Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 899491 Details for
Bug 883866
[RFE]: Access control for QMF functionality should be improved
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
patch proposal (inital draft)
bz883866.patch (text/plain), 14.99 KB, created by
Pavel Moravec
on 2014-05-27 12:11:41 UTC
(
hide
)
Description:
patch proposal (inital draft)
Filename:
MIME Type:
Creator:
Pavel Moravec
Created:
2014-05-27 12:11:41 UTC
Size:
14.99 KB
patch
obsolete
>Index: cpp/src/qpid/broker/Queue.cpp >=================================================================== >--- cpp/src/qpid/broker/Queue.cpp (revision 1597555) >+++ cpp/src/qpid/broker/Queue.cpp (working copy) >@@ -21,6 +21,7 @@ > > #include "qpid/broker/Queue.h" > #include "qpid/broker/Broker.h" >+#include "qpid/broker/Connection.h" > #include "qpid/broker/AclModule.h" > #include "qpid/broker/QueueCursor.h" > #include "qpid/broker/QueueDepth.h" >@@ -73,6 +74,7 @@ > using qpid::management::ManagementObject; > using qpid::management::Manageable; > using qpid::management::Args; >+using qpid::management::getCurrentPublisher; > using std::string; > using std::for_each; > using std::mem_fun; >@@ -1392,12 +1394,19 @@ > Manageable::status_t Queue::ManagementMethod (uint32_t methodId, Args& args, string& etext) > { > Manageable::status_t status = Manageable::STATUS_UNKNOWN_METHOD; >+ AclModule* acl = broker->getAcl(); >+ std::string _userId = (getCurrentPublisher()?getCurrentPublisher()->getUserId():""); > > QPID_LOG (debug, "Queue::ManagementMethod [id=" << methodId << "]"); > > switch (methodId) { > case _qmf::Queue::METHOD_PURGE : > { >+ if ((acl)&&(!(acl->authorise(_userId, acl::ACT_PURGE, acl::OBJ_QUEUE, name, NULL)))) { >+ status = Manageable::STATUS_FORBIDDEN; >+ etext = "User " + _userId + " not authorized to purge from queue " + name; >+ break; >+ } > _qmf::ArgsQueuePurge& purgeArgs = (_qmf::ArgsQueuePurge&) args; > purge(purgeArgs.i_request, boost::shared_ptr<Exchange>(), &purgeArgs.i_filter); > status = Manageable::STATUS_OK; >@@ -1425,6 +1434,16 @@ > } > } > >+ if (acl) { >+ std::map<acl::Property, std::string> params; >+ params.insert(make_pair(acl::PROP_EXCHANGENAME, dest->getName())); >+ if (!acl->authorise(_userId, acl::ACT_REROUTE, acl::OBJ_QUEUE, name, ¶ms)) { >+ status = Manageable::STATUS_FORBIDDEN; >+ etext = "User " + _userId + " not authorized to reroute from queue " + name + " to exchange " + dest->getName(); >+ break; >+ } >+ } >+ > purge(rerouteArgs.i_request, dest, &rerouteArgs.i_filter); > status = Manageable::STATUS_OK; > } >Index: cpp/src/qpid/broker/Broker.h >=================================================================== >--- cpp/src/qpid/broker/Broker.h (revision 1597555) >+++ cpp/src/qpid/broker/Broker.h (working copy) >@@ -169,7 +169,7 @@ > const Connection* context); > Manageable::status_t setTimestampConfig(const bool receive, > const Connection* context); >- Manageable::status_t queueRedirect(const std::string& srcQueue, const std::string& tgtQueue); >+ Manageable::status_t queueRedirect(const std::string& srcQueue, const std::string& tgtQueue, const Connection* context); > void queueRedirectDestroy(boost::shared_ptr<Queue> srcQ, boost::shared_ptr<Queue> tgtQ, bool moveMsgs); > boost::shared_ptr<sys::Poller> poller; > std::auto_ptr<sys::Timer> timer; >@@ -291,11 +291,12 @@ > Return -1 if one