Bug 1716900

Summary: The ACL /var/lib/qpidd/.qpidd/qpid_acls.acl gets removed with certain procedures
Product: Red Hat Satellite
Component: Qpid
Version: 6.4
Hardware: x86_64
OS: Linux
Reporter: Kenny Tordeurs <ktordeur>
Assignee: Mike Cressman <mcressma>
QA Contact: Radovan Drazny <rdrazny>
CC: egolov, ekohlvan, rdrazny
Status: CLOSED ERRATA
Severity: high
Priority: high
Keywords: Triaged
Target Milestone: 6.6.0
Target Release: Unused
Fixed In Version: foreman-installer-1.22.0
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2019-10-22 12:47:37 UTC

Description Kenny Tordeurs 2019-06-04 11:16:00 UTC
Description of problem:
The ACL /var/lib/qpidd/.qpidd/qpid_acls.acl gets removed with certain procedures

~~~
qpidd.conf:acl-file=qpid_acls.acl
~~~

Results in failure to start the qpidd service:
~~~
Redirecting to /bin/systemctl status qpidd.service
● qpidd.service - An AMQP message broker daemon.
   Loaded: loaded (/usr/lib/systemd/system/qpidd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2019-06-04 12:07:27 CEST; 36s ago
     Docs: man:qpidd(1)
           http://qpid.apache.org/
  Process: 9002 ExecStart=/usr/sbin/qpidd --config /etc/qpid/qpidd.conf (code=exited, status=1/FAILURE)
 Main PID: 9002 (code=exited, status=1/FAILURE)

Jun 04 12:07:27 provisioning.sysmgmt.lan systemd[1]: Started An AMQP message broker daemon..
Jun 04 12:07:27 provisioning.sysmgmt.lan qpidd[9002]: 2019-06-04 12:07:27 [Security] error Unable to open ACL file "/var/lib/qpidd/.qpidd/qpid_acls.acl": eof=F; fail=T; bad=F
Jun 04 12:07:27 provisioning.sysmgmt.lan qpidd[9002]: 2019-06-04 12:07:27 [Security] error Unable to open ACL file "/var/lib/qpidd/.qpidd/qpid_acls.acl": eof=F; fail=T; bad=F
Jun 04 12:07:27 provisioning.sysmgmt.lan qpidd[9002]: 2019-06-04 12:07:27 [Broker] critical Broker (pid=9002) start-up failed: Could not read ACL file Unable to open ACL file "/var/lib/qpidd/.qpi...fail=T; bad=F
Jun 04 12:07:27 provisioning.sysmgmt.lan qpidd[9002]: 2019-06-04 12:07:27 [Broker] critical Broker (pid=9002) start-up failed: Could not read ACL file Unable to open ACL file "/var/lib/qpidd/.qpi...fail=T; bad=F
Jun 04 12:07:27 provisioning.sysmgmt.lan qpidd[9002]: 2019-06-04 12:07:27 [Broker] critical Unexpected error: Could not read ACL file Unable to open ACL file "/var/lib/qpidd/.qpidd/qpid_acls.acl"...fail=T; bad=F
Jun 04 12:07:27 provisioning.sysmgmt.lan qpidd[9002]: 2019-06-04 12:07:27 [Broker] critical Unexpected error: Could not read ACL file Unable to open ACL file "/var/lib/qpidd/.qpidd/qpid_acls.acl"...fail=T; bad=F
Jun 04 12:07:27 provisioning.sysmgmt.lan systemd[1]: qpidd.service: main process exited, code=exited, status=1/FAILURE
Jun 04 12:07:27 provisioning.sysmgmt.lan systemd[1]: Unit qpidd.service entered failed state.
Jun 04 12:07:27 provisioning.sysmgmt.lan systemd[1]: qpidd.service failed.
~~~

For example, running https://access.redhat.com/solutions/3157651 will result in the ACL file being removed.

Version-Release number of selected component (if applicable):
# rpm -qa | grep qpid
~~~
provisioning.sysmgmt.lan-qpid-router-client-1.0-1.noarch
qpid-cpp-client-1.36.0-19.el7.x86_64
qpid-dispatch-router-0.8.0-19.el7.x86_64
tfm-rubygem-qpid_messaging-1.36.0-8.el7sat.x86_64
qpid-java-common-0.30-3.el7.noarch
qpid-cpp-client-devel-1.36.0-19.el7.x86_64
python-qpid-1.35.0-5.el7.noarch
python-gofer-qpid-2.12.3-1.el7.noarch
qpid-cpp-server-linearstore-1.36.0-19.el7.x86_64
provisioning.sysmgmt.lan-qpid-broker-1.0-2.noarch
provisioning.sysmgmt.lan-qpid-router-server-1.0-1.noarch
qpid-cpp-debuginfo-1.36.0-19.el7.x86_64
qpid-proton-c-0.16.0-13.el7sat.x86_64
python-qpid-proton-0.16.0-13.el7sat.x86_64
qpid-tools-1.36.0-19.el7.noarch
provisioning.sysmgmt.lan-qpid-client-cert-1.0-1.noarch
qpid-cpp-server-1.36.0-19.el7.x86_64
qpid-dispatch-tools-0.8.0-19.el7.x86_64
qpid-qmf-1.36.0-19.el7.x86_64
qpid-java-client-0.30-3.el7.noarch
qpid-proton-debuginfo-0.16.0-13.el7sat.x86_64
python-qpid-qmf-1.36.0-19.el7.x86_64
~~~

How reproducible:
100%

Steps to Reproduce:
1. Run the steps from KCS 3157651 with the same qpid version as mentioned above
2. The qpidd service will fail to start as the ACL file is gone

Actual results:
qpid service fails to start

Expected results:
No failure

Additional info:
I would recommend moving the ACL file to /etc/qpid/ instead of keeping it in /var/lib/qpidd/.qpidd/

The workaround is to create the ACL manually:

# cat /var/lib/qpidd/.qpidd/qpid_acls.acl
~~~
# allow the actions needed by katello_agent
acl allow katello_agent@QPID create queue
acl allow katello_agent@QPID consume queue
acl allow katello_agent@QPID access exchange
acl allow katello_agent@QPID access queue
acl allow katello_agent@QPID publish exchange routingkey=pulp.task
acl allow katello_agent@QPID publish exchange name=qmf.default.direct
acl allow katello_agent@QPID access method name=create

acl deny-log katello_agent@QPID access method name=*
acl deny-log katello_agent@QPID all all

# allow anything else
acl allow all all
~~~

With correct permissions:

# ls -lZ /var/lib/qpidd/.qpidd/qpid_acls.acl
~~~
-rw-------. qpidd qpidd system_u:object_r:qpidd_var_lib_t:s0 /var/lib/qpidd/.qpidd/qpid_acls.acl
~~~
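
The rule set above is worth reading as a least-privilege policy rather than a list of lines: qpidd evaluates ACL rules top to bottom, the first rule whose user, action, object and properties all match decides, and a request matching nothing is denied. The ordering is therefore load-bearing: the two `deny-log katello_agent@QPID` rules must sit before `acl allow all all`, otherwise the agent identity inherits everything. The evaluator below is an added illustration written for this page, not code from qpid-cpp or Satellite; it embeds the posted ACL file as its input and models the first-match semantics. Property matching is simplified to "the rule's property must be present in the request and match as a glob", which is an assumption and not a byte-for-byte copy of the broker's matcher.

```python
"""Minimal first-match evaluator for the qpidd ACL file posted in this report.

Added example for this page; not code from qpid-cpp, Katello or Satellite.
Assumptions: rules are read top to bottom, the first full match decides, a
request matching no rule is denied, 'all' matches anything, and a property
constraint (name=..., routingkey=...) is satisfied only when the request
carries that property and it matches the rule value as a glob.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass, field

# ACL file content exactly as posted in the workaround above.
QPID_ACLS = """
# allow the actions needed by katello_agent
acl allow katello_agent@QPID create queue
acl allow katello_agent@QPID consume queue
acl allow katello_agent@QPID access exchange
acl allow katello_agent@QPID access queue
acl allow katello_agent@QPID publish exchange routingkey=pulp.task
acl allow katello_agent@QPID publish exchange name=qmf.default.direct
acl allow katello_agent@QPID access method name=create

acl deny-log katello_agent@QPID access method name=*
acl deny-log katello_agent@QPID all all

# allow anything else
acl allow all all
"""


@dataclass
class Rule:
    decision: str                 # allow, allow-log, deny, deny-log
    user: str                     # user@realm or 'all'
    action: str                   # create, consume, publish, access, ... or 'all'
    obj: str                      # queue, exchange, method, ... or 'all'
    props: dict[str, str] = field(default_factory=dict)


def parse_acl(text: str) -> list[Rule]:
    """Parse 'acl <decision> <user> <action> [object] [prop=value ...]' lines."""
    rules: list[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] != "acl" or len(parts) < 4:
            raise ValueError(f"unsupported ACL line: {raw!r}")
        decision, user, action = parts[1:4]
        rest = parts[4:]
        obj = "all"                              # object is optional in the grammar
        if rest and "=" not in rest[0]:
            obj = rest.pop(0)
        props = dict(p.split("=", 1) for p in rest)
        rules.append(Rule(decision, user, action, obj, props))
    return rules


def _match(pattern: str, value: str) -> bool:
    return pattern == "all" or fnmatch.fnmatchcase(value, pattern)


def evaluate(rules: list[Rule], user: str, action: str, obj: str, **props: str) -> str:
    """Return 'allow' or 'deny' for one request; the first matching rule wins."""
    for r in rules:
        if not (_match(r.user, user) and _match(r.action, action) and _match(r.obj, obj)):
            continue
        if all(k in props and fnmatch.fnmatchcase(props[k], v) for k, v in r.props.items()):
            return "allow" if r.decision.startswith("allow") else "deny"
    return "deny"  # default when no rule matches


def least_privilege_report(rules: list[Rule]) -> dict[str, str]:
    """Decisions for representative requests; shows what the agent may and may not do."""
    agent = "katello_agent@QPID"
    return {
        "agent create queue": evaluate(rules, agent, "create", "queue"),
        "agent publish pulp.task": evaluate(rules, agent, "publish", "exchange", routingkey="pulp.task"),
        "agent publish other key": evaluate(rules, agent, "publish", "exchange", routingkey="pulp.other"),
        "agent delete queue": evaluate(rules, agent, "delete", "queue"),
        "agent method create": evaluate(rules, agent, "access", "method", name="create"),
        "agent method delete": evaluate(rules, agent, "access", "method", name="delete"),
        "other user delete queue": evaluate(rules, "pulp@QPID", "delete", "queue"),
    }


if __name__ == "__main__":
    for request, decision in least_privilege_report(parse_acl(QPID_ACLS)).items():
        print(f"{request:28s} {decision}")
    # Same rules with 'acl allow all all' moved to the top: the agent is no longer confined.
    reordered = parse_acl("acl allow all all\n" + QPID_ACLS)
    print("reordered, agent delete queue:", evaluate(reordered, "katello_agent@QPID", "delete", "queue"))
```

Two things the run makes visible that the file alone does not: `katello_agent@QPID` can publish only with the `pulp.task` routing key and call only the `create` method, while every other identity falls through to `acl allow all all`; and prepending `acl allow all all` turns every agent request into an allow, which is why a hand-recreated ACL must preserve the posted order.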

Comment 3 Kenny Tordeurs 2019-06-04 11:18:54 UTC
Moving the ACL to /etc/qpid/ worked fine for me and would prevent the file from being deleted when any actions are taken on the journal file.

# grep acl qpidd.conf
~~~
acl-file=/etc/qpid/qpid_acls.acl
~~~
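
The root cause visible in the two configs is path resolution: `acl-file=qpid_acls.acl` is relative, so qpidd opens it under its data directory, which is the same tree the journal-recovery procedure clears; `acl-file=/etc/qpid/qpid_acls.acl` is absolute and survives. The preflight check below is an added example for this page, not part of foreman-installer or Satellite. It parses a qpidd.conf, resolves the ACL path the way the report shows (relative values joined to the data directory, taken as /var/lib/qpidd/.qpidd unless `data-dir` is set, which is an assumption based on the path in this report), and verifies the file exists with the ownership and mode shown in the `ls -lZ` output above. Both configs from the report are embedded as constructed sample input.

```python
"""Preflight check for the qpidd ACL file location and permissions.

Added example for this page, not code from Satellite or foreman-installer.
Assumptions: a relative acl-file is resolved against the broker data
directory; without a data-dir option that directory is /var/lib/qpidd/.qpidd
(the path seen in this report); the file should be owned by qpidd and be
mode 0600, matching the `ls -lZ` output posted in the description.
"""
from __future__ import annotations

import os
import pwd
import stat

DEFAULT_DATA_DIR = "/var/lib/qpidd/.qpidd"

# Constructed samples: the failing and the fixed acl-file settings from the report.
CONF_BEFORE = "acl-file=qpid_acls.acl\n"
CONF_AFTER = "acl-file=/etc/qpid/qpid_acls.acl\n"


def parse_qpidd_conf(text: str) -> dict[str, str]:
    """Parse key=value lines of qpidd.conf, ignoring comments and blank lines."""
    opts: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def resolve_acl_file(conf_text: str, default_data_dir: str = DEFAULT_DATA_DIR) -> str | None:
    """Return the absolute path qpidd would open, or None when no ACL file is configured."""
    opts = parse_qpidd_conf(conf_text)
    acl = opts.get("acl-file")
    if acl is None:
        return None
    if os.path.isabs(acl):
        return acl
    return os.path.join(opts.get("data-dir", default_data_dir), acl)


def check_acl_file(path: str, expected_owner: str = "qpidd",
                   data_dir: str = DEFAULT_DATA_DIR) -> list[str]:
    """Return findings for the ACL file; an empty list means location, owner and mode are fine."""
    findings: list[str] = []
    if path.startswith(data_dir.rstrip(os.sep) + os.sep):
        findings.append(f"{path} lives in the broker data directory {data_dir}; "
                        "journal maintenance can remove it")
    try:
        st = os.stat(path)
    except FileNotFoundError:
        findings.append(f"{path} is missing; qpidd will refuse to start")
        return findings
    if not stat.S_ISREG(st.st_mode):
        findings.append(f"{path} is not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(f"{path} has mode {oct(mode)}; expected 0600")
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    if owner != expected_owner:
        findings.append(f"{path} is owned by {owner}; expected {expected_owner}")
    return findings


if __name__ == "__main__":
    for label, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(label, "->", resolve_acl_file(conf))
    try:
        with open("/etc/qpid/qpidd.conf") as fh:
            live = resolve_acl_file(fh.read())
    except OSError as exc:
        live = None
        print("cannot read /etc/qpid/qpidd.conf:", exc)
    if live:
        for finding in check_acl_file(live) or ["ok"]:
            print(finding)
```

Run on a broker host before and after a journal-recovery procedure, the checker reports the ACL file as living under the data directory (the pre-fix layout), as missing (the state in the description), or as fine; the 0600 check matters because the file encodes the per-identity policy and is read by the broker as the qpidd user only.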

Comment 9 Radovan Drazny 2019-08-30 10:15:06 UTC
Checked on Satellite 6.6 Snap 17 using steps provided by Jan in comment #4.

[root@sat66 ~]# grep acl /etc/qpid/qpidd.conf
~~~
acl-file=/etc/qpid/qpid.acl
~~~

[root@sat66 ~]# cat /etc/qpid/qpid.acl
~~~
# allow the actions needed by katello_agent
acl allow katello_agent@QPID create queue
acl allow katello_agent@QPID consume queue
acl allow katello_agent@QPID access exchange
acl allow katello_agent@QPID access queue
acl allow katello_agent@QPID publish exchange routingkey=pulp.task
acl allow katello_agent@QPID publish exchange name=qmf.default.direct
acl allow katello_agent@QPID access method name=create

acl deny-log katello_agent@QPID access method name=*
acl deny-log katello_agent@QPID all all

# allow anything else
acl allow all all
~~~

The location of acl file in the config is changed to /etc/qpid/qpid.acl, the file is present and contains required info.

VERIFIED

Comment 11 errata-xmlrpc 2019-10-22 12:47:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3172