Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
0.31
-
None
Description
Description of problem:
Python clients accesses both exchange and queue objects, even when the object types is specified. Thus demanding unnecessary ACL rules to be allowed.
Version-Release number of selected component (if applicable):
python-qpid-0.22-15
How reproducible:
100%
Steps to Reproduce:
Scenario A (access)
1. create acl:
acl allow-log all access exchange
acl deny-log all all
2. send message to an amq.fanout
/usr/share/doc/python-qpid-0.22/examples/api/spout -c 1 -b UserA/UserA@localhost:5672 "amq.fanout;{node:{type:topic}}"
3. check qpidd log
Scenario B (create)
1. create acl:
acl allow-log access all
acl allow-log create queue
acl deny-log all all
2. create a queue using spout
/usr/share/doc/python-qpid-0.22/examples/api/spout -c 1 -b UserA/UserA@localhost:5672 "q;{create:always, node:{type:queue}}"
3. check qpidd log
Scenario A
Actual results:
2014-07-28 10:45:07 [Security] info ACL Allow id:UserA@QPID action:access ObjectType:exchange Name:amq.fanout
2014-07-28 10:45:07 [Security] info ACL Deny id:UserA@QPID action:access ObjectType:queue Name:amq.fanout
Expected results:
2014-07-28 10:45:07 [Security] info ACL Allow id:UserA@QPID action:access ObjectType:exchange Name:amq.fanout
2014-07-28 10:45:07 [Security] info ACL Deny id:UserA@QPID action:publish ObjectType:exchange Name:amq.fanout
Scenario B
Actual results:
2014-07-28 10:57:31 [Security] info ACL Allow id:UserA@QPID action:access ObjectType:exchange Name:q
2014-07-28 10:57:31 [Security] info ACL Allow id:UserA@QPID action:access ObjectType:queue Name:q
2014-07-28 10:57:31 [Security] info ACL Allow id:UserA@QPID action:create ObjectType:queue Name:q
Expected results:
2014-07-28 10:57:31 [Security] info ACL Allow id:UserA@QPID action:create ObjectType:queue Name:q
Additional info:
[A] it behaves the same for node/type:queue, querying the exchanges then queue.
[B] when creating, client should request only 'create' action, same as C++