phase the rules are processed from the bottom of
          the ACL file towards the top. In the new lookup phase the rules are
          processed from the top of the ACL file towards the bottom.
        • In the old ACL logs each line may or may not begin with ACL:. In the
          new ACL logs every line begins with ACL:.

        1. The ACL file (from selftests acl.py):

        acl deny bob@QPID create queue name=q1 durable=true passive=true
        acl deny bob@QPID create queue name=q2 exclusive=true policytype=ring
        acl deny bob@QPID access queue name=q3
        acl deny bob@QPID purge queue name=q3
        acl deny bob@QPID delete queue name=q4
        acl deny bob@QPID create queue name=q5 maxqueuesize=1000 maxqueuecount=100
        acl allow all all

        2. A test case:

        queue_options = {}
        queue_options["qpid.max_count"] = 200
        queue_options["qpid.max_size"] = 500
        session.queue_declare(queue="q5", exclusive=True, arguments=queue_options)
        self.fail("ACL should deny queue create request with name=q2, qpid.max_size=500 and qpid.max_count=200")

        3. Old log output.

        3a. Old log processing phase
        notice Read ACL file "/home/chug/svn/qpid/cpp/src/tests/data_dir/policy.acl"
        debug Group list: 0 groups found:
        debug Name list: 2 names found:
        debug * bob@QPID
        debug Rule list: 7 ACL rules found:
        debug 0 deny [bob@QPID] create queue name=q1 durable=true passive=true
        debug 1 deny [bob@QPID] create queue name=q2 exclusive=true policytype=ring
        debug 2 deny [bob@QPID] access queue name=q3
        debug 3 deny [bob@QPID] purge queue name=q3
        debug 4 deny [bob@QPID] delete queue name=q4
        debug 5 deny [bob@QPID] create queue name=q5 maxqueuesize=1000 maxqueuecount=100
        debug 6 allow [*] *
        debug ACL Load Rules
        debug ACL Processing 7 allow [*] *
        debug ACL FoundMode allow
        debug ACL Processing 6 deny [bob@QPID] create queue name=q5 maxqueuesize=1000 maxqueuecount=100
        debug ACL: Adding actions {create}
        to objects {queue}
        with props { name=q5 maxqueuesize=1000 maxqueuecount=100 }
        for users {bob@QPID}
        debug ACL Processing 5 deny [bob@QPID] delete queue name=q4
        debug ACL: Adding actions {delete}
        to objects {queue}
        with props { name=q4 }
        for users {bob@QPID}
        debug ACL Processing 4 deny [bob@QPID] purge queue name=q3
        debug ACL: Adding actions {purge}
        to objects {queue}
        with props { name=q3 }
        for users {bob@QPID}
        debug ACL Processing 3 deny [bob@QPID] access queue name=q3
        debug ACL: Adding actions {access}
        to objects {queue}
        with props { name=q3 }
        for users {bob@QPID}
        debug ACL Processing 2 deny [bob@QPID] create queue name=q2 exclusive=true policytype=ring
        debug ACL: Adding actions {create}
        to objects {queue}
        with props { name=q2 exclusive=true policytype=ring }
        for users {bob@QPID}
        debug ACL Processing 1 deny [bob@QPID] create queue name=q1 durable=true passive=true
        debug ACL: Adding actions {create}
        to objects {queue}
        with props { name=q1 durable=true passive=true }
        for users {bob@QPID}
        debug Found validator for property values should be between 0 and 9223372036854775807
        debug Found validator for property values should be between 0 and 9223372036854775807
        debug Found validator for property possible values are one of { 'ring' 'ring_strict' 'flow_to_disk' 'reject' }

        3b. Old log lookup phase
        debug ACL: Lookup for id:bob@QPID
        action:create
        objectType:queue
        name:q5
        with params { durable=false passive=false autodelete=false exclusive=true alternate= policytype= maxqueuesize=500 maxqueuecount=200 }
        debug ACL: checking the following rules for : bob@QPID
        debug ACL: checking rule [log=0, logOnly=0 props{ name=q5 maxqueuesize=1000 maxqueuecount=100 }]
        debug ACL: name 'q5' matched with name 'q5' given in the rule
        debug ACL: Numeric comparison for property maxqueuesize (value given in lookup = 500, value give in rule = 1000 )
        debug ACL: Numeric comparison for property maxqueuecount (value given in lookup = 200, value give in rule = 100 )
        debug ACL: Limit exceeded and match=true as decision mode is allow
        debug Successful match, the decision is:deny


        4. New log output.

        4a. New log processing phase.

        notice ACL: Read file "/home/chug/svn/qpid/cpp/src/tests/data_dir/policy.acl"
        debug ACL: Group list: 0 groups found:
        debug ACL: name list: 2 names found:
        debug ACL: * bob@QPID
        debug ACL: Rule list: 7 ACL rules found:
        debug ACL: 1 deny [bob@QPID] create queue name=q1 durable=true passive=true
        debug ACL: 2 deny [bob@QPID] create queue name=q2 exclusive=true policytype=ring
        debug ACL: 3 deny [bob@QPID] access queue name=q3
        debug ACL: 4 deny [bob@QPID] purge queue name=q3
        debug ACL: 5 deny [bob@QPID] delete queue name=q4
        debug ACL: 6 deny [bob@QPID] create queue name=q5 queuemaxsizeupperlimit=1000 queuemaxcountupperlimit=100
        debug ACL: 7 allow [*] *
        debug ACL: Load Rules
        debug ACL: Processing 7 allow [*] *
        debug ACL: FoundMode allow
        debug ACL: Processing 6 deny [bob@QPID] create queue name=q5 queuemaxsizeupperlimit=1000 queuemaxcountupperlimit=100
        debug ACL: Adding actions {create}
        to objects {queue}
        with props { name=q5 queuemaxsizeupperlimit=1000 queuemaxcountupperlimit=100 }
        for users {bob@QPID}
        debug ACL: Processing 5 deny [bob@QPID] delete queue name=q4
        debug ACL: Adding actions {delete}
        to objects {queue}
        with props { name=q4 }
        for users {bob@QPID}
        debug ACL: Processing 4 deny [bob@QPID] purge queue name=q3
        debug ACL: Adding actions {purge}
        to objects {queue}
        with props { name=q3 }
        for users {bob@QPID}
        debug ACL: Processing 3 deny [bob@QPID] access queue name=q3
        debug ACL: Adding actions {access}
        to objects {queue}
        with props { name=q3 }
        for users {bob@QPID}
        debug ACL: Processing 2 deny [bob@QPID] create queue name=q2 exclusive=true policytype=ring
        debug ACL: Adding actions {create}
        to objects {queue}
        with props { name=q2 exclusive=true policytype=ring }
        for users {bob@QPID}
        debug ACL: Processing 1 deny [bob@QPID] create queue name=q1 durable=true passive=true
        debug ACL: Adding actions {create}
        to objects {queue}
        with props { name=q1 durable=true passive=true }
        for users {bob@QPID}
        debug ACL: Found validator for property 'queuemaxsizeupperlimit'. values should be between 0 and 9223372036854775807
        debug ACL: Found validator for property 'queuemaxcountupperlimit'. values should be between 0 and 9223372036854775807
        debug ACL: Found validator for property 'policytype'. possible values are one of { 'ring' 'ring_strict' 'flow_to_disk' 'reject' }

        4b. New log lookup phase.

        debug ACL: Lookup for id:bob@QPID
        action:create
        objectType:queue
        name:q5
        with params { durable=false passive=false autodelete=false exclusive=true alternate= policytype= maxqueuesize=500 maxqueuecount=200 }
        debug ACL: checking rule [rule 1 ruleMode = deny props { name=q1 durable=true passive=true } ]
        debug ACL: lookup name 'q5' didn't match with rule name 'q1'
        debug ACL: checking rule [rule 2 ruleMode = deny props { name=q2 exclusive=true policytype=ring } ]
        debug ACL: lookup name 'q5' didn't match with rule name 'q2'
        debug ACL: checking rule [rule 6 ruleMode = deny props { name=q5 queuemaxsizeupperlimit=1000 queuemaxcountupperlimit=100 } ]
        debug ACL: lookup name 'q5' matched with rule name 'q5'
        debug ACL: Numeric greater-than comparison for property queuemaxsizeupperlimit (value given in lookup = 500, value give in rule = 1000 )
        debug ACL: Numeric greater-than comparison for property queuemaxcountupperlimit (value given in lookup = 200, value give in rule = 100 )
        debug ACL: Max limit exceeded for property 'queuemaxcountupperlimit'
        debug ACL: Successful match, the decision is:deny

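As an added example (not Qpid project code, and not the acl.py test), here is a small Python model of the rule logic the review request above describes, run over the description's rule sets [1], [3] and [4] and over the q5 lookup traced in the new log output; it treats the old maxqueuesize/maxqueuecount names as the UPPERLIMIT forms, as the new log shows for rule 6, and applies the LOWERLIMIT forms the same way. Assumed, because the page does not say: a request is denied when no rule matches, an argument the request does not set cannot violate a bound, and the line parser handles only the rule forms shown on this page.

```python
from dataclasses import dataclass, field

# *LIMIT keyword -> (queue_declare argument it bounds, kind of bound), spelled
# as in the new log output; the old names are aliases for the UPPERLIMIT forms.
LIMITS = {
    "queuemaxsizeupperlimit": ("qpid.max_size", "upper"),
    "queuemaxcountupperlimit": ("qpid.max_count", "upper"),
    "queuemaxsizelowerlimit": ("qpid.max_size", "lower"),
    "queuemaxcountlowerlimit": ("qpid.max_count", "lower"),
}
ALIASES = {"maxqueuesize": "queuemaxsizeupperlimit",
           "maxqueuecount": "queuemaxcountupperlimit"}


@dataclass
class Rule:
    number: int  # 1-based position in the ACL file, as in the new logs
    mode: str    # "allow" or "deny"
    user: str    # "all" or an id such as bob@QPID
    action: str  # "all", "create", "access", ...
    obj: str     # "all", "queue", ...
    props: dict = field(default_factory=dict)   # plain match criteria
    limits: dict = field(default_factory=dict)  # *LIMIT bounds, not criteria

def parse_acl(text):
    """Parse 'acl <allow|deny> <user> <action> [<object> [key=value ...]]'
    lines (simplified reader, assumption). Rules stay in file order; none is dropped."""
    rules = []
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] != "acl" or len(words) < 4:
            raise ValueError("unsupported ACL line: " + raw)
        props, limits = {}, {}
        for kv in words[5:]:
            key, _, value = kv.partition("=")
            key = ALIASES.get(key.lower(), key.lower())
            if key in LIMITS:
                limits[key] = int(value)
            else:
                props[key] = value.lower()
        rules.append(Rule(len(rules) + 1, words[1], words[2], words[3],
                          words[4] if len(words) > 4 else "all", props, limits))
    return rules

def limit_violated(rule, params):
    """True when a request value lies outside a *LIMIT bound of the rule. An
    absent argument cannot violate a bound (assumption; the page is silent)."""
    for key, bound in rule.limits.items():
        param, kind = LIMITS[key]
        if param in params:
            value = int(params[param])
            if (kind == "upper" and value > bound) or (kind == "lower" and value < bound):
                return True
    return False

def lookup(rules, user, action, obj, params=None, default="deny"):
    """Walk the rules top to bottom; the first whose user, action, object and
    plain properties all match decides. *LIMIT bounds are checked only on a
    matching allow rule, where a violation turns the decision into deny; on a
    deny rule they have no effect. Returns (decision, rule number), or
    (default, None) when nothing matched (default deny is an assumption)."""
    params = params or {}
    for r in rules:
        if r.user not in ("all", user) or r.action not in ("all", action):
            continue
        if r.obj not in ("all", obj):
            continue
        if any(str(params.get(k, "")).lower() != v for k, v in r.props.items()):
            continue
        if r.mode == "allow" and limit_violated(r, params):
            return "deny", r.number
        return r.mode, r.number
    return default, None

# Rule sets [1], [3], [4] from the description and the ACL file from the demo.
RULE_SET_1 = """acl allow bob@QPID create queue
acl deny bob@QPID create queue
acl allow all all"""
RULE_SET_3 = """acl allow bob create queue maxqueuesize=1000
acl allow bob create queue maxqueuesize=10000
acl deny bob all all"""
RULE_SET_4 = """acl deny bob create queue maxqueuesize=1000
acl allow bob all all"""
DEMO_ACL = """acl deny bob@QPID create queue name=q1 durable=true passive=true
acl deny bob@QPID create queue name=q2 exclusive=true policytype=ring
acl deny bob@QPID access queue name=q3
acl deny bob@QPID purge queue name=q3
acl deny bob@QPID delete queue name=q4
acl deny bob@QPID create queue name=q5 maxqueuesize=1000 maxqueuecount=100
acl allow all all"""

def demo():
    """The page's open questions, decided under the new logic."""
    q5 = {"name": "q5", "exclusive": True, "qpid.max_size": 500, "qpid.max_count": 200}
    return {
        "Q1 set[1] bob creates a queue": lookup(parse_acl(RULE_SET_1), "bob@QPID", "create", "queue"),
        "Q3 set[3] max_size=2000": lookup(parse_acl(RULE_SET_3), "bob", "create", "queue", {"qpid.max_size": 2000}),
        "Q4 set[4] max_size=500": lookup(parse_acl(RULE_SET_4), "bob", "create", "queue", {"qpid.max_size": 500}),
        "demo q5 size=500 count=200": lookup(parse_acl(DEMO_ACL), "bob@QPID", "create", "queue", q5),
    }
```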
        Chuck Rolke added a comment -

        Fixed with r1295730


          People

          • Assignee: Chuck Rolke
          • Reporter: Chuck Rolke