Bug 505593

Summary: Feature: single-user mode or ability to prevent clients other than mgmt tool to connect to broker
Product: Red Hat Enterprise MRG
Reporter: Gordon Sim <gsim>
Component: qpid-cpp
Assignee: Andrew Stitcher <astitcher>
Status: CLOSED WONTFIX
QA Contact: MRG Quality Engineering <mrgqe-bugs>
Severity: medium
Priority: low
Version: 1.0
CC: astitcher, fhirtz, jross
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Enhancement
Last Closed: 2020-05-22 14:34:57 UTC

Description Gordon Sim 2009-06-12 14:37:13 UTC
It would be very useful to be able to start the broker in a mode whereby only a configuration process was able to connect to it and it remained inaccessible to other clients until configuration (e.g. queue creation and binding, cluster nodes joining etc) was complete.

Comment 1 Andrew Stitcher 2009-06-12 16:33:12 UTC
I think there are 2 necessary things here:

1. Limit the protocol or interface that connections are accepted on:

So in this mode we'd only accept connections say from localhost or a unix domain socket (when we implement that)

2. Use ACLs to limit access to only a user authenticated appropriately.

These things would also need to happen dynamically, so that restarting the broker wouldn't be necessary.

I think that 2 is probably possible, but not dynamically.

1 would need to be implemented and to be made dynamic.

Comment 2 Gordon Sim 2013-07-08 08:07:36 UTC
(In reply to Andrew Stitcher from comment #1)
> I think there are 2 necessary things here:
> 
> 1. Limit the protocol or interface that connections are accepted on:
> 
> So in this mode we'd only accept connections say from localhost or a unix
> domain socket (when we implement that)
> 
> 2. Use ACLs to limit access to only a user authenticated appropriately.
> 
> These things would also need to happen dynamically, so that restarting the
> broker wouldn't be necessary.
> 
> I think that 2 is probably possible, but not dynamically.
> 
> 1 would need to be implemented and to be made dynamic.

I don't think 1 is essential here, though it may be nice to have. 

The HA module does something quite similar here. Backups reject all but management clients (though they do so by a special connection option rather than authenticated user - however that option is I think protected by ACL).

I.e. have a mode in which the broker rejects all connections except those identified as management clients (this could indeed be via a special 'access broker in management-mode' permission); have a command line flag to cause the broker to 'boot' into that mode; have a management command to move from that mode into normal mode.
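
A small model of the gate proposed in comment 2, added here as an illustration; it is not Qpid code and does not come from either commenter. The `Broker` class, the permission string and the `user@QPID` ids are assumptions.

```python
"""Hypothetical model of the 'management mode' gate from comment 2.
Not Qpid code: class, permission and user names are assumptions."""
from enum import Enum

MGMT_PERMISSION = "access-broker-in-management-mode"  # assumed permission name


class Mode(Enum):
    MANAGEMENT = "management"
    NORMAL = "normal"


class Broker:
    def __init__(self, acl, start_in_management_mode=False):
        # acl maps an authenticated user id to its set of granted permissions.
        self.acl = acl
        # Models the proposed command-line flag that boots into the mode.
        self.mode = Mode.MANAGEMENT if start_in_management_mode else Mode.NORMAL
        self.connections = []

    def _is_manager(self, user):
        # Users missing from the ACL get an empty set, so the default is deny.
        return MGMT_PERMISSION in self.acl.get(user, set())

    def accept(self, user):
        """Admission check applied to each authenticated connection."""
        if self.mode is Mode.MANAGEMENT and not self._is_manager(user):
            return False
        self.connections.append(user)
        return True

    def enter_normal_mode(self, user):
        """Models the proposed management command; it is itself privileged."""
        if not self._is_manager(user):
            raise PermissionError(f"{user} may not change broker mode")
        self.mode = Mode.NORMAL


def demo():
    # Constructed sample ACL and connection attempts.
    acl = {"admin@QPID": {MGMT_PERMISSION}, "app@QPID": set()}
    broker = Broker(acl, start_in_management_mode=True)
    results = [broker.accept("app@QPID"), broker.accept("admin@QPID")]
    broker.enter_normal_mode("admin@QPID")
    results.append(broker.accept("app@QPID"))
    return results  # [False, True, True]
```

The transition command is checked against the same permission as admission, so a client that cannot connect in management mode also cannot end it.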