Description of problem: With authentication enabled, when creating a federation link there is no username/id passed into the ACL module, thus the link rules with particular username are silently passed by with no match, only matching are the 'all' rules. #two brokers, second on port 10000 only as the originator of the link qpidd --data-dir=/tmp/qpidd-$$-$RANDOM --port=10000 --log-to-file=/tmp/originator_qpid.log ###QPIDD.CONF auth=yes #acl-file=/var/lib/qpidd/fed.acl acl-file=/etc/qpid/fed.acl #acl-file=/etc/qpid/qpidd.acl log-to-file=/var/lib/qpidd/qpidd.log log-enable=info+ log-enable=debug+:Acl data-dir=/var/lib/qpidd ###FED.ACL acl allow root@QPID all all acl deny all all ##Creating regular link from 10000->5672 qpid-route link add root/root@localhost:10000 root/root@localhost:5672 ###DESTINATION QPIDD LOG (10000) 2013-08-13 10:33:38 [Broker] info The Broker::connect() method will be removed in a future release of QPID. Please use the Broker::create() method with type='link' instead. 2013-08-13 10:33:38 [Broker] info The Broker::connect() method will be removed in a future release of QPID. Please use the Broker::create() method with type='link' instead. 2013-08-13 10:33:38 [System] info Connecting: [::1]:5672 2013-08-13 10:33:38 [System] info Connecting: [::1]:5672 2013-08-13 10:33:38 [Broker] info Inter-broker link connecting to localhost:5672 2013-08-13 10:33:38 [Broker] info Inter-broker link connecting to localhost:5672 2013-08-13 10:33:38 [Network] info Set TCP_NODELAY on connection to localhost:5672 2013-08-13 10:33:38 [Network] info Set TCP_NODELAY on connection to localhost:5672 2013-08-13 10:33:38 [Broker] info Inter-broker link established to localhost:5672 2013-08-13 10:33:38 [Broker] info Inter-broker link established to localhost:5672 2013-08-13 10:33:38 [Broker] warning Client closed connection with 320: ACL denied creating a federation link (/builddir/build/BUILD/qpid-0.22/cpp/src/qpid/broker/ConnectionHandler.cpp:205) 2013-08-13 10:33:38 [Broker] warning Client closed connection with 320: ACL denied creating a federation link (/builddir/build/BUILD/qpid-0.22/cpp/src/qpid/broker/ConnectionHandler.cpp:205) 2013-08-13 10:33:38 [Broker] info Inter-broker link disconnected from localhost:5672 Closed by peer 2013-08-13 10:33:38 [Broker] info Inter-broker link disconnected from localhost:5672 Closed by peer ###SOURCE QPID LOG (5672) 2013-08-13 10:33:26 [Broker] notice Shut down 2013-08-13 10:33:26 [Store] notice Journal "TplStore": Destroyed 2013-08-13 10:33:26 [Broker] info Management enabled 2013-08-13 10:33:26 [Management] info ManagementAgent restored broker ID: 1e1f0ae9-a2e3-435c-8f5e-366d93dd69bf 2013-08-13 10:33:26 [Broker] info Loaded protocol AMQP 1.0 2013-08-13 10:33:26 [Store] notice Journal "TplStore": Created 2013-08-13 10:33:26 [Store] notice Store module initialized; store-dir=/var/lib/qpidd 2013-08-13 10:33:26 [Store] info > Default files per journal: 8 2013-08-13 10:33:26 [Store] info > Default journal file size: 24 (wpgs) 2013-08-13 10:33:26 [Store] info > Default write cache page size: 32 (KiB) 2013-08-13 10:33:26 [Store] info > Default number of write cache pages: 32 2013-08-13 10:33:26 [Store] info > TPL files per journal: 8 2013-08-13 10:33:26 [Store] info > TPL journal file size: 24 (wpgs) 2013-08-13 10:33:26 [Store] info > TPL write cache page size: 4 (KiB) 2013-08-13 10:33:26 [Store] info > TPL number of write cache pages: 64 2013-08-13 10:33:26 [Security] notice SSL plugin not enabled, you must set --ssl-cert-db to enable it. 2013-08-13 10:33:26 [Broker] info Registered xml exchange 2013-08-13 10:33:26 [Store] info Most recent persistence id found: 0x0 2013-08-13 10:33:26 [Store] info Recovered exchange "amq.direct" 2013-08-13 10:33:26 [Store] info Recovered exchange "amq.topic" 2013-08-13 10:33:26 [Store] info Recovered exchange "amq.fanout" 2013-08-13 10:33:26 [Store] info Recovered exchange "amq.match" 2013-08-13 10:33:26 [Security] info SASL: config path set to /etc/sasl2 2013-08-13 10:33:26 [Broker] info SASL enabled 2013-08-13 10:33:26 [Network] info Listening to: 0.0.0.0:5672 2013-08-13 10:33:26 [Network] info Listening to: [::]:5672 2013-08-13 10:33:26 [Network] notice Listening on TCP/TCP6 