of the queues does not exist, otherwise > the number of messages moved. > */ >- QPID_BROKER_EXTERN int32_t queueMoveMessages( >+ QPID_BROKER_EXTERN uint32_t queueMoveMessages( > const std::string& srcQueue, > const std::string& destQueue, > uint32_t qty, >- const qpid::types::Variant::Map& filter); >+ const qpid::types::Variant::Map& filter, >+ const Connection* context); > > QPID_BROKER_EXTERN const TransportInfo& getTransportInfo( > const std::string& name = TCP_TRANSPORT) const; >Index: cpp/src/qpid/broker/Broker.cpp >=================================================================== >--- cpp/src/qpid/broker/Broker.cpp (revision 1597555) >+++ cpp/src/qpid/broker/Broker.cpp (working copy) >@@ -544,10 +544,7 @@ > _qmf::ArgsBrokerQueueMoveMessages& moveArgs= > dynamic_cast<_qmf::ArgsBrokerQueueMoveMessages&>(args); > QPID_LOG (debug, "Broker::queueMoveMessages()"); >- if (queueMoveMessages(moveArgs.i_srcQueue, moveArgs.i_destQueue, moveArgs.i_qty, moveArgs.i_filter) >= 0) >- status = Manageable::STATUS_OK; >- else >- return Manageable::STATUS_PARAMETER_INVALID; >+ status = queueMoveMessages(moveArgs.i_srcQueue, moveArgs.i_destQueue, moveArgs.i_qty, moveArgs.i_filter, getCurrentPublisher()); > break; > } > case _qmf::Broker::METHOD_SETLOGLEVEL : >@@ -612,7 +609,7 @@ > string srcQueue(dynamic_cast<_qmf::ArgsBrokerQueueRedirect&>(args).i_sourceQueue); > string tgtQueue(dynamic_cast<_qmf::ArgsBrokerQueueRedirect&>(args).i_targetQueue); > QPID_LOG (debug, "Broker::queueRedirect source queue:" << srcQueue << " to target queue " << tgtQueue); >- status = queueRedirect(srcQueue, tgtQueue); >+ status = queueRedirect(srcQueue, tgtQueue, getCurrentPublisher()); > break; > } > default: >@@ -1088,7 +1085,8 @@ > > > Manageable::status_t Broker::queueRedirect(const std::string& srcQueue, >- const std::string& tgtQueue) >+ const std::string& tgtQueue, >+ const Connection* context) > { > Queue::shared_ptr srcQ(queues.find(srcQueue)); > if (!srcQ) { >@@ -1136,6 +1134,12 @@ > return Manageable::STATUS_USER; > } > >+ if (acl) { >+ std::map<acl::Property, std::string> params; >+ params.insert(make_pair(acl::PROP_QUEUENAME, tgtQ->getName())); >+ if (!acl->authorise((context)?context->getUserId():"", acl::ACT_REDIRECT, acl::OBJ_QUEUE, srcQ->getName(), ¶ms)) >+ return Manageable::STATUS_FORBIDDEN; >+ } > // Start the backup overflow partnership > srcQ->setRedirectPeer(tgtQ, true); > tgtQ->setRedirectPeer(srcQ, false); >@@ -1167,6 +1171,13 @@ > return Manageable::STATUS_USER; > } > >+ if (acl) { >+ std::map<acl::Property, std::string> params; >+ params.insert(make_pair(acl::PROP_QUEUENAME, tgtQ->getName())); >+ if (!acl->authorise((context)?context->getUserId():"", acl::ACT_REDIRECT, acl::OBJ_QUEUE, srcQ->getName(), ¶ms)) >+ return Manageable::STATUS_FORBIDDEN; >+ } >+ > queueRedirectDestroy(srcQ, tgtQ, true); > > return Manageable::STATUS_OK; >@@ -1260,20 +1271,29 @@ > else throw NoSuchTransportException(QPID_MSG("Unsupported transport type: " << transport)); > } > >-int32_t Broker::queueMoveMessages( >+uint32_t Broker::queueMoveMessages( > const std::string& srcQueue, > const std::string& destQueue, > uint32_t qty, >- const Variant::Map& filter) >+ const Variant::Map& filter, >+ const Connection* context) > { > Queue::shared_ptr src_queue = queues.find(srcQueue); > if (!src_queue) >- return -1; >+ return