QPID-5621

[C++ broker] userId is not passed to ACL when DIGEST-MD5 is used while creating link


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 0.24
    • Fix Version/s: 0.27
    • Component/s: C++ Broker
    • Labels: None

    Description

      Description of problem:

      With authentication enabled and a SASL mechanism that sends a challenge to the client (DIGEST-MD5 or similar), no username/id is passed into the ACL module when a federation link is created; the link rules for a particular username are therefore silently passed by with no match, and only the 'all' rules match.

      Reproducer:

      ###QPIDD.CONF
      auth=yes
      #acl-file=/var/lib/qpidd/fed.acl
      acl-file=/etc/qpid/fed.acl
      #acl-file=/etc/qpid/qpidd.acl

      log-to-file=/var/lib/qpidd/qpidd.log
      log-enable=info+
      log-enable=debug+:Acl

      data-dir=/var/lib/qpidd

      ###FED.ACL
      acl allow root@QPID all all

      acl deny all all

          1. Start two brokers with the above settings (one broker with a different port and data-dir).

      ###Creating regular link from 10000->5672
      qpid-route link add root/root@localhost:10000 root/root@localhost:5672 DIGEST-MD5

      Logs:
      ###DESTINATION QPIDD LOG (10000)
      2013-08-13 10:33:38 [Broker] info The Broker::connect() method will be removed in a future release of QPID. Please use the Broker::create() method with type='link' instead.
      2013-08-13 10:33:38 [Broker] info The Broker::connect() method will be removed in a future release of QPID. Please use the Broker::create() method with type='link' instead.
      2013-08-13 10:33:38 [System] info Connecting: [::1]:5672
      2013-08-13 10:33:38 [System] info Connecting: [::1]:5672
      2013-08-13 10:33:38 [Broker] info Inter-broker link connecting to localhost:5672
      2013-08-13 10:33:38 [Broker] info Inter-broker link connecting to localhost:5672
      2013-08-13 10:33:38 [Network] info Set TCP_NODELAY on connection to localhost:5672
      2013-08-13 10:33:38 [Network] info Set TCP_NODELAY on connection to localhost:5672
      2013-08-13 10:33:38 [Broker] info Inter-broker link established to localhost:5672
      2013-08-13 10:33:38 [Broker] info Inter-broker link established to localhost:5672
      2013-08-13 10:33:38 [Broker] warning Client closed connection with 320: ACL denied creating a federation link (.. ConnectionHandler.cpp:205)
      2013-08-13 10:33:38 [Broker] warning Client closed connection with 320: ACL denied creating a federation link (.. ConnectionHandler.cpp:205)
      2013-08-13 10:33:38 [Broker] info Inter-broker link disconnected from localhost:5672 Closed by peer
      2013-08-13 10:33:38 [Broker] info Inter-broker link disconnected from localhost:5672 Closed by peer

      ###SOURCE QPID LOG (5672)
      2013-08-13 10:33:26 [Broker] notice Shut down
      2013-08-13 10:33:26 [Store] notice Journal "TplStore": Destroyed
      2013-08-13 10:33:26 [Broker] info Management enabled
      2013-08-13 10:33:26 [Management] info ManagementAgent restored broker ID: 1e1f0ae9-a2e3-435c-8f5e-366d93dd69bf
      2013-08-13 10:33:26 [Broker] info Loaded protocol AMQP 1.0
      2013-08-13 10:33:26 [Store] notice Journal "TplStore": Created
      2013-08-13 10:33:26 [Store] notice Store module initialized; store-dir=/var/lib/qpidd
      2013-08-13 10:33:26 [Store] info > Default files per journal: 8
      2013-08-13 10:33:26 [Store] info > Default journal file size: 24 (wpgs)
      2013-08-13 10:33:26 [Store] info > Default write cache page size: 32 (KiB)
      2013-08-13 10:33:26 [Store] info > Default number of write cache pages: 32
      2013-08-13 10:33:26 [Store] info > TPL files per journal: 8
      2013-08-13 10:33:26 [Store] info > TPL journal file size: 24 (wpgs)
      2013-08-13 10:33:26 [Store] info > TPL write cache page size: 4 (KiB)
      2013-08-13 10:33:26 [Store] info > TPL number of write cache pages: 64
      2013-08-13 10:33:26 [Security] notice SSL plugin not enabled, you must set --ssl-cert-db to enable it.
      2013-08-13 10:33:26 [Broker] info Registered xml exchange
      2013-08-13 10:33:26 [Store] info Most recent persistence id found: 0x0
      2013-08-13 10:33:26 [Store] info Recovered exchange "amq.direct"
      2013-08-13 10:33:26 [Store] info Recovered exchange "amq.topic"
      2013-08-13 10:33:26 [Store] info Recovered exchange "amq.fanout"
      2013-08-13 10:33:26 [Store] info Recovered exchange "amq.match"
      2013-08-13 10:33:26 [Security] info SASL: config path set to /etc/sasl2
      2013-08-13 10:33:26 [Broker] info SASL enabled
      2013-08-13 10:33:26 [Network] info Listening to: 0.0.0.0:5672
      2013-08-13 10:33:26 [Network] info Listening to: [::]:5672
      2013-08-13 10:33:26 [Network] notice Listening on TCP/TCP6 port 5672
      2013-08-13 10:33:26 [Security] notice ACL: Read file "/etc/qpid/fed.acl"
      2013-08-13 10:33:26 [Security] debug ACL: Group list: 0 groups found:
      2013-08-13 10:33:26 [Security] debug ACL: name list: 2 names found:
      2013-08-13 10:33:26 [Security] debug ACL: * root@QPID
      2013-08-13 10:33:26 [Security] debug ACL: Rule list: 2 ACL rules found:
      2013-08-13 10:33:26 [Security] debug ACL: 1 allow [root@QPID] * *
      2013-08-13 10:33:26 [Security] debug ACL: 2 deny [*] *
      2013-08-13 10:33:26 [Security] debug ACL: connections quota: 0 rules found:
      2013-08-13 10:33:26 [Security] debug ACL: queues quota: 0 rules found:
      2013-08-13 10:33:26 [Security] debug ACL: Load Rules
      2013-08-13 10:33:26 [Security] debug ACL: Processing 2 deny [*] *
      2013-08-13 10:33:26 [Security] debug ACL: FoundMode deny
      2013-08-13 10:33:26 [Security] debug ACL: Processing 1 allow [root@QPID] * *
      2013-08-13 10:33:26 [Security] debug ACL: Adding actions {consume,publish,create,access,bind,unbind,delete,purge,update} to objects {queue,exchange,broker,link,method} with props { } for users {root@QPID}

      2013-08-13 10:33:26 [Security] debug ACL: Transfer ACL is Enabled!
      2013-08-13 10:33:26 [Security] info ACL Plugin loaded
      2013-08-13 10:33:26 [Store] info Enabling management instrumentation for the store.
      2013-08-13 10:33:26 [System] info Rdma: Disabled: no rdma devices found
      2013-08-13 10:33:26 [Broker] notice Broker running
      2013-08-13 10:33:38 [Network] info Set TCP_NODELAY on connection to [::1]:49312
      2013-08-13 10:33:38 [Security] info SASL: Mechanism list: DIGEST-MD5 ANONYMOUS PLAIN
      2013-08-13 10:33:38 [Security] info SASL: Starting authentication with mechanism: DIGEST-MD5
      2013-08-13 10:33:38 [Security] debug ACL: Lookup for id: action:create objectType:link name: with params { }
      2013-08-13 10:33:38 [Security] debug ACL: No successful match, defaulting to the decision mode deny

      Actual results:
      Link creation is denied because the user id is not passed to the ACL module.

      Expected results:
      The user id should be passed so that the ACL module can make the right decision.

      Additional info:
      The reason is that the ACL check for links is done after the connection.startOk AMQP method is received, while DIGEST-MD5 (and other auth methods) provide the userId later, during the connection.secureOk AMQP method.
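The ordering problem described in the report, as an added example that is not part of the issue or of the Qpid code base: a simplified model of the broker's SASL handshake and link ACL check, showing that a check performed at connection.start-ok sees an empty id for DIGEST-MD5 (and so matches only the 'all' rules), while the same check performed once authentication has completed sees root@QPID. The corrected ordering shown is the example's own, not the project's actual fix. Hypothetical simplifications: the ACL grammar covers only the rule shapes used in fed.acl above, the broker qualifies the SASL user name with the realm QPID, credential verification is omitted, and the sample log lines for the detection helper are constructed from the format in the report.

```python
"""Added example (not Qpid's own code): why an ACL check at connection.start-ok
fails for challenge mechanisms such as DIGEST-MD5, and the ordering that works.

Hypothetical simplifications: only the rule shapes from fed.acl are parsed
('acl allow <user> <action> <object>', 'acl deny all all'); the user name is
qualified with the realm QPID; PLAIN carries the identity in the start-ok
initial response, DIGEST-MD5 only in secure-ok; credentials are not verified.
"""
import re
from dataclasses import dataclass, field

# Constructed copy of the fed.acl from the report.
FED_ACL = """\
acl allow root@QPID all all

acl deny all all
"""

REALM = "QPID"  # assumed broker realm, as seen in the rule root@QPID


@dataclass
class Rule:
    permission: str  # "allow" or "deny"
    users: set       # "all" matches any id, including the empty one
    action: str
    obj: str


def parse_acl(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] != "acl" or len(parts) < 4:
            raise ValueError(f"unsupported ACL line: {line!r}")
        obj = parts[4] if len(parts) > 4 else "all"
        rules.append(Rule(parts[1], set(parts[2].split(",")), parts[3], obj))
    return rules


def acl_lookup(rules, user_id, action, obj):
    """First matching rule wins; no match falls back to deny, the mode the
    broker log reports ('defaulting to the decision mode deny')."""
    for r in rules:
        if (("all" in r.users or user_id in r.users)
                and r.action in ("all", action) and r.obj in ("all", obj)):
            return r.permission
    return "deny"


@dataclass
class Connection:
    mechanism: str
    user_id: str = ""  # empty until SASL has established an identity
    log: list = field(default_factory=list)


def start_ok(conn, user):
    """connection.start-ok: PLAIN carries the identity in the initial
    response; DIGEST-MD5 has sent nothing identifying at this point."""
    conn.log.append("connection.start-ok received")
    if conn.mechanism == "PLAIN":
        conn.user_id = f"{user}@{REALM}"


def secure_ok(conn, user):
    """connection.secure-ok: the client's answer to the server challenge.
    Only now does DIGEST-MD5 yield the authenticated user id."""
    conn.log.append("connection.secure-ok received")
    if conn.mechanism == "DIGEST-MD5":
        conn.user_id = f"{user}@{REALM}"


def check_link(rules, conn):
    decision = acl_lookup(rules, conn.user_id, "create", "link")
    conn.log.append(f"ACL: Lookup for id:{conn.user_id} action:create "
                    f"objectType:link -> {decision}")
    return decision


def create_link(rules, mechanism, user, check_at_start_ok):
    """Return (decision, user id the ACL saw). check_at_start_ok=True is the
    ordering the report describes; False waits for authentication to finish."""
    conn = Connection(mechanism)
    start_ok(conn, user)
    if check_at_start_ok:
        return check_link(rules, conn), conn.user_id
    if not conn.user_id:  # challenge mechanism: complete SASL first
        secure_ok(conn, user)
    return check_link(rules, conn), conn.user_id


# Constructed sample: line 1 is copied from the report's debug log, line 2 is
# the assumed form of the same lookup once a user id is present.
SAMPLE_LOG = """\
2013-08-13 10:33:38 [Security] debug ACL: Lookup for id: action:create objectType:link name: with params { }
2013-08-13 10:33:38 [Security] debug ACL: Lookup for id:root@QPID action:create objectType:link name: with params { }
"""
LOOKUP_RE = re.compile(r"ACL: Lookup for id:(\S*) action:(\w+) objectType:(\w+)")


def unauthenticated_lookups(log_text):
    """Detection over broker log lines: ACL lookups made with an empty id,
    the signature of an authorization check that ran before authentication."""
    return [m.group(2, 3) for m in LOOKUP_RE.finditer(log_text) if not m.group(1)]


if __name__ == "__main__":
    rules = parse_acl(FED_ACL)
    for mech in ("PLAIN", "DIGEST-MD5"):
        for at_start in (True, False):
            when = "check at start-ok" if at_start else "check after auth"
            print(mech, when, create_link(rules, mech, "root", at_start))
    print("lookups with empty id:", unauthenticated_lookups(SAMPLE_LOG))
```

Running it with the report's ACL shows PLAIN allowed under both orderings and DIGEST-MD5 denied only when the check runs at start-ok; `unauthenticated_lookups` can be pointed at a real qpidd log written with `log-enable=debug+:Acl` to find the same empty-id lookups.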

      People

        Assignee: Pavel Moravec (pmoravec)
        Reporter: Pavel Moravec (pmoravec)
        Votes: 0
        Watchers: 2