First Last Prev Next    This bug is not in your last search results.
Bug 1003661 - User ID is not passed to ACL when DIGEST-MD5 is used while creating link
User ID is not passed to ACL when DIGEST-MD5 is used while creating link
Status: CLOSED ERRATA
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-cpp (Show other bugs)
3.0
Unspecified Unspecified
medium Severity medium
: 3.1
: ---
Assigned To: Pavel Moravec
Zdenek Kraus
: Patch, TestCaseProvided
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-09-02 11:08 EDT by Zdenek Kraus
Modified: 2015-04-14 09:47 EDT (History)
5 users (show)

See Also:
Fixed In Version: qpid-cpp-0.30-2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-04-14 09:47:01 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Apache JIRA QPID-5621 None None None Never
Red Hat Product Errata RHEA-2015:0805 normal SHIPPED_LIVE Red Hat Enterprise MRG Messaging 3.1 Release 2015-04-14 13:45:54 EDT

  None (edit)
Description Zdenek Kraus 2013-09-02 11:08:21 EDT 
Description of problem:

With authentication enabled, when creating a federation link there is no username/id passed into the ACL module, thus the link rules with particular username are silently passed by with no match, only matching are the 'all' rules.

#two brokers, second on port 10000 only as the originator of the link
qpidd --data-dir=/tmp/qpidd-$$-$RANDOM --port=10000 --log-to-file=/tmp/originator_qpid.log 

###QPIDD.CONF
auth=yes
#acl-file=/var/lib/qpidd/fed.acl
acl-file=/etc/qpid/fed.acl
#acl-file=/etc/qpid/qpidd.acl

log-to-file=/var/lib/qpidd/qpidd.log
log-enable=info+
log-enable=debug+:Acl

data-dir=/var/lib/qpidd


###FED.ACL
acl allow root@QPID all all

acl deny all all


##Creating regular link from 10000->5672
qpid-route link add root/root@localhost:10000 root/root@localhost:5672


###DESTINATION QPIDD LOG (10000)
2013-08-13 10:33:38 [Broker] info The Broker::connect() method will be removed in a future release of QPID. Please use the Broker::create() method with type='link' instead.
2013-08-13 10:33:38 [Broker] info The Broker::connect() method will be removed in a future release of QPID. Please use the Broker::create() method with type='link' instead.
2013-08-13 10:33:38 [System] info Connecting: [::1]:5672
2013-08-13 10:33:38 [System] info Connecting: [::1]:5672
2013-08-13 10:33:38 [Broker] info Inter-broker link connecting to localhost:5672
2013-08-13 10:33:38 [Broker] info Inter-broker link connecting to localhost:5672
2013-08-13 10:33:38 [Network] info Set TCP_NODELAY on connection to localhost:5672
2013-08-13 10:33:38 [Network] info Set TCP_NODELAY on connection to localhost:5672
2013-08-13 10:33:38 [Broker] info Inter-broker link established to localhost:5672
2013-08-13 10:33:38 [Broker] info Inter-broker link established to localhost:5672
2013-08-13 10:33:38 [Broker] warning Client closed connection with 320: ACL denied  creating a federation link (/builddir/build/BUILD/qpid-0.22/cpp/src/qpid/broker/ConnectionHandler.cpp:205)
2013-08-13 10:33:38 [Broker] warning Client closed connection with 320: ACL denied  creating a federation link (/builddir/build/BUILD/qpid-0.22/cpp/src/qpid/broker/ConnectionHandler.cpp:205)
2013-08-13 10:33:38 [Broker] info Inter-broker link disconnected from localhost:5672 Closed by peer
2013-08-13 10:33:38 [Broker] info Inter-broker link disconnected from localhost:5672 Closed by peer


###SOURCE QPID LOG (5672)
2013-08-13 10:33:26 [Broker] notice Shut down
2013-08-13 10:33:26 [Store] notice Journal "TplStore": Destroyed
2013-08-13 10:33:26 [Broker] info Management enabled
2013-08-13 10:33:26 [Management] info ManagementAgent restored broker ID: 1e1f0ae9-a2e3-435c-8f5e-366d93dd69bf
2013-08-13 10:33:26 [Broker] info Loaded protocol AMQP 1.0
2013-08-13 10:33:26 [Store] notice Journal "TplStore": Created
2013-08-13 10:33:26 [Store] notice Store module initialized; store-dir=/var/lib/qpidd
2013-08-13 10:33:26 [Store] info > Default files per journal: 8
2013-08-13 10:33:26 [Store] info > Default journal file size: 24 (wpgs)
2013-08-13 10:33:26 [Store] info > Default write cache page size: 32 (KiB)
2013-08-13 10:33:26 [Store] info > Default number of write cache pages: 32
2013-08-13 10:33:26 [Store] info > TPL files per journal: 8
2013-08-13 10:33:26 [Store] info > TPL journal file size: 24 (wpgs)
2013-08-13 10:33:26 [Store] info > TPL write cache page size: 4 (KiB)
2013-08-13 10:33:26 [Store] info > TPL number of write cache pages: 64
2013-08-13 10:33:26 [Security] notice SSL plugin not enabled, you must set --ssl-cert-db to enable it.
2013-08-13 10:33:26 [Broker] info Registered xml exchange
2013-08-13 10:33:26 [Store] info Most recent persistence id found: 0x0
2013-08-13 10:33:26 [Store] info Recovered exchange "amq.direct"
2013-08-13 10:33:26 [Store] info Recovered exchange "amq.topic"
2013-08-13 10:33:26 [Store] info Recovered exchange "amq.fanout"
2013-08-13 10:33:26 [Store] info Recovered exchange "amq.match"
2013-08-13 10:33:26 [Security] info SASL: config path set to /etc/sasl2
2013-08-13 10:33:26 [Broker] info SASL enabled
2013-08-13 10:33:26 [Network] info Listening to: 0.0.0.0:5672
2013-08-13 10:33:26 [Network] info Listening to: [::]:5672
2013-08-13 10:33:26 [Network] notice Listening on TCP/TCP6 port 5672
2013-08-13 10:33:26 [Security] notice ACL: Read file "/etc/qpid/fed.acl"
2013-08-13 10:33:26 [Security] debug ACL: Group list: 0 groups found:
2013-08-13 10:33:26 [Security] debug ACL: name list: 2 names found:
2013-08-13 10:33:26 [Security] debug ACL:  * root@QPID
2013-08-13 10:33:26 [Security] debug ACL: Rule list: 2 ACL rules found:
2013-08-13 10:33:26 [Security] debug ACL:    1 allow [root@QPID] * *
2013-08-13 10:33:26 [Security] debug ACL:    2 deny [*] *
2013-08-13 10:33:26 [Security] debug ACL: connections quota: 0 rules found:
2013-08-13 10:33:26 [Security] debug ACL: queues quota: 0 rules found:
2013-08-13 10:33:26 [Security] debug ACL: Load Rules
2013-08-13 10:33:26 [Security] debug ACL: Processing  2 deny [*] *
2013-08-13 10:33:26 [Security] debug ACL: FoundMode deny
2013-08-13 10:33:26 [Security] debug ACL: Processing  1 allow [root@QPID] * *
2013-08-13 10:33:26 [Security] debug ACL: Adding actions {consume,publish,create,access,bind,unbind,delete,purge,update} to objects {queue,exchange,broker,link,method} with props { } for users {root@QPID}
2013-08-13 10:33:26 [Security] debug ACL: Transfer ACL is Enabled!
2013-08-13 10:33:26 [Security] info ACL Plugin loaded
2013-08-13 10:33:26 [Store] info Enabling management instrumentation for the store.
2013-08-13 10:33:26 [System] info Rdma: Disabled: no rdma devices found
2013-08-13 10:33:26 [Broker] notice Broker running
2013-08-13 10:33:38 [Network] info Set TCP_NODELAY on connection to [::1]:49312
2013-08-13 10:33:38 [Security] info SASL: Mechanism list: DIGEST-MD5 ANONYMOUS PLAIN
2013-08-13 10:33:38 [Security] info SASL: Starting authentication with mechanism: DIGEST-MD5
2013-08-13 10:33:38 [Security] debug ACL: Lookup for id: action:create objectType:link name: with params { }
2013-08-13 10:33:38 [Security] debug ACL: No successful match, defaulting to the decision mode deny

Works just fine with other auth methods.


Version-Release number of selected component (if applicable):
qpid-cpp-0.22-10
qpid-cpp-0.22-7


How reproducible:
100%

Steps to Reproduce:
1. ACL
acl allow root@QPID all all

acl deny all all

2. start 2 brokers

3. create regular authenticated link between them using digest-md5
qpid-route link add root/root@localhost:10000 root/root@localhost:5672 DIGEST-MD5

Actual results:
link creation is denied because user id is not passed to ACL module

Expected results:
user id should be passed to let ACL module make the right decision

Additional info:
Comment 1 Pavel Moravec 2014-03-10 10:21:48 EDT 
It is not ACL module issue, but rather broker itself one. 

The root cause is because ACL for links is checked after getting connection.startOk AMQP method. While DIGEST-MD5 (and other auth.methods) provide userId later on - during connection.secureOk AMQP method.

/me raised review request on https://reviews.apache.org/r/18968/ as I have minor questions about the patch there.
Comment 2