
C++ Broker ACL connection management is incomplete


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 0.30
    • Fix Version/s: None
    • Component/s: C++ Broker
    • Labels: None

    Description

      ACL has allow and deny rules for connections. Rules specified for user all are treated specially: they are processed ahead of rules specified for named users or groups. The intent was to allow ACL to operate at the socket level. The all rules are applied immediately after the socket is accepted but before any AMQP traffic is read or written. These rules let the system deny connections from various addresses quickly and with a lower resource overhead.

      Currently the way the all rules are implemented is flawed: if an all rule is matched then it controls the connection decision. Consider these rules:

      acl allow-log all create connection host=$SOME_HOST
      acl deny-log bob@QPID create connection host=all

      When bob tries to connect from $SOME_HOST he is allowed: the all rule matches first and decides the connection, so the deny rule for bob is never consulted. With the current rule processing, the simple intent of this example (accept connections from $SOME_HOST, but never from bob) is almost impossible to achieve.

      I propose several changes to improve ACL connection control:

      • Socket-level rules are created explicitly with a new ACL object preconnection. User name all is no longer used for differentiating socket-level and user-level rules.
      • Preconnection rules must be specified for user all. User identities have not been negotiated yet and are unknown so specifying a user name here makes no sense. Only user all is allowed.
      • Preconnection rules may have a user all and host all mode specifier to control the connection action to take when no other socket-level rule matches.
      • Connection rules that specify user names are processed in addition to the preconnection rules. That is, a connection that matches a preconnection rule and is allowed at the socket level does not bypass the second set of rule checks, which determine whether an individual user may connect or not.
      • Connection rules may be specified with the all user and are processed after the user identity has been negotiated.

      The net result of this change is that there will be two sets of connection rules. The preconnection rules are processed in ACL-file-order to allow or deny the connection. If the connection is allowed then the AMQP protocol is allowed to start and negotiate AMQP version, encryption, and user identity. Then the connection rules are processed in ACL-file-order to further allow or deny the connection.
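      The following Python model is an added illustration and is not code from the Qpid broker. It evaluates the two rules quoted above under the current single-pass scheme, where a matching user all rule decides the connection outright, and then under the proposed two-phase scheme with a preconnection object. The host value, the four-rule proposed policy, the exact-string host matching and the no-match defaults (deny when no connection rule matches; proceed to the handshake when no preconnection rule matches) are assumptions made for the example.

```python
"""Two-phase connection ACL evaluation, modelled in Python.

Added example, not Qpid broker code.  It models the rule processing described
in QPID-6279: the current scheme, in which a matching user-"all" connection
rule decides the connection on its own, and the proposed scheme, in which
"preconnection" rules are checked at socket accept and "connection" rules are
checked again once the user identity is known.  Host matching is exact-string
or "all" only (a simplification) and the no-match defaults are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"; a "-log" suffix is accepted and dropped
    user: str     # "all" or a user name such as "bob@QPID"
    obj: str      # "connection" or (proposed) "preconnection"
    host: str     # "all" or one host address


def parse_acl(text: str) -> List[Rule]:
    """Parse 'acl <action> <user> create <object> [host=<h>]' lines in file order."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5 or parts[0] != "acl" or parts[3] != "create":
            raise ValueError(f"unsupported ACL line: {line!r}")
        action = parts[1][:-4] if parts[1].endswith("-log") else parts[1]
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action in: {line!r}")
        user, obj = parts[2], parts[4]
        if obj not in ("connection", "preconnection"):
            raise ValueError(f"unknown object in: {line!r}")
        props = dict(p.split("=", 1) for p in parts[5:])
        host = props.get("host", "all")
        # Proposed constraint: identities are unknown at socket accept, so a
        # preconnection rule that names a user is a configuration error.
        if obj == "preconnection" and user != "all":
            raise ValueError(f"preconnection rules must use user 'all': {line!r}")
        rules.append(Rule(action, user, obj, host))
    return rules


def _first_match(rules: List[Rule], user: str, host: str) -> Optional[str]:
    """Action of the first rule in file order whose user and host match, else None."""
    for r in rules:
        if r.user in ("all", user) and r.host in ("all", host):
            return r.action
    return None


def current_decision(rules: List[Rule], user: str, host: str,
                     default: str = "deny") -> Tuple[str, str]:
    """Rule processing as the issue describes it today.

    User-'all' connection rules run first, at socket level, and if one matches
    it decides the connection; named-user rules are consulted only otherwise.
    """
    all_rules = [r for r in rules if r.obj == "connection" and r.user == "all"]
    verdict = _first_match(all_rules, user, host)
    if verdict is not None:
        return verdict, "socket"              # the flaw: named rules never run
    named = [r for r in rules if r.obj == "connection" and r.user != "all"]
    verdict = _first_match(named, user, host)
    return (verdict, "user") if verdict is not None else (default, "default")


def proposed_decision(rules: List[Rule], user: str, host: str,
                      default: str = "deny") -> Tuple[str, str]:
    """Two-phase processing proposed in the issue.

    Phase 1, at socket accept: preconnection rules, host only.  A deny closes
    the socket before any AMQP traffic; otherwise (assumption) the handshake
    proceeds.  Phase 2, after authentication: every connection rule, named or
    'all', in file order; the first match decides.
    """
    pre = [r for r in rules if r.obj == "preconnection"]
    if _first_match(pre, "all", host) == "deny":
        return "deny", "preconnection"
    conn = [r for r in rules if r.obj == "connection"]
    verdict = _first_match(conn, user, host)
    return (verdict, "connection") if verdict is not None else (default, "default")


SOME_HOST = "10.0.0.5"   # constructed stand-in for $SOME_HOST in the issue text

# The two rules quoted in the issue, as written today.
CURRENT_ACL = f"""
acl allow-log all create connection host={SOME_HOST}
acl deny-log bob@QPID create connection host=all
"""

# The same intent expressed under the proposed scheme (constructed policy).
PROPOSED_ACL = f"""
acl allow-log all create preconnection host={SOME_HOST}
acl deny all create preconnection host=all   # catch-all: other hosts never reach AMQP
acl deny-log bob@QPID create connection host=all
acl allow all create connection host=all
"""

if __name__ == "__main__":
    cur, prop = parse_acl(CURRENT_ACL), parse_acl(PROPOSED_ACL)
    for user, host in [("bob@QPID", SOME_HOST), ("alice@QPID", SOME_HOST), ("bob@QPID", "192.0.2.7")]:
        print(f"{user:>10} from {host:<10} current={current_decision(cur, user, host)}"
              f" proposed={proposed_decision(prop, user, host)}")
```

      Running the block shows the mismatch the issue describes: under the current scheme bob from $SOME_HOST is allowed at socket level and his deny rule is never reached, while under the proposed scheme the preconnection allow only admits the socket and the connection-phase deny for bob still applies; a connection from any other host is refused before any AMQP traffic is exchanged.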

    People

      Assignee: Charles E. Rolke (chug)
      Reporter: Charles E. Rolke (chug)