Bug 1049833

Summary: [RFE]: Allowing users to connect only from selected IP addresses
Product: Red Hat Enterprise MRG
Reporter: Pavel Moravec <pmoravec>
Component: qpid-cpp
Assignee: Chuck Rolke <crolke>
Status: CLOSED ERRATA
QA Contact: Michal Toth <mtoth>
Severity: medium
Docs Contact:
Priority: high
Version: 3.0
CC: crolke, jross, mtoth, rrajasek, sauchter, zkraus
Target Milestone: 3.1
Keywords: Documentation, FutureFeature, Triaged
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: qpid-cpp-0.30-2
Doc Type: Enhancement
Doc Text:
System administrators want to restrict the hosts from which users are allowed to connect. For example, an internal broker may be locked down so that engineering and finance users may only connect from hosts in the engineering and finance subnets respectively. ACL limits are added to allow or deny users from connecting from individual hosts as specified by IP address. Brokers can now prevent connections from any internet host. Brokers may improve performance, and will improve security by specifying which users can log in from which hosts. See "Connection Limits by Host Name" in http://qpid.apache.org/releases/qpid-0.30/cpp-broker/book/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Security-Authorization
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-04-14 13:47:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 785156

Comment 1 Justin Ross 2014-06-23 13:24:27 UTC
*** Bug 964191 has been marked as a duplicate of this bug. ***

Comment 2 Chuck Rolke 2014-07-24 14:50:56 UTC
This feature is committed upstream in various pieces as listed here. IP address connection control is mixed in with some other refactoring and three pieces probably need to go together.

QPID-4123 - ACL creates too many rules
QPID-4947 - ACL needs to control IP addresses (this bz)
QPID-5890 - ACL compiles static code dozens of times (needs refactor)

The commits of interest are:

commit   QPID QPID QPID Description
number   4123 4947 5890 
======== ==== ==== ==== ==========
1612874   XX   XX   XX  Use refactored PropertyDefs to qualify rules
                        Better document how ACL works
                        Improve startup logging
1611776        XX       Bugfix - strip IPv6 decoration on incoming connection
1611409        XX       Get rid of boost::make_shared RHEL5 failure
1611059        XX       Self test - detect if no IPv6 is present
1610992        XX       Self test fails if no IPv6. no-op the test
1610874        XX       Land QPID-4947 functionality
1610700             XX  Add missing properties, reorganize
1610697             XX  Add missing properties
1610681        XX   XX  Document keyword host=all
1610547        XX   XX  Update documentation
                        Adds CREATE CONNECTION description
1610195             XX  Remove old unused validationMap
1609900             XX  Improve Acl.cpp selftest
1609828             XX  Refactor
1609728             XX  Refactor - adds AclLexer

Comment 6 Chuck Rolke 2014-12-11 15:51:55 UTC
See section 1.5.2.3. ACL Rule Matching in http://qpid.apache.org/releases/qpid-0.30/cpp-broker/book/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Authorization-Specifying_ACL_Quotas

ACL rules are processed in order from the top of the file. The first matching rule controls the ACL decision even if there are subsequent rules that would render a different decision. In the given ACL file:

$ cat /etc/qpid/qpidd.acl
acl allow-log all create connection host=$IP_ALLOWED
acl deny-log UserC@QPID create connection host=all
# Default rule
acl allow all all
acl deny-log all create connection host=all

The first rule allows anyone to connect from host=$IP_ALLOWED, even UserC. To get the behavior you expect you must swap the first two rows of the ACL file so that UserC is denied in a rule processed before a rule in which UserC is allowed.

$ cat /etc/qpid/qpidd.acl
acl deny-log UserC@QPID create connection host=all
acl allow-log all create connection host=$IP_ALLOWED
acl deny-log all create connection host=all
# Default rule
acl allow all all

Also, the default rule is supposed to be the last rule in the ACL file.

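The first-match behaviour described in Comment 6, as an added example that is not part of this bug or of the qpid-cpp broker's own ACL code: a small Python model of rule ordering for "create connection" rules. It supports only what the two ACL files in the comment use (allow/deny with or without -log, the keyword all, and host=all or a single host=<ip>); 10.1.2.3 is a constructed stand-in for $IP_ALLOWED, and treating "no rule matched" as deny is an assumption of the model.

```python
import ipaddress

def parse_acl(text):
    """Parse 'acl <allow|deny>[-log] <user> [<action> [<object> [k=v ...]]]' lines in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] != "acl" or len(parts) < 3:
            raise ValueError("malformed ACL line: %r" % raw)
        perm = parts[1].split("-")[0]            # allow-log/deny-log decide like allow/deny, plus logging
        action = parts[3] if len(parts) > 3 else "all"
        obj = parts[4] if len(parts) > 4 else "all"
        props = dict(p.split("=", 1) for p in parts[5:])
        rules.append((perm, parts[2], action, obj, props))
    return rules

def host_matches(spec, client_ip):
    """host=all matches any client; otherwise the client address must equal the spec."""
    return spec == "all" or ipaddress.ip_address(spec) == ipaddress.ip_address(client_ip)

def decide(rules, user, client_ip, action="create", obj="connection"):
    """First match wins: returns (decision, rule_index); ('deny', None) when no rule applies (model assumption)."""
    for idx, (perm, ruser, raction, robj, props) in enumerate(rules):
        if ruser in ("all", user) and raction in ("all", action) and robj in ("all", obj) \
                and host_matches(props.get("host", "all"), client_ip):
            return perm, idx
    return "deny", None

IP_ALLOWED = "10.1.2.3"   # constructed stand-in for the $IP_ALLOWED placeholder in the comment

ORIGINAL_ACL = f"""
acl allow-log all create connection host={IP_ALLOWED}
acl deny-log UserC@QPID create connection host=all
# Default rule
acl allow all all
acl deny-log all create connection host=all
"""

FIXED_ACL = f"""
acl deny-log UserC@QPID create connection host=all
acl allow-log all create connection host={IP_ALLOWED}
acl deny-log all create connection host=all
# Default rule
acl allow all all
"""
```

Running decide() on both files shows that in the original ordering UserC@QPID is admitted from the allowed address by rule 0, and that the trailing deny in the original file is never reached because the default allow precedes it.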
Comment 20 errata-xmlrpc 2015-04-14 13:47:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-0805.html