Uploaded image for project: 'Qpid'
  1. Qpid
  2. QPID-6544

[ACL] Python client demands unnecessary permission / performs unnecessary actions

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 0.22
    • Fix Version/s: None
    • Component/s: Python Client
    • Labels:
      None

      Description

      Description of problem:
      Python clients accesses both exchange and queue objects, even when the object types is specified. Thus demanding unnecessary ACL rules to be allowed.

      Steps to Reproduce:
      Scenario A (access)
      1. create acl:
      acl allow-log all access exchange
      acl deny-log all all
      2. send message to an amq.fanout
      /usr/share/doc/python-qpid-0.22/examples/api/spout -c 1 -b UserA/UserA@localhost:5672 "amq.fanout;{node:{type:topic}}"
      3. check qpidd log

      Scenario B (create)
      1. create acl:
      acl allow-log all access all
      acl allow-log all create queue
      acl deny-log all all
      2. create a queue using spout
      /usr/share/doc/python-qpid-0.22/examples/api/spout -c 1 -b UserA/UserA@localhost:5672 "q;{create:always, node:{type:queue}}"
      3. check qpidd log

      Scenario A
      Actual results:
      2014-07-28 10:45:07 [Security] info ACL Allow id:UserA@QPID action:access ObjectType:exchange Name:amq.fanout
      2014-07-28 10:45:07 [Security] info ACL Deny id:UserA@QPID action:access ObjectType:queue Name:amq.fanout

      Expected results:
      Scenario A: expected results should be just with "action:access" and no "action:publish", as publish is for queue object (and in our case, the message is discarded by the exchange due to no route/binding).

      Scenario B
      Actual results:
      2014-07-28 10:57:31 [Security] info ACL Allow id:UserA@QPID action:access ObjectType:exchange Name:q
      2014-07-28 10:57:31 [Security] info ACL Allow id:UserA@QPID action:access ObjectType:queue Name:q
      2014-07-28 10:57:31 [Security] info ACL Allow id:UserA@QPID action:create ObjectType:queue Name:q

      Expected results:
      2014-07-28 10:57:31 [Security] info ACL Allow id:UserA@QPID action:create ObjectType:queue Name:q

      Additional info:
      [A] it behaves the same for node/type:queue, querying the exchanges then queue.
      [B] when creating, client should request only 'create' action, same as C++

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              eallen Ernest Allen
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: