qpid already has some support for QMF methods & queries authorization. Many (or maybe all?) QMF methods call:

qpid/management/Manageable.cpp:
    bool Manageable::AuthorizeMethod(uint32_t, Args&, const std::string&)
    {
        return true;
    }

I suppose this is required:
- ensure the method is called by invoking any QMF method/query
- call ACL stuff from the AuthorizeMethod
- enhance ACLs according to QMF methods and their arguments
Created attachment 899491
patch proposal (initial draft)

Initial version of patch for the same. What is missing there:
- on ACL denial, provide better text than "Forbidden" (raise framing::UnauthorizedAccessException).
- add some automated tests

example acl file:
    acl deny all purge queue name=q
    acl deny all move queue name=q queuename=w
    acl deny all redirect queue name=q queuename=w
    acl deny all reroute queue name=q exchangename=amq.fanout
    acl deny all delete queue name=q
    acl allow all all

Chuck, would you be ok with this proposal, including naming? Thanks.
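A simplified model of how the example ACL file in the comment above would be evaluated, added here as an illustration and not taken from the patch or from qpid's own code. It assumes that the first matching rule decides, that properties match exactly, and that a request matching no rule is denied; the user name and request values are constructed.

```python
# Added illustration: simplified model of ACL evaluation, not qpid's own code.
# Assumptions: first matching rule decides, properties match exactly,
# and a request that matches no rule is denied.

# The example ACL file from the comment above.
ACL_TEXT = """\
acl deny all purge queue name=q
acl deny all move queue name=q queuename=w
acl deny all redirect queue name=q queuename=w
acl deny all reroute queue name=q exchangename=amq.fanout
acl deny all delete queue name=q
acl allow all all
"""

def parse_acl(text):
    """Parse 'acl <decision> <user> <action> [<object> [prop=value ...]]' lines."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if len(tokens) < 4 or tokens[0] != "acl" or tokens[1] not in ("allow", "deny"):
            raise ValueError(f"malformed rule: {line!r}")
        decision, user, action = tokens[1:4]
        obj = tokens[4] if len(tokens) > 4 else "all"
        props = dict(t.split("=", 1) for t in tokens[5:])
        rules.append((decision, user, action, obj, props))
    return rules

def authorize(rules, user, action, obj, props, default="deny"):
    """Return the decision of the first rule that matches the request."""
    for decision, r_user, r_action, r_obj, r_props in rules:
        if r_user not in ("all", user):
            continue
        if r_action not in ("all", action) or r_obj not in ("all", obj):
            continue
        # Every property named by the rule must be present and equal.
        if all(props.get(k) == v for k, v in r_props.items()):
            return decision
    return default

if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    # Constructed requests: (user, action, object, properties)
    for req in [("alice", "purge", "queue", {"name": "q"}),
                ("alice", "move", "queue", {"name": "q", "queuename": "w"}),
                ("alice", "move", "queue", {"name": "q", "queuename": "x"}),
                ("alice", "purge", "queue", {"name": "other"})]:
        print(req, "->", authorize(rules, *req))
```

In this model the `move` rule only blocks the q-to-w pair, so a rule meant to protect a queue against any move should name only the source queue, and dropping the final `acl allow all all` turns every unmatched request into a denial.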
The code looks good to me; the names are ok. The only thing it needs is a few tests added to qpid/cpp/src/tests/acl.py.
Created attachment 902128
Patch proposal

Patch proposal, including automated tests enhancement.

Automated tests depend on QPID-5797 / commit https://svn.apache.org/r1599221 (trivial change in qpid-tools). Fix in broker does _not_ depend on QPID-5797.

/me to post a patch for relevant 1101533 as well and send both to upstream for a review.
Upstream review request: https://reviews.apache.org/r/22606/
Committed as r1603364.
The QMF methods mentioned by Comment 8 were tested on RHEL6 i686 and x86_64 with the following packages:

qpid-java-client-0.30-3
qpid-cpp-client-devel-docs-0.30-4
qpid-cpp-client-devel-0.30-4
qpid-tools-0.30-3
qpid-cpp-server-linearstore-0.30-4
qpid-jca-0.22-2
qpid-jca-xarecovery-0.22-2
python-qpid-0.30-2
qpid-java-example-0.30-3
qpid-cpp-server-xml-0.30-4
qpid-proton-c-0.7-4
qpid-java-common-0.30-3
qpid-cpp-client-0.30-4
python-qpid-qmf-0.30-2
qpid-cpp-server-devel-0.30-4
qpid-cpp-debuginfo-0.30-4
qpid-qmf-0.30-2
qpid-cpp-server-0.30-4

ACL rules for the above-mentioned QMF methods work as expected, except for the following issues:
Bug 1173534
Bug 1173543

-> VERIFIED
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2015-0805.html