Bug 1122499

Summary: qpid-route does not report ACL denial
Product: Red Hat Enterprise MRG Reporter: Leonid Zhaldybin <lzhaldyb>
Component: qpid-toolsAssignee: Ernie <eallen>
Status: CLOSED DUPLICATE QA Contact: MRG Quality Engineering <mrgqe-bugs>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.0CC: esammons, jross, pmoravec, smumford
Target Milestone: 3.2Keywords: Improvement
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-07-30 11:22:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Leonid Zhaldybin 2014-07-23 11:44:35 UTC
Description of problem:
In case that the link creation on the broker fails because of ACL denial, qpid-route tool does not return any error. Example:

There are two brokers running on two different machines. Their configuration files are the same:
[root@lzhaldyb-rhel65i ~]# cat /etc/qpid/qpidd.acl
acl deny all create link
acl allow all all

[root@lzhaldyb-rhel65i ~]# cat /etc/qpid/qpidd.conf
auth=yes
log-enable=info+
log-to-file=/var/lib/qpidd/qpidd.log
acl-file=/etc/qpid/qpidd.acl

The attempt to create queue route from the queue fed.q on the one broker to the fed.ex exchange on the second broker fails due to ACL denial, the destination broker says "[Broker] warning Client closed connection with 320: ACL denied  creating a federation link". The qpid-route, however, does not report any problem:
[root@lzhaldyb-rhel65x ~]# qpid-route queue add user/password@192.168.65.1:5672 user/password@192.168.65.3:5672 fed.ex fed.q
[root@lzhaldyb-rhel65x ~]# echo $?
0

Version-Release number of selected component (if applicable):
qpid-tools-0.22-13.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1. Configure ACL rule to deny link creation on destination broker.
2. Try to create a route to destination broker using qpid-route tool.
3.

Actual results:
Route is not created due to ACL denial, the tool does not return any error.

Expected results:
Route is not created, the tool reports the error.

Additional info:
In case that no ACL rules are provided on the destination broker (no "acl-file" directive in qpidd.conf), the warning in broker's log is different: "[Broker] warning Client closed connection with 320: User  federation connection denied. Systems with authentication enabled must specify ACL create link rules." But the result is the same - no route is created (which is what's supposed to happen under these conditions), and no error reported by qpid-route (which is wrong).

Comment 1 Pavel Moravec 2014-07-30 11:22:40 UTC

*** This bug has been marked as a duplicate of bug 797073 ***