Manageable::STATUS_PARAMETER_INVALID; >+ > Queue::shared_ptr dest_queue = queues.find(destQueue); > if (!dest_queue) >- return -1; >+ return Manageable::STATUS_PARAMETER_INVALID; > >- return (int32_t) src_queue->move(dest_queue, qty, &filter); >+ if (acl) { >+ std::map<acl::Property, std::string> params; >+ params.insert(make_pair(acl::PROP_QUEUENAME, dest_queue->getName())); >+ if (!acl->authorise((context)?context->getUserId():"", acl::ACT_MOVE, acl::OBJ_QUEUE, src_queue->getName(), ¶ms)) >+ return Manageable::STATUS_FORBIDDEN; >+ } >+ src_queue->move(dest_queue, qty, &filter); >+ return Manageable::STATUS_OK; > } > > >Index: cpp/src/qpid/broker/AclModule.h >=================================================================== >--- cpp/src/qpid/broker/AclModule.h (revision 1597555) >+++ cpp/src/qpid/broker/AclModule.h (working copy) >@@ -61,6 +61,9 @@ > ACT_DELETE, > ACT_PURGE, > ACT_UPDATE, >+ ACT_MOVE, >+ ACT_REDIRECT, >+ ACT_REROUTE, > ACTIONSIZE }; // ACTIONSIZE must be last in list > > // Property used in ACL authorize interface >@@ -74,6 +77,7 @@ > PROP_TYPE, > PROP_ALTERNATE, > PROP_QUEUENAME, >+ PROP_EXCHANGENAME, > PROP_SCHEMAPACKAGE, > PROP_SCHEMACLASS, > PROP_POLICYTYPE, >@@ -100,6 +104,7 @@ > SPECPROP_TYPE = PROP_TYPE, > SPECPROP_ALTERNATE = PROP_ALTERNATE, > SPECPROP_QUEUENAME = PROP_QUEUENAME, >+ SPECPROP_EXCHANGENAME = PROP_EXCHANGENAME, > SPECPROP_SCHEMAPACKAGE = PROP_SCHEMAPACKAGE, > SPECPROP_SCHEMACLASS = PROP_SCHEMACLASS, > SPECPROP_POLICYTYPE = PROP_POLICYTYPE, >@@ -200,28 +205,34 @@ > return ""; > } > static inline Action getAction(const std::string& str) { >- if (str.compare("consume") == 0) return ACT_CONSUME; >- if (str.compare("publish") == 0) return ACT_PUBLISH; >- if (str.compare("create") == 0) return ACT_CREATE; >- if (str.compare("access") == 0) return ACT_ACCESS; >- if (str.compare("bind") == 0) return ACT_BIND; >- if (str.compare("unbind") == 0) return ACT_UNBIND; >- if (str.compare("delete") == 0) return ACT_DELETE; >- if (str.compare("purge") == 0) return ACT_PURGE; >- if (str.compare("update") == 0) return ACT_UPDATE; >+ if (str.compare("consume") == 0) return ACT_CONSUME; >+ if (str.compare("publish") == 0) return ACT_PUBLISH; >+ if (str.compare("create") == 0) return ACT_CREATE; >+ if (str.compare("access") == 0) return ACT_ACCESS; >+ if (str.compare("bind") == 0) return ACT_BIND; >+ if (str.compare("unbind") == 0) return ACT_UNBIND; >+ if (str.compare("delete") == 0) return ACT_DELETE; >+ if (str.compare("purge") == 0) return ACT_PURGE; >+ if (str.compare("update") == 0) return ACT_UPDATE; >+ if (str.compare("move") == 0) return ACT_MOVE; >+ if (str.compare("redirect") == 0) return ACT_REDIRECT; >+ if (str.compare("reroute") == 0) return ACT_REROUTE; > throw qpid::Exception(str); > } > static inline std::string getActionStr(const Action a) { > switch (a) { >- case ACT_CONSUME: return "consume"; >- case ACT_PUBLISH: return "publish"; >- case ACT_CREATE: return "create"; >- case ACT_ACCESS: return "access"; >- case ACT_BIND: return "bind"; >- case ACT_UNBIND: return "unbind"; >- case ACT_DELETE: return "delete"; >- case ACT_PURGE: return "purge"; >- case ACT_UPDATE: return "update"; >+ case ACT_CONSUME: return "consume"; >+ case ACT_PUBLISH: return "publish"; >+ case ACT_CREATE: return "create"; >+ case ACT_ACCESS: return "access"; >+ case ACT_BIND: return "bind"; >+ case ACT_UNBIND: