*** Bug 964191 has been marked as a duplicate of this bug. ***
This feature is committed upstream in various pieces as listed here. IP address connection control is mixed in with some other refactoring, and three pieces probably need to go together:

QPID-4123 - ACL creates too many rules
QPID-4947 - ACL needs to control IP addresses (this bz)
QPID-5890 - ACL compiles static code dozens of times (needs refactor)

The commits of interest are (columns: commit number; XX marks against QPID-4123, QPID-4947, QPID-5890; description):

1612874  XX XX XX  Use refactored PropertyDefs to qualify rules. Better document how ACL works. Improve startup logging
1611776  XX  Bugfix - strip IPv6 decoration on incoming connection
1611409  XX  Get rid of boost::make_shared RHEL5 failure
1611059  XX  Self test - detect if no IPv6 is present
1610992  XX  Self test fails if no IPv6. no-op the test
1610874  XX  Land QPID-4947 functionality
1610700  XX  Add missing properties, reorganize
1610697  XX  Add missing properties
1610681  XX XX  Document keyword host=all
1610547  XX XX  Update documentation. Adds CREATE CONNECTION description
1610195  XX  Remove old unused validationMap
1609900  XX  Improve Acl.cpp selftest
1609828  XX  Refactor
1609728  XX  Refactor - adds AclLexer
See section 1.5.2.3. ACL Rule Matching in http://qpid.apache.org/releases/qpid-0.30/cpp-broker/book/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Authorization-Specifying_ACL_Quotas

ACL rules are processed in order from the top of the file. The first matching rule controls the ACL decision even if there are subsequent rules that would render a different decision.

In the given ACL file:

$ cat /etc/qpid/qpidd.acl
acl allow-log all create connection host=$IP_ALLOWED
acl deny-log UserC@QPID create connection host=all
# Default rule
acl allow all all
acl deny-log all create connection host=all

The first rule allows anyone to connect from host=$IP_ALLOWED, even UserC. To get the behavior you expect you must swap the first two rows of the ACL file so that UserC is denied in a rule processed before a rule in which UserC is allowed.

$ cat /etc/qpid/qpidd.acl
acl deny-log UserC@QPID create connection host=all
acl allow-log all create connection host=$IP_ALLOWED
acl deny-log all create connection host=all
# Default rule
acl allow all all

Also, default rules are supposed to be the last rule in the ACL file.
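The first-match behaviour described in the comment above, as an added example (not Qpid's own ACL engine): a small evaluator for the two qpidd.acl listings, with 192.0.2.10 standing in for $IP_ALLOWED, 198.51.100.7 as a constructed other host and UserA@QPID as a constructed second user. It shows the original ordering admitting UserC@QPID, the swapped ordering denying it, and that the trailing deny placed after `acl allow all all` is never reached.

```python
IP_ALLOWED = "192.0.2.10"   # constructed placeholder standing in for $IP_ALLOWED
OTHER_IP = "198.51.100.7"   # constructed: a host that is not $IP_ALLOWED

# The two ACL files from the comment above, with $IP_ALLOWED substituted.
ORIGINAL_ACL = f"""acl allow-log all create connection host={IP_ALLOWED}
acl deny-log UserC@QPID create connection host=all
# Default rule
acl allow all all
acl deny-log all create connection host=all
"""
FIXED_ACL = f"""acl deny-log UserC@QPID create connection host=all
acl allow-log all create connection host={IP_ALLOWED}
acl deny-log all create connection host=all
# Default rule
acl allow all all
"""

def parse_acl(text):
    """Parse 'acl <verb> <user|all> [<action|all> [<object|all> [host=<ip|all>]]]'.
    Only the subset of the qpidd.acl grammar used in this bug is modelled."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] != "acl" or parts[1] not in (
                "allow", "allow-log", "deny", "deny-log"):
            raise ValueError(f"unsupported ACL line: {raw!r}")
        props = dict(p.split("=", 1) for p in parts[5:])
        rules.append({"allow": parts[1].startswith("allow"), "user": parts[2],
                      "action": parts[3] if len(parts) > 3 else "all",
                      "object": parts[4] if len(parts) > 4 else "all",
                      "host": props.get("host", "all")})
    return rules

def decide(rules, user, action, obj, host):
    """Return (decision, index of the first matching rule). Later rules are never
    consulted; a request matching no rule at all is modelled here as denied."""
    for i, r in enumerate(rules):
        if r["user"] not in ("all", user) or r["action"] not in ("all", action):
            continue
        if r["object"] not in ("all", obj) or r["host"] not in ("all", host):
            continue
        return ("allow" if r["allow"] else "deny", i)
    return ("deny", None)
```

Calling `decide(parse_acl(ORIGINAL_ACL), "UserC@QPID", "create", "connection", IP_ALLOWED)` returns `("allow", 0)`; with `FIXED_ACL` the same request returns `("deny", 0)`.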
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2015-0805.html