Uploaded image for project: 'Qpid'
  1. Qpid
  2. QPID-3931

x-qpid.cluster-update exchange existing but hidden

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.16
    • Fix Version/s: 0.17
    • Component/s: C++ Broker
    • Labels:
      None

      Description

      Description of problem:
      Having a broker in a cluster, it creates x-qpid.cluster-update fanout exchange
      via that it receives updates from an elder node. The problem is the exchange is
      still present after the update finishes, and moreover nothing lists the
      exchange (try qpid-config exchanges, qpid-tool, etc.).

      The exchange can be used for a regular message traffic - see reproducer for
      details.

      Note it is a security flaw also - having an exchange never listed, nowhere
      documented (BZ to be raised and linked), but able to be used. Constructing
      ACLs, one can easily miss it, e.g.

      Note that on qpid 0.10, the exchange is named qpid.cluster-update (without "x-"
      prefix).

      Version-Release number of selected component (if applicable):
      any (tried on qpid 0.12)

      How reproducible:
      100%

      Steps to Reproduce:
      1. Have 2 node cluster (brokers A and B)

      2. Start broker A, create a queue:
      qpid-config add queue testQueue

      3. Start broker B that will be updated from broker A

      4. Check in any way x-qpid.cluster-update exchange is not visible:
      qpid-config exchanges | grep x-qpid.cluster-update
      qpid-tool -> list exchange

      5. Create a binding from the exchange:
      qpid-config bind x-qpid.cluster-update testQueue

      6. Send some messages to the exchange:
      ./spout -c 10 x-qpid.cluster-update

      7. Check the queue gets the messages:
      qpid-stat -q

      Actual results:
      All steps succeed, step 7 shows the queue has 10 messages

      Expected results:
      Step 5 should fail with "no such exchange exists" error

        Attachments

          Activity

            People

            • Assignee:
              aconway Alan Conway
              Reporter:
              aconway Alan Conway
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: