Bug 849788

Summary: ERD 4.1.3: Acl-1000-6, Substitution symbol for the actual user name in an ACL
Product: Red Hat Enterprise MRG
Reporter: Irina Boverman <iboverma>
Component: qpid-cpp
Assignee: Chuck Rolke <crolke>
Status: CLOSED ERRATA
QA Contact: Zdenek Kraus <zkraus>
Severity: high
Priority: high
Version: 2.1.2
CC: jross, lzhaldyb, mcressma, pematous, zkraus
Target Milestone: 2.3
Keywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: qpid-cpp-0.18-1
Doc Type: Enhancement
Doc Text:
CAUSE:
Specifying Acl rules that allow named users to create named objects requires an endless number of Acl rules.

CONSEQUENCE:
Administrators must keep adding users to the Acl file to allow the users to use the broker.

FIX:
User name substitution keywords are added to the Acl file so that a single rule may apply to all users.
Keywords are created to substitute for the user name, the domain name, or the user and the domain name together.
Keyword substitution is allowed for object names, routing key names, alternate exchange names, and queue names.
Actual user and domain names are normalized. Periods and ampersands are replaced with underscores.

RESULT:
Any single rule using a name substitution may apply to thousands of different users, thus saving Acl file overhead and maintenance.
A simple set of Acl rules can give users the freedom to create per-user or per-domain private resources by limiting the resource name to contain the user's name or domain. Coincidentally, the same users are prevented from creating random resources, as the names of what they can create are strictly controlled.
Story Points: ---
Clone Of:
Clones: 852579
Environment:
Last Closed: 2013-03-06 18:51:42 UTC
Type: Bug
Bug Blocks: 808578, 852579    

Description Irina Boverman 2012-08-20 21:20:03 UTC
Description of problem:

See Milan ERD/PRD.
Also tracked upstream as QPID-4230.

Comment 2 Zdenek Kraus 2012-08-22 16:10:37 UTC
Could you please specify the details of this functionality?
 1/ How is substitution used? Like queue-name=myqueue.$USER?
 2/ What is the expected behaviour for a username that contains '.'?
 3/ Is the substitution performed completely, including @DOMAIN? For example, will a rule specified with queue-name=myqueue.$USER substitute to myqueue.user1@QPID for user1@QPID?

Comment 3 Chuck Rolke 2012-08-23 20:49:35 UTC
Please see comment dated 20/Aug/12 18:59 in https://issues.apache.org/jira/browse/QPID-4230

Comment 4 Chuck Rolke 2012-08-23 20:49:35 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
CAUSE:
Specifying Acl rules that allow named users to create named objects requires an endless number of Acl rules.

CONSEQUENCE:
Administrators must keep adding users to the Acl file to allow the users to use the broker.

FIX:
User name substitution keywords are added to the Acl file so that a single rule may apply to all users. 
Keywords are created to substitute for the user name, the domain name, or the user and the domain name together. 
Keyword substitution is allowed for object names, routing key names, alternate exchange names, and queue names.
Actual user and domain names are normalized. Periods and ampersands are replaced with underscores.

RESULT:
Any single rule using a name substitution may apply to thousands of different users, thus saving Acl file overhead and maintenance.
A simple set of Acl rules can give users the freedom to create per-user or per-domain private resources by limiting the resource name to contain the user's name or domain. Coincidentally, the same users are prevented from creating random resources, as the names of what they can create are strictly controlled.

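To make the mechanism in the technical note concrete, here is an added C++ sketch that is not code from this bug or from qpid-cpp itself. It applies the rules as the note states them: the authenticated id is split on '@' into user and domain, periods and ampersands in each part are normalized to underscores, the substitution keywords are expanded into a rule's name pattern, and a first-match, deny-by-default lookup decides whether a create is allowed. The keyword spellings ${user}, ${domain} and ${userdomain} follow the upstream qpid-cpp ACL documentation but are not stated on this page; the user_domain join, the rule fields, the "all" actor, and the trailing-'*' prefix match are simplifying assumptions for this illustration, not the broker's real matcher.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Normalized pieces of one authenticated id (assumed layout for this example).
struct Principal {
    std::string user;        // user part, normalized
    std::string domain;      // domain part, normalized (empty if no '@')
    std::string userdomain;  // user + "_" + domain (assumed join; just user if no domain)
};

// Normalization as described in the technical note: '.' and '&' become '_'.
std::string normalizeName(std::string name) {
    for (char& c : name) {
        if (c == '.' || c == '&') c = '_';
    }
    return name;
}

// Split "user@domain" on the first '@' (assumption: ids without '@' have no domain).
Principal parsePrincipal(const std::string& authId) {
    Principal p;
    const std::string::size_type at = authId.find('@');
    const std::string rawUser = at == std::string::npos ? authId : authId.substr(0, at);
    const std::string rawDomain = at == std::string::npos ? "" : authId.substr(at + 1);
    p.user = normalizeName(rawUser);
    p.domain = normalizeName(rawDomain);
    p.userdomain = p.domain.empty() ? p.user : p.user + "_" + p.domain;
    return p;
}

// Replace every occurrence of key in s with value.
static void replaceAll(std::string& s, const std::string& key, const std::string& value) {
    std::string::size_type pos = 0;
    while ((pos = s.find(key, pos)) != std::string::npos) {
        s.replace(pos, key.size(), value);
        pos += value.size();
    }
}

// Expand the three substitution keywords in a rule's name pattern for one principal.
// Keyword spellings are assumed from the upstream ACL documentation.
std::string substitute(std::string pattern, const Principal& p) {
    replaceAll(pattern, "${userdomain}", p.userdomain);
    replaceAll(pattern, "${domain}", p.domain);
    replaceAll(pattern, "${user}", p.user);
    return pattern;
}

// One simplified ACL rule: "acl allow|deny <actor> <action> <object> name=<pattern>".
struct AclRule {
    bool allow;
    std::string actor;   // "all" or a full authenticated id such as "bob@QPID"
    std::string action;  // e.g. "create"
    std::string object;  // e.g. "queue"
    std::string name;    // name pattern; may contain keywords and a trailing '*'
};

// Exact match, or prefix match when the pattern ends in '*' (simplification of
// the broker's wildcard handling; assumption for this example).
bool nameMatches(const std::string& pattern, const std::string& name) {
    if (!pattern.empty() && pattern.back() == '*') {
        const std::string prefix = pattern.substr(0, pattern.size() - 1);
        return name.compare(0, prefix.size(), prefix) == 0;
    }
    return pattern == name;
}

// First matching rule wins; no matching rule means denied.
bool aclAllows(const std::vector<AclRule>& rules, const std::string& authId,
               const std::string& action, const std::string& object,
               const std::string& name) {
    const Principal p = parsePrincipal(authId);
    for (const AclRule& r : rules) {
        if (r.actor != "all" && r.actor != authId) continue;
        if (r.action != action || r.object != object) continue;
        if (!nameMatches(substitute(r.name, p), name)) continue;
        return r.allow;
    }
    return false;
}

// Constructed sample: three rules replace a per-user list of create rules.
std::vector<AclRule> sampleRules() {
    return {
        {true,  "all", "create", "queue", "${userdomain}.*"},   // private per-user queues
        {true,  "all", "create", "queue", "shared.${domain}"},  // one shared queue per domain
        {false, "all", "create", "queue", "*"},                 // any other name is denied
    };
}

int main() {
    const std::vector<AclRule> rules = sampleRules();
    const std::string bob = "bob.user@QPID.COM";  // constructed id with periods to normalize
    std::cout << std::boolalpha
              << "userdomain:  " << parsePrincipal(bob).userdomain << "\n"
              << "own queue:   " << aclAllows(rules, bob, "create", "queue", "bob_user_QPID_COM.work") << "\n"
              << "other user:  " << aclAllows(rules, bob, "create", "queue", "alice_QPID_COM.work") << "\n"
              << "domain pool: " << aclAllows(rules, bob, "create", "queue", "shared.QPID_COM") << "\n"
              << "random name: " << aclAllows(rules, bob, "create", "queue", "anything") << "\n";
    return 0;
}
```

The last rule is what gives the "strictly controlled" property from the note: because every allowed pattern is anchored to the caller's own normalized name or domain, a user can neither create a queue that would land in another user's namespace nor pick an arbitrary name, and the file does not grow as users are added.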
Comment 6 Zdenek Kraus 2012-11-29 12:05:48 UTC
Tested on RHEL 6.3, RHEL 6.4, RHEL 5.8 and RHEL 5.9 on architectures i686 and x86_64.
Testing packages:
qpid-cpp-client-0.18-9.el5
qpid-cpp-server-0.18-9.el5

qpid-cpp-client-0.18-9.el6
qpid-cpp-server-0.18-9.el6

qpid-cpp-client-0.18-10.el6_3
qpid-cpp-server-0.18-10.el6_3

qpid-cpp-client-0.18-10.el5
qpid-cpp-server-0.18-10.el5

Feature is operational as expected -> VERIFIED.

Comment 7 Zdenek Kraus 2013-01-17 13:05:36 UTC
Feature was successfully retested on RHEL 5.9 and 6.4 on i686 and x86_64 with packages
qpid-cpp-server-0.18-13

Comment 9 errata-xmlrpc 2013-03-06 18:51:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0561.html