return "unbind"; >+ case ACT_DELETE: return "delete"; >+ case ACT_PURGE: return "purge"; >+ case ACT_UPDATE: return "update"; >+ case ACT_MOVE: return "move"; >+ case ACT_REDIRECT: return "redirect"; >+ case ACT_REROUTE: return "reroute"; > default: assert(false); // should never get here > } > return ""; >@@ -236,6 +247,7 @@ > if (str.compare("type") == 0) return PROP_TYPE; > if (str.compare("alternate") == 0) return PROP_ALTERNATE; > if (str.compare("queuename") == 0) return PROP_QUEUENAME; >+ if (str.compare("exchangename") == 0) return PROP_EXCHANGENAME; > if (str.compare("schemapackage") == 0) return PROP_SCHEMAPACKAGE; > if (str.compare("schemaclass") == 0) return PROP_SCHEMACLASS; > if (str.compare("policytype") == 0) return PROP_POLICYTYPE; >@@ -259,6 +271,7 @@ > case PROP_TYPE: return "type"; > case PROP_ALTERNATE: return "alternate"; > case PROP_QUEUENAME: return "queuename"; >+ case PROP_EXCHANGENAME: return "exchangename"; > case PROP_SCHEMAPACKAGE: return "schemapackage"; > case PROP_SCHEMACLASS: return "schemaclass"; > case PROP_POLICYTYPE: return "policytype"; >@@ -283,6 +296,7 @@ > if (str.compare("type") == 0) return SPECPROP_TYPE; > if (str.compare("alternate") == 0) return SPECPROP_ALTERNATE; > if (str.compare("queuename") == 0) return SPECPROP_QUEUENAME; >+ if (str.compare("exchangename") == 0) return SPECPROP_EXCHANGENAME; > if (str.compare("schemapackage") == 0) return SPECPROP_SCHEMAPACKAGE; > if (str.compare("schemaclass") == 0) return SPECPROP_SCHEMACLASS; > if (str.compare("policytype") == 0) return SPECPROP_POLICYTYPE; >@@ -315,6 +329,7 @@ > case SPECPROP_TYPE: return "type"; > case SPECPROP_ALTERNATE: return "alternate"; > case SPECPROP_QUEUENAME: return "queuename"; >+ case SPECPROP_EXCHANGENAME: return "exchangename"; > case SPECPROP_SCHEMAPACKAGE: return "schemapackage"; > case SPECPROP_SCHEMACLASS: return "schemaclass"; > case SPECPROP_POLICYTYPE: return "policytype"; >@@ -413,12 +428,22 @@ > p4->insert(PROP_MAXQUEUESIZE); > p4->insert(PROP_MAXQUEUECOUNT); > >+ propSetPtr p5(new propSet); >+ p5->insert(PROP_QUEUENAME); >+ >+ propSetPtr p6(new propSet); >+ p6->insert(PROP_EXCHANGENAME); >+ >+ > actionMapPtr a1(new actionMap); >- a1->insert(actionPair(ACT_ACCESS, p0)); >- a1->insert(actionPair(ACT_CREATE, p4)); >- a1->insert(actionPair(ACT_PURGE, p0)); >- a1->insert(actionPair(ACT_DELETE, p0)); >- a1->insert(actionPair(ACT_CONSUME, p0)); >+ a1->insert(actionPair(ACT_ACCESS, p0)); >+ a1->insert(actionPair(ACT_CREATE, p4)); >+ a1->insert(actionPair(ACT_PURGE, p0)); >+ a1->insert(actionPair(ACT_DELETE, p0)); >+ a1->insert(actionPair(ACT_CONSUME, p0)); >+ a1->insert(actionPair(ACT_MOVE, p5)); >+ a1->insert(actionPair(ACT_REDIRECT, p5)); >+ a1->insert(actionPair(ACT_REROUTE, p6)); > > map->insert(objectPair(OBJ_QUEUE, a1)); > >@@ -431,12 +456,12 @@ > > // == Method == > >- propSetPtr p5(new propSet); >- p5->insert(PROP_SCHEMAPACKAGE); >- p5->insert(PROP_SCHEMACLASS); >+ propSetPtr p7(new propSet); >+ p7->insert(PROP_SCHEMAPACKAGE); >+ p7->insert(PROP_SCHEMACLASS); > > actionMapPtr a4(new actionMap); >- a4->insert(actionPair(ACT_ACCESS, p5)); >+ a4->insert(actionPair(ACT_ACCESS, p7)); > > map->insert(objectPair(OBJ_METHOD, a4)); > }
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=899491">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 883866
:
899491
|
902128