Bug 1003661

Summary: User ID is not passed to ACL when DIGEST-MD5 is used while creating link
Product: Red Hat Enterprise MRG Reporter: Zdenek Kraus <zkraus>
Component: qpid-cppAssignee: Pavel Moravec <pmoravec>
Status: CLOSED ERRATA QA Contact: Zdenek Kraus <zkraus>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.0CC: crolke, freznice, fweimer, jross, pmoravec
Target Milestone: 3.1Keywords: Patch, TestCaseProvided
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: qpid-cpp-0.30-2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-04-14 13:47:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Zdenek Kraus 2013-09-02 15:08:21 UTC 
Description of problem:

With authentication enabled, when creating a federation link there is no username/id passed into the ACL module, thus the link rules with particular username are silently passed by with no match, only matching are the 'all' rules.

#two brokers, second on port 10000 only as the originator of the link
qpidd --data-dir=/tmp/qpidd-$$-$RANDOM --port=10000 --log-to-file=/tmp/originator_qpid.log 

###QPIDD.CONF
auth=yes
#acl-file=/var/lib/qpidd/fed.acl
acl-file=/etc/qpid/fed.acl
#acl-file=/etc/qpid/qpidd.acl

log-to-file=/var/lib/qpidd/qpidd.log
log-enable=info+
log-enable=debug+:Acl

data-dir=/var/lib/qpidd


###FED.ACL
acl allow root@QPID all all

acl deny all all


##Creating regular link from 10000->5672
qpid-route link add root/root@localhost:10000 root/root@localhost:5672


###DESTINATION QPIDD LOG (10000)
2013-08-13 10:33:38 [Broker] info The Broker::connect() method will be removed in a future release of QPID. Please use the Broker::create() method with type='link' instead.
2013-08-13 10:33:38 [Broker] info The Broker::connect() method will be removed in a future release of QPID. Please use the Broker::create() method with type='link' instead.
2013-08-13 10:33:38 [System] info Connecting: [::1]:5672
2013-08-13 10:33:38 [System] info Connecting: [::1]:5672
2013-08-13 10:33:38 [Broker] info Inter-broker link connecting to localhost:5672
2013-08-13 10:33:38 [Broker] info Inter-broker link connecting to localhost:5672
2013-08-13 10:33:38 [Network] info Set TCP_NODELAY on connection to localhost:5672
2013-08-13 10:33:38 [Network] info Set TCP_NODELAY on connection to localhost:5672
2013-08-13 10:33:38 [Broker] info Inter-broker link established to localhost:5672
2013-08-13 10:33:38 [Broker] info Inter-broker link established to localhost:5672
2013-08-13 10:33:38 [Broker] warning Client closed connection with 320: ACL denied  creating a federation link (/builddir/build/BUILD/qpid-0.22/cpp/src/qpid/broker/ConnectionHandler.cpp:205)
2013-08-13 10:33:38 [Broker] warning Client closed connection with 320: ACL denied  creating a federation link (/builddir/build/BUILD/qpid-0.22/cpp/src/qpid/broker/ConnectionHandler.cpp:205)
2013-08-13 10:33:38 [Broker] info Inter-broker link disconnected from localhost:5672 Closed by peer
2013-08-13 10:33:38 [Broker] info Inter-broker link disconnected from localhost:5672 Closed by peer


