1049833 – [RFE]: Allowing users to connect only from selected IP addresses

Bug 1049833 - [RFE]: Allowing users to connect only from selected IP addresses

Summary: [RFE]: Allowing users to connect only from selected IP addresses

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise MRG
Classification:	Red Hat
Component:	qpid-cpp
Sub Component:
Version:	3.0
Hardware:	All
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	3.1
Target Release:	---
Assignee:	Chuck Rolke
QA Contact:	Michal Toth
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	964191 (view as bug list)
Depends On:
Blocks:	785156
TreeView+	depends on / blocked

Reported:	2014-01-08 10:28 UTC by Pavel Moravec
Modified:	2019-07-11 07:50 UTC (History)
CC List:	6 users (show)
Fixed In Version:	qpid-cpp-0.30-2
Doc Type:	Enhancement
Doc Text:	System administrators want to restrict the hosts from which users are allowed to connect. For example, an internal broker may be locked down so that engineering and finance users may only connect from hosts in the engineering and finance subnets respectively. ACL limits are added to allow or deny users from connecting from individual hosts as specified by IP address. Brokers can now prevent connections from any internet host. Brokers may improve performance, and will improve security by specifying which users can log in from which hosts. See "Connection Limits by Host Name" in http://qpid.apache.org/releases/qpid-0.30/cpp-broker/book/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Security-Authorization
Clone Of:
Environment:
Last Closed:	2015-04-14 13:47:15 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Apache JIRA	QPID-4947	None	None	None	Never
Red Hat Knowledge Base (Solution)	1194913	None	None	None	Never
Red Hat Product Errata	RHEA-2015:0805	normal	SHIPPED_LIVE	Red Hat Enterprise MRG Messaging 3.1 Release	2015-04-14 17:45:54 UTC

Comment 1 Justin Ross 2014-06-23 13:24:27 UTC

*** Bug 964191 has been marked as a duplicate of this bug. ***

Comment 2 Chuck Rolke 2014-07-24 14:50:56 UTC

This feature is committed upstream in various pieces as listed here. IP address connection control is mixed in with some other refactoring and three pieces probably need to go together.

QPID-4123 - ACL creates too many rules
QPID-4947 - ACL needs to control IP addresses (this bz)
QPID-5890 - ACL compiles static code dozens of times (needs refactor)

The commits of interest are:

commit   QPID QPID QPID Description
number   4123 4947 5890 
======== ==== ==== ==== ==========
1612874   XX   XX   XX  Use refactored PropertyDefs to qualify rules
                        Better document how ACL works
                        Improve startup logging
1611776        XX       Bugfix - strip IPv6 decoration on incoming connection
1611409        XX       Get rid of boost::make_shared RHEL5 failure
1611059        XX       Self test - detect if no IPv6 is present
1610992        XX       Self test fails if no IPv6. no-op the test
1610874        XX       Land QPID-4947 functionality
1610700             XX  Add missing properties, reorganize
1610697             XX  Add missing properties
1610681        XX   XX  Document keyword host=all
1610547        XX   XX  Update documentation
                        Adds CREATE CONNECTION description
1610195             XX  Remove old unused validationMap
1609900             XX  Improve Acl.cpp selftest
1609828             XX  Refactor
1609728             XX  Refactor - adds AclLexer

Comment 6 Chuck Rolke 2014-12-11 15:51:55 UTC

See section 1.5.2.3. ACL Rule Matching in http://qpid.apache.org/releases/qpid-0.30/cpp-broker/book/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Authorization-Specifying_ACL_Quotas

ACL rules are processed in order from the top of the file. The first matching rule controls the ACL decision even if there are subsequent rules that would render a different decision. In the given ACL file:

$ cat /etc/qpid/qpidd.acl
acl allow-log all create connection host=$IP_ALLOWED
acl deny-log UserC@QPID create connection host=all
# Default rule
acl allow all all
acl deny-log all create connection host=all

The first rule allows anyone to connect from host=$IP_ALLOWED, even UserC. To get the behavior you expect you must swap the first two rows of the ACL file so that UserC is denied in a rule processed before a rule in which UserC is allowed.

$ cat /etc/qpid/qpidd.acl
acl deny-log UserC@QPID create connection host=all
acl allow-log all create connection host=$IP_ALLOWED
acl deny-log all create connection host=all
# Default rule
acl allow all all

Also, default rules are supposed to be the last rule in the ACL file.

Comment 20 errata-xmlrpc 2015-04-14 13:47:15 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-0805.html

Note You need to log in before you can comment on or make changes to this bug.