Bug 522495

Event posted on 09-09-2009 09:54am EDT by rrajaram

Description of problem:

There is a bug in ACL when processing the exchangeBound method:

ACL:  
acl allow tester@QPID access exchange name=foo  

Code:  
session->exchangeBound("foo");  

Broker:  
2009-sep-08 09:12:17 info ACL Deny id:tester@QPID action:create ObjectType:exchange Name:foo
2009-sep-08 09:12:17 error Execution exception: not-allowed: ACL denied exhange bound request from tester@QPID (qpid/broker/SessionAdapter.cpp:234)

Mind the "action:create" in the broker log file record.


I believe this is due to a bug in SessionAdapter::ExchangeHandlerImpl::bound
if (!acl->authorise(getConnection().getUserId(),acl::ACT_CREATE,acl::OBJ_EXCHANGE,exchangeName,&params) )
should read  
if (!acl->authorise(getConnection().getUserId(),acl::ACT_ACCESS,acl::OBJ_EXCHANGE,exchangeName,&params) )

Mind the "acl::ACT_CREATE" in the original authorise call.

Additionally, there is a typo where "exchange" is incorrectly spelt "exhange" in most ACL message

How reproducible:

Always


Steps to Reproduce:

Create a ACL for the exchangeBound Method

Actual results:

Exchange bound method should not fail

Expected results:

Instead of create, it has to use ACT_ACCESS. Exchange bound method should succeed

Additional info:

Escalating this case as per Mike Cressman
This event sent from IssueTracker by mcressma  [SEG - MRG]
 issue 340322

This is fixed in rev 813850 (trunk) and test cases are checked in rev 814077 (trunk)

Added the commit diff from git
http://git.et.redhat.com/git/qpid.git/?p=qpid.git;a=commitdiff;h=ed3dde04721ac26f6f88757ac86522d03e28afbb

The issue has been fixed on RHEL 4.8 / 5.4 i386 / x86_64 on packages:

# rpm -qa | grep qpid | sort -u
python-qpid-0.5.752581-3.el5
qpidc-0.5.752581-28.el5
qpidc-debuginfo-0.5.752581-28.el5
qpidc-devel-0.5.752581-28.el5
qpidc-perftest-0.5.752581-28.el5
qpidc-rdma-0.5.752581-28.el5
qpidc-ssl-0.5.752581-28.el5
qpidd-0.5.752581-28.el5
qpidd-acl-0.5.752581-28.el5
qpidd-cluster-0.5.752581-28.el5
qpidd-devel-0.5.752581-28.el5
qpid-dotnet-0.4.738274-2.el5
qpidd-rdma-0.5.752581-28.el5
qpidd-ssl-0.5.752581-28.el5
qpidd-xml-0.5.752581-28.el5
qpid-java-client-0.5.751061-9.el5
qpid-java-common-0.5.751061-9.el5
rh-tests-distribution-MRG-Messaging-qpid_common-1.5-15


-> VERIFIED

Release note added. If any revisions are required, please set the 
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

New Contents:
Corrected problem using ACL when processing the exchangeBound method, the method now works as expected (522495)

Release note updated. If any revisions are required, please set the 
"requires_release_notes"  flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1 +1,8 @@
-Corrected problem using ACL when processing the exchangeBound method, the method now works as expected (522495)+Messaging bug fix
+
+C: Creating an Access Control List (ACL) for the exchangeBound method
+C: The exchangeBound method fails
+F: The method has been changed so that it uses ACT_ACCESS instead of the create command
+R: The exchangeBound method no longer fails
+
+Creating an Access Control List (ACL) for the exchangeBound method, was resulting in the method failing. It has now been changed so that it uses ACT_ACCESS instead of the create command, and the method no longer fails.

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1633.html