###SOURCE QPID LOG (5672)
2013-08-13 10:33:26 [Broker] notice Shut down
2013-08-13 10:33:26 [Store] notice Journal "TplStore": Destroyed
2013-08-13 10:33:26 [Broker] info Management enabled
2013-08-13 10:33:26 [Management] info ManagementAgent restored broker ID: 1e1f0ae9-a2e3-435c-8f5e-366d93dd69bf
2013-08-13 10:33:26 [Broker] info Loaded protocol AMQP 1.0
2013-08-13 10:33:26 [Store] notice Journal "TplStore": Created
2013-08-13 10:33:26 [Store] notice Store module initialized; store-dir=/var/lib/qpidd
2013-08-13 10:33:26 [Store] info > Default files per journal: 8
2013-08-13 10:33:26 [Store] info > Default journal file size: 24 (wpgs)
2013-08-13 10:33:26 [Store] info > Default write cache page size: 32 (KiB)
2013-08-13 10:33:26 [Store] info > Default number of write cache pages: 32
2013-08-13 10:33:26 [Store] info > TPL files per journal: 8
2013-08-13 10:33:26 [Store] info > TPL journal file size: 24 (wpgs)
2013-08-13 10:33:26 [Store] info > TPL write cache page size: 4 (KiB)
2013-08-13 10:33:26 [Store] info > TPL number of write cache pages: 64
2013-08-13 10:33:26 [Security] notice SSL plugin not enabled, you must set --ssl-cert-db to enable it.
2013-08-13 10:33:26 [Broker] info Registered xml exchange
2013-08-13 10:33:26 [Store] info Most recent persistence id found: 0x0
2013-08-13 10:33:26 [Store] info Recovered exchange "amq.direct"
2013-08-13 10:33:26 [Store] info Recovered exchange "amq.topic"
2013-08-13 10:33:26 [Store] info Recovered exchange "amq.fanout"
2013-08-13 10:33:26 [Store] info Recovered exchange "amq.match"
2013-08-13 10:33:26 [Security] info SASL: config path set to /etc/sasl2
2013-08-13 10:33:26 [Broker] info SASL enabled
2013-08-13 10:33:26 [Network] info Listening to: 0.0.0.0:5672
2013-08-13 10:33:26 [Network] info Listening to: [::]:5672
2013-08-13 10:33:26 [Network] notice Listening on TCP/TCP6 port 5672
2013-08-13 10:33:26 [Security] notice ACL: Read file "/etc/qpid/fed.acl"
2013-08-13 10:33:26 [Security] debug ACL: Group list: 0 groups found:
2013-08-13 10:33:26 [Security] debug ACL: name list: 2 names found:
2013-08-13 10:33:26 [Security] debug ACL:  * root@QPID
2013-08-13 10:33:26 [Security] debug ACL: Rule list: 2 ACL rules found:
2013-08-13 10:33:26 [Security] debug ACL:    1 allow [root@QPID] * *
2013-08-13 10:33:26 [Security] debug ACL:    2 deny [*] *
2013-08-13 10:33:26 [Security] debug ACL: connections quota: 0 rules found:
2013-08-13 10:33:26 [Security] debug ACL: queues quota: 0 rules found:
2013-08-13 10:33:26 [Security] debug ACL: Load Rules
2013-08-13 10:33:26 [Security] debug ACL: Processing  2 deny [*] *
2013-08-13 10:33:26 [Security] debug ACL: FoundMode deny
2013-08-13 10:33:26 [Security] debug ACL: Processing  1 allow [root@QPID] * *
2013-08-13 10:33:26 [Security] debug ACL: Adding actions {consume,publish,create,access,bind,unbind,delete,purge,update} to objects {queue,exchange,broker,link,method} with props { } for users {root@QPID}
2013-08-13 10:33:26 [Security] debug ACL: Transfer ACL is Enabled!
2013-08-13 10:33:26 [Security] info ACL Plugin loaded
2013-08-13 10:33:26 [Store] info Enabling management instrumentation for the store.
2013-08-13 10:33:26 [System] info Rdma: Disabled: no rdma devices found
2013-08-13 10:33:26 [Broker] notice Broker running
2013-08-13 10:33:38 [Network] info Set TCP_NODELAY on connection to [::1]:49312
2013-08-13 10:33:38 [Security] info SASL: Mechanism list: DIGEST-MD5 ANONYMOUS PLAIN
2013-08-13 10:33:38 [Security] info SASL: Starting authentication with mechanism: DIGEST-MD5
2013-08-13 10:33:38 [Security] debug ACL: Lookup for id: action:create objectType:link name: with params { }
2013-08-13 10:33:38 [Security] debug ACL: No successful match, defaulting to the decision mode deny

Works just fine with other auth methods.


Version-Release number of selected component (if applicable):
qpid-cpp-0.22-10
qpid-cpp-0.22-7


How reproducible:
100%

Steps to Reproduce:
1. ACL
acl allow root@QPID all all

acl deny all all

2. start 2 brokers

3. create regular authenticated link between them using digest-md5
qpid-route link add root/root@localhost:10000 root/root@localhost:5672 DIGEST-MD5

Actual results:
link creation is denied because user id is not passed to ACL module

Expected results:
user id should be passed to let ACL module make the right decision

Additional info:
Comment 1 Pavel Moravec 2014-03-10 14:21:48 UTC 
It is not ACL module issue, but rather broker itself one. 

The root cause is because ACL for links is checked after getting connection.startOk AMQP method. While DIGEST-MD5 (and other auth.methods) provide userId later on - during connection.secureOk AMQP method.

/me raised review request on https://reviews.apache.org/r/18968/ as I have minor questions about the patch there.
Comment 2 Pavel Moravec 2014-03-10 14:32:34 UTC 
FYI I saw the bug be valid also for CRAM-MD5 (and I guess also for GSSAPI and EXTERNAL/SSL) mechanisms.


My reproducer:


echo "acl allow guest@QPID all all

acl deny all all" > /root/qpidd.acl


killall qpidd
rm -rf _5672 _10000 qpidd.*.log
mkdir _5672 _10000
cp qpidd.sasldb _5672
cp qpidd.sasldb _10000
qpidd --port=5672 --acl-file=/root/qpidd.acl --auth=yes --log-to-file=qpidd.5672.log --trace --data-dir=_5672 --log-to-stdout=no --log-to-stderr=no --log-function=yes &
qpidd --port=10000 --acl-file=/root/qpidd.acl --auth=yes --log-to-file=qpidd.10000.log --trace --data-dir=_10000 --log-to-stdout=no --log-to-stderr=no &

sleep 2
qpid-route link add guest/guest@localhost:10000 guest/guest@localhost:5672
Comment 3 Pavel Moravec 2014-03-11 09:41:40 UTC 
Committed revision 1576248.
Comment 5 Zdenek Kraus 2015-01-12 11:50:05 UTC 
tested on RHEL 6.6 i686 and x86_64 with following packages:
python-qpid-0.30-3
python-qpid-qmf-0.30-3
qpid-cpp-client-0.30-5
qpid-cpp-client-devel-0.30-5
qpid-cpp-client-rdma-0.30-5
qpid-cpp-debuginfo-0.30-5
qpid-cpp-server-0.30-5
qpid-cpp-server-devel-0.30-5
qpid-cpp-server-ha-0.30-5
qpid-cpp-server-linearstore-0.30-5
qpid-cpp-server-rdma-0.30-5
qpid-cpp-server-xml-0.30-5
qpid-java-client-0.30-3
qpid-java-common-0.30-3
qpid-java-example-0.30-3
qpid-jca-0.22-2
qpid-jca-xarecovery-0.22-2
qpid-proton-c-0.7-4
qpid-qmf-0.30-3
qpid-tools-0.30-3

fix works as expected.
->VERIFIED
Comment 7 errata-xmlrpc 2015-04-14 13:47:01 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-0805.html