Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 0.16
- None
Description
Description of problem:
A broker in a cluster creates the x-qpid.cluster-update fanout exchange,
via which it receives updates from an elder node. The problem is that the
exchange is still present after the update finishes, and moreover nothing lists
the exchange (try qpid-config exchanges, qpid-tool, etc.).
The exchange can be used for regular message traffic - see reproducer for
details.
Note it is also a security flaw - an exchange that is never listed and nowhere
documented (BZ to be raised and linked), but able to be used. Constructing
ACLs, one can easily miss it, e.g.
Note that on qpid 0.10, the exchange is named qpid.cluster-update (without "x-"
prefix).
Version-Release number of selected component (if applicable):
any (tried on qpid 0.12)
How reproducible:
100%
Steps to Reproduce:
1. Have a 2-node cluster (brokers A and B)
2. Start broker A, create a queue:
qpid-config add queue testQueue
3. Start broker B that will be updated from broker A
4. Check in any way that the x-qpid.cluster-update exchange is not visible:
qpid-config exchanges | grep x-qpid.cluster-update
qpid-tool -> list exchange
5. Create a binding from the exchange:
qpid-config bind x-qpid.cluster-update testQueue
6. Send some messages to the exchange:
./spout -c 10 x-qpid.cluster-update
7. Check the queue gets the messages:
qpid-stat -q
Actual results:
All steps succeed; step 7 shows the queue has 10 messages
Expected results:
Step 5 should fail with "no such exchange exists" error
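
The ACL concern raised in the description can be checked offline. The following is an added example, not part of the original report or of the Qpid code base: a simplified model of ACL rule evaluation (first match wins, no match means deny, only the `name` property is evaluated, all of which are assumptions of this sketch) that reports whether a non-admin user could bind or publish to the unlisted exchange. The two ACL files and the user names are constructed for illustration.

```python
import fnmatch

HIDDEN = ("x-qpid.cluster-update", "qpid.cluster-update")  # names from the report

def parse_acl(text):
    """Parse 'acl <allow|deny> <who> <action> [<object> [k=v ...]]' lines."""
    rules = []
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 4 or tok[0] != "acl":
            continue  # blanks, comments, group definitions
        rules.append({"allow": tok[1].startswith("allow"), "who": tok[2],
                      "action": tok[3], "object": tok[4] if len(tok) > 4 else "all",
                      "props": dict(p.split("=", 1) for p in tok[5:])})
    return rules

def decide(rules, user, action, obj, name):
    """Simplified model: first match wins, no match means deny (assumption)."""
    for r in rules:
        if (r["who"] not in ("all", user) or r["action"] not in ("all", action)
                or r["object"] not in ("all", obj)):
            continue
        pat = r["props"].get("name")
        if pat is not None and not fnmatch.fnmatchcase(name, pat):
            continue
        # Only name= is evaluated; a deny rule with other properties is not trusted.
        if not r["allow"] and set(r["props"]) - {"name"}:
            continue
        return r["allow"]
    return False

def exposed(acl_text, user):
    """Return (action, exchange) pairs the user may perform on HIDDEN names."""
    rules = parse_acl(acl_text)
    return sorted((a, n) for a in ("bind", "publish") for n in HIDDEN
                  if decide(rules, user, a, "exchange", n))

# Constructed ACLs: a denylist of the exchanges an admin can see vs. an allowlist.
WEAK = """acl allow admin@QPID all
acl deny all publish exchange name=amq.*
acl deny all bind exchange name=amq.*
acl allow all all"""
HARDENED = """acl allow admin@QPID all
acl allow all publish exchange name=amq.direct
acl allow all bind exchange name=amq.direct
acl deny all all"""

if __name__ == "__main__":
    print("weak:", exposed(WEAK, "guest@QPID"), "hardened:", exposed(HARDENED, "guest@QPID"))
```

An ACL that denies only the exchanges visible in listings and then falls through to an allow rule leaves the unlisted exchange usable; an allowlist ending in a deny rule does not depend on knowing the exchange exists.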