Bug 587864

Summary: ACL policy doesn't permit certain characters in usernames added to groups
Product: Red Hat Enterprise MRG
Reporter: Tim Powers <timp>
Component: qpid-cpp
Assignee: Rajith Attapattu <rattapat+nobody>
Status: CLOSED ERRATA
QA Contact: ppecka <ppecka>
Severity: medium
Priority: high
Version: Development
CC: freznice, gsim, ppecka
Target Milestone: 1.3
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Attachments:
Adds a completely untested checkUserName function to allow for both normal-ish usernames as well as Kerberos host/service principals (flags: none)

Description Tim Powers 2010-05-01 07:51:49 UTC
Created attachment 410648
Adds a completely untested checkUserName function to allow for both normal-ish usernames as well as Kerberos host/service principals

Description of problem:
While trying to add a host principal to a group, the ACL policy file fails to load and prevents qpidd from running.

Version-Release number of selected component (if applicable):
0.7.929717-1.el5

How reproducible:
Fails every time.

Steps to Reproduce:
1. Add a host or service principal to a group in the ACL file. Something like this will suffice:
  group somegroup host/somemachine.example.com@EXAMPLE.COM
  
Actual results:
Failure to start. Error message is:
Daemon startup failed: Could not read ACL file ACL format error: /etc/qpid/policy.acl:25: Name "host/somemachine.example.com@EXAMPLE.COM" contains illegal characters.

Expected results:
Should load and parse the group cleanly.
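
An added example, not the attached patch or the upstream fix: one way to write an allow-list name check in C++ that accepts both plain usernames and Kerberos principals of the form primary[/instance]@REALM, while still rejecting whitespace, empty components and repeated separators. The helper names `allowed` and `isPlainName`, the body of `checkUserName` and the exact character sets are assumptions made for illustration.

```cpp
// Added illustration, not qpid-cpp source. Character sets are assumptions.
#include <cctype>
#include <iostream>
#include <string>

// True if s is non-empty and every character is a letter, digit, '-' or '_'
// (plus '.' when allowDot is set, for host names and realms).
static bool allowed(const std::string& s, bool allowDot) {
    if (s.empty()) return false;
    for (std::string::size_type i = 0; i < s.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(s[i]);
        if (std::isalnum(c) || c == '-' || c == '_') continue;
        if (allowDot && c == '.') continue;
        return false;
    }
    return true;
}

// Strict rule: the kind of check that rejects '/', '.' and '@'.
bool isPlainName(const std::string& name) { return allowed(name, false); }

// Relaxed rule: a plain name, or primary[/instance]@REALM with exactly one
// '@', at most one '/', and no empty component.
bool checkUserName(const std::string& name) {
    if (isPlainName(name)) return true;
    const std::string::size_type at = name.find('@');
    if (at == std::string::npos || name.find('@', at + 1) != std::string::npos)
        return false;
    const std::string left = name.substr(0, at);
    if (!allowed(name.substr(at + 1), true)) return false;
    const std::string::size_type slash = left.find('/');
    if (slash == std::string::npos) return allowed(left, true);
    if (left.find('/', slash + 1) != std::string::npos) return false;
    return allowed(left.substr(0, slash), true) &&
           allowed(left.substr(slash + 1), true);
}

int main() {
    // Group member taken from the report's reproduction step.
    const std::string member = "host/somemachine.example.com@EXAMPLE.COM";
    std::cout << "strict: " << isPlainName(member)
              << " relaxed: " << checkUserName(member) << "\n";
    return checkUserName(member) ? 0 : 1;
}
```

Checking the structure of the principal, rather than simply adding '/', '.' and '@' to one flat character set, keeps malformed names such as `host/@EXAMPLE.COM` out of the policy.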

Comment 1 Rajith Attapattu 2010-05-12 13:34:06 UTC
I have checked in a fix upstream at rev 943351.
This also contains test cases and improved error reporting.

Comment 2 ppecka 2010-05-31 13:29:33 UTC
Verified on RHEL 5.5/4.8 - i386/x86_64:

rpm -qa | grep -E '(qpid|ais|sesame)' | sort -n
openais-0.80.6-16.el5_5.1
openais-debuginfo-0.80.6-16.el5_5.1
openais-devel-0.80.6-16.el5_5.1
python-qpid-0.7.946106-1.el5
qpid-cpp-client-0.7.946106-1.el5
qpid-cpp-client-devel-0.7.946106-1.el5
qpid-cpp-client-devel-docs-0.7.946106-1.el5
qpid-cpp-client-ssl-0.7.946106-1.el5
qpid-cpp-server-0.7.946106-1.el5
qpid-cpp-server-cluster-0.7.946106-1.el5
qpid-cpp-server-devel-0.7.946106-1.el5
qpid-cpp-server-ssl-0.7.946106-1.el5
qpid-cpp-server-store-0.7.946106-1.el5
qpid-cpp-server-xml-0.7.946106-1.el5
qpid-java-client-0.7.946106-3.el5
qpid-java-common-0.7.946106-3.el5
qpid-tools-0.7.946106-4.el5
rh-tests-distribution-MRG-Messaging-qpid_common-1.6-27
sesame-0.7.3918-2.el5

--> VERIFIED