port 5672 2013-08-13 10:33:26 [Security] notice ACL: Read file "/etc/qpid/fed.acl" 2013-08-13 10:33:26 [Security] debug ACL: Group list: 0 groups found: 2013-08-13 10:33:26 [Security] debug ACL: name list: 2 names found: 2013-08-13 10:33:26 [Security] debug ACL: * root@QPID 2013-08-13 10:33:26 [Security] debug ACL: Rule list: 2 ACL rules found: 2013-08-13 10:33:26 [Security] debug ACL: 1 allow [root@QPID] * * 2013-08-13 10:33:26 [Security] debug ACL: 2 deny [*] * 2013-08-13 10:33:26 [Security] debug ACL: connections quota: 0 rules found: 2013-08-13 10:33:26 [Security] debug ACL: queues quota: 0 rules found: 2013-08-13 10:33:26 [Security] debug ACL: Load Rules 2013-08-13 10:33:26 [Security] debug ACL: Processing 2 deny [*] * 2013-08-13 10:33:26 [Security] debug ACL: FoundMode deny 2013-08-13 10:33:26 [Security] debug ACL: Processing 1 allow [root@QPID] * * 2013-08-13 10:33:26 [Security] debug ACL: Adding actions {consume,publish,create,access,bind,unbind,delete,purge,update} to objects {queue,exchange,broker,link,method} with props { } for users {root@QPID} 2013-08-13 10:33:26 [Security] debug ACL: Transfer ACL is Enabled! 2013-08-13 10:33:26 [Security] info ACL Plugin loaded 2013-08-13 10:33:26 [Store] info Enabling management instrumentation for the store. 2013-08-13 10:33:26 [System] info Rdma: Disabled: no rdma devices found 2013-08-13 10:33:26 [Broker] notice Broker running 2013-08-13 10:33:38 [Network] info Set TCP_NODELAY on connection to [::1]:49312 2013-08-13 10:33:38 [Security] info SASL: Mechanism list: DIGEST-MD5 ANONYMOUS PLAIN 2013-08-13 10:33:38 [Security] info SASL: Starting authentication with mechanism: DIGEST-MD5 2013-08-13 10:33:38 [Security] debug ACL: Lookup for id: action:create objectType:link name: with params { } 2013-08-13 10:33:38 [Security] debug ACL: No successful match, defaulting to the decision mode deny Works just fine with other auth methods. Version-Release number of selected component (if applicable): qpid-cpp-0.22-10 qpid-cpp-0.22-7 How reproducible: 100% Steps to Reproduce: 1. ACL acl allow root@QPID all all acl deny all all 2. start 2 brokers 3. create regular authenticated link between them using digest-md5 qpid-route link add root/root@localhost:10000 root/root@localhost:5672 DIGEST-MD5 Actual results: link creation is denied because user id is not passed to ACL module Expected results: user id should be passed to let ACL module make the right decision Additional info:
It is not ACL module issue, but rather broker itself one. The root cause is because ACL for links is checked after getting connection.startOk AMQP method. While DIGEST-MD5 (and other auth.methods) provide userId later on - during connection.secureOk AMQP method. /me raised review request on https://reviews.apache.org/r/18968/ as I have minor questions about the patch there.
FYI I saw the bug be valid also for CRAM-MD5 (and I guess also for GSSAPI and EXTERNAL/SSL) mechanisms. My reproducer: echo "acl allow guest@QPID all all acl deny all all" > /root/qpidd.acl killall qpidd rm -rf _5672 _10000 qpidd.*.log mkdir _5672 _10000 cp qpidd.sasldb _5672 cp qpidd.sasldb _10000 qpidd --port=5672 --acl-file=/root/qpidd.acl --auth=yes --log-to-file=qpidd.5672.log --trace --data-dir=_5672 --log-to-stdout=no --log-to-stderr=no --log-function=yes & qpidd --port=10000 --acl-file=/root/qpidd.acl --auth=yes --log-to-file=qpidd.10000.log --trace --data-dir=_10000 --log-to-stdout=no --log-to-stderr=no & sleep 2 qpid-route link add guest/guest@localhost:10000 guest/guest@localhost:5672
Committed revision 1576248.
tested on RHEL 6.6 i686 and x86_64 with following packages: python-qpid-0.30-3 python-qpid-qmf-0.30-3 qpid-cpp-client-0.30-5 qpid-cpp-client-devel-0.30-5 qpid-cpp-client-rdma-0.30-5 qpid-cpp-debuginfo-0.30-5 qpid-cpp-server-0.30-5 qpid-cpp-server-devel-0.30-5 qpid-cpp-server-ha-0.30-5 qpid-cpp-server-linearstore-0.30-5 qpid-cpp-server-rdma-0.30-5 qpid-cpp-server-xml-0.30-5 qpid-java-client-0.30-3 qpid-java-common-0.30-3 qpid-java-example-0.30-3 qpid-jca-0.22-2 qpid-jca-xarecovery-0.22-2 qpid-proton-c-0.7-4 qpid-qmf-0.30-3 qpid-tools-0.30-3 fix works as expected. ->VERIFIED
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2015-0805.html