Bug 1003661
| Summary: | User ID is not passed to ACL when DIGEST-MD5 is used while creating link | | |
|---|---|---|---|
| Product: | Red Hat Enterprise MRG | Reporter: | Zdenek Kraus <zkraus> |
| Component: | qpid-cpp | Assignee: | Pavel Moravec <pmoravec> |
| Status: | CLOSED ERRATA | QA Contact: | Zdenek Kraus <zkraus> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 3.0 | CC: | crolke, freznice, fweimer, jross, pmoravec |
| Target Milestone: | 3.1 | Keywords: | Patch, TestCaseProvided |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | qpid-cpp-0.30-2 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-04-14 13:47:01 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Zdenek Kraus
2013-09-02 15:08:21 UTC
It is not an ACL module issue, but rather an issue in the broker itself. The root cause is that the ACL for links is checked after getting the connection.startOk AMQP method, while DIGEST-MD5 (and other auth. methods) provide the userId later on, during the connection.secureOk AMQP method.

/me raised a review request on https://reviews.apache.org/r/18968/ as I have minor questions about the patch there.

FYI, I saw that the bug is also valid for the CRAM-MD5 (and I guess also for the GSSAPI and EXTERNAL/SSL) mechanisms.

My reproducer:

```
echo "acl allow guest@QPID all all
acl deny all all" > /root/qpidd.acl
killall qpidd
rm -rf _5672 _10000 qpidd.*.log
mkdir _5672 _10000
cp qpidd.sasldb _5672
cp qpidd.sasldb _10000
qpidd --port=5672 --acl-file=/root/qpidd.acl --auth=yes --log-to-file=qpidd.5672.log --trace --data-dir=_5672 --log-to-stdout=no --log-to-stderr=no --log-function=yes &
qpidd --port=10000 --acl-file=/root/qpidd.acl --auth=yes --log-to-file=qpidd.10000.log --trace --data-dir=_10000 --log-to-stdout=no --log-to-stderr=no &
sleep 2
qpid-route link add guest/guest@localhost:10000 guest/guest@localhost:5672
```

Committed revision 1576248.

Tested on RHEL 6.6 i686 and x86_64 with the following packages:

- python-qpid-0.30-3
- python-qpid-qmf-0.30-3
- qpid-cpp-client-0.30-5
- qpid-cpp-client-devel-0.30-5
- qpid-cpp-client-rdma-0.30-5
- qpid-cpp-debuginfo-0.30-5
- qpid-cpp-server-0.30-5
- qpid-cpp-server-devel-0.30-5
- qpid-cpp-server-ha-0.30-5
- qpid-cpp-server-linearstore-0.30-5
- qpid-cpp-server-rdma-0.30-5
- qpid-cpp-server-xml-0.30-5
- qpid-java-client-0.30-3
- qpid-java-common-0.30-3
- qpid-java-example-0.30-3
- qpid-jca-0.22-2
- qpid-jca-xarecovery-0.22-2
- qpid-proton-c-0.7-4
- qpid-qmf-0.30-3
- qpid-tools-0.30-3

The fix works as expected. -> VERIFIED

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-0805.html
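
The ordering problem named as the root cause above, as an added example that is not part of the original report and is not qpid-cpp code or the committed patch. It is a simplified model with hypothetical names (`Connection`, `aclAllowsLink`, `linkPassesAcl`); the deferred variant assumes the check can wait until the SASL exchange has produced a user ID.

```cpp
// Simplified model, not qpid-cpp code; every name here is hypothetical.
#include <iostream>
#include <string>

// The reproducer's ACL file: allow guest@QPID everything, deny everyone else.
bool aclAllowsLink(const std::string& userId) {
    return userId == "guest@QPID";
}

struct Connection {
    bool checkAtStartOk;   // true = ordering described in the report
    std::string userId;    // empty until the SASL exchange yields an identity
    bool checked;
    bool allowed;

    explicit Connection(bool early)
        : checkAtStartOk(early), checked(false), allowed(false) {}

    void runLinkAcl() { allowed = aclAllowsLink(userId); checked = true; }

    // connection.startOk: mechanism plus initial response. Challenge-response
    // mechanisms (DIGEST-MD5, CRAM-MD5) have not identified the user yet.
    void startOk(const std::string& identityIfKnown) {
        userId = identityIfKnown;
        if (checkAtStartOk || !userId.empty()) runLinkAcl();
    }

    // connection.secureOk: reply to the broker's challenge; user ID known now.
    void secureOk(const std::string& authenticatedId) {
        userId = authenticatedId;
        if (!checked) runLinkAcl();
    }
};

// Runs one handshake and reports whether link creation passed the ACL.
bool linkPassesAcl(bool checkAtStartOk, bool challengeResponse, const std::string& user) {
    Connection c(checkAtStartOk);
    c.startOk(challengeResponse ? "" : user);
    if (challengeResponse) c.secureOk(user);
    return c.allowed;
}

int main() {
    std::cout << "DIGEST-MD5, check at startOk: " << linkPassesAcl(true, true, "guest@QPID") << "\n";
    std::cout << "DIGEST-MD5, check after auth: " << linkPassesAcl(false, true, "guest@QPID") << "\n";
    return 0;
}
```

With the early check, the ACL sees an empty user ID and the `acl deny all all` rule matches even though `guest@QPID` is allowed; a user outside the allow rule is still denied when the check is deferred.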