Bug 808105

Summary: ACL syntax does not allow specifying '' exchange
Product: Red Hat Enterprise MRG Reporter: Pavel Moravec <pmoravec>
Component: qpid-cppAssignee: Chuck Rolke <crolke>
Status: CLOSED ERRATA QA Contact: Zdenek Kraus <zkraus>
Severity: low Docs Contact:
Priority: medium    
Version: 2.1CC: gsim, jross, lzhaldyb, rbinkhor, zkraus
Target Milestone: 3.0Keywords: Improvement
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: qpid-cpp-0.22-4.el6, qpid-cpp-0.22-4.el5 Doc Type: Enhancement
Doc Text:
ACL PUBLISH EXCHANGE rules now have a simplified way to refer to the nameless default exchange. In situations where the default exchange requires ACL rules, it is now possible to name the unnamed exchange by specifying the keyword `amq.default` in the ACL rule syntax.
 Story Points: ---
Clone Of:
: 961006 (view as bug list) Environment:
Last Closed: 2014-09-24 15:04:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 802656    
Bug Blocks: 785156, 961006    

Description Pavel Moravec 2012-03-29 15:23:40 UTC 
Description of problem:
There is no way how to specify '' exchange in an ACL rule. These lines have been tried:
1) acl allow all publish exchange name=""
then ACL checks exchange of name '""' (string with 2 characters ")
2) acl allow all publish exchange name=''
then ACL checks exchange of name '''' (string with 2 characters ')
3) acl allow all publish exchange name=
then ACL syntax check rejects it as it requires a non-empty value

Workaround in specifying:
acl allow all publish exchange name=*
acl deny all publish exchange name=[a-zA-Z-0-9]*

is not applicable as each check would have to pass up to 62 rules.


Version-Release number of selected component (if applicable):
any (seen in 0.12)


How reproducible:
100% (missing configuration ability)


Steps to Reproduce:
n.a.

  
Actual results:
n.a.


Expected results:
n.a.


Additional info:
Can't 802656 (RFE: Support regular expressions in ACL) elegantly resolve this?
Comment 1 Justin Ross 2013-02-26 21:28:33 UTC 
*** Bug 707678 has been marked as a duplicate of this bug. ***
Comment 2 Chuck Rolke 2013-04-08 18:49:47 UTC 
Committed upstream trunk at r1465719

The patch adds an ACL keyword "amq.default" that stands in for the unnamed exchange during PUBLISH EXCHANGE lookups. The rule:

 acl allow mrPavel publish exchange name=amq.default routingkey=secretqueue

allows mrPavel to publish to secretqueue.
Comment 4 Zdenek Kraus 2013-07-18 08:45:38 UTC 
Fix is OK.

Issue was tested on RHEL5 and RHEL6, i686 and x86_64 with packages:
python-qpid-0.22-4
python-qpid-qmf-0.22-6
qpid-cpp-client-ssl-0.22-7
qpid-cpp-server-store-0.22-7
qpid-proton-c-0.4-2.2
qpid-cpp-client-0.22-7
qpid-cpp-client-rdma-0.22-7
qpid-cpp-server-ssl-0.22-7
qpid-cpp-server-ha-0.22-7
qpid-tools-0.22-3
qpid-cpp-server-0.22-7
qpid-qmf-0.22-6
qpid-cpp-server-devel-0.22-7
qpid-cpp-debuginfo-0.22-7
qpid-cpp-client-devel-0.22-7
qpid-cpp-server-xml-0.22-7
qpid-cpp-server-rdma-0.22-7
qpid-cpp-client-devel-docs-0.22-7

->VERIFIED
Comment 6 errata-xmlrpc 2014-09-24 15:04:11 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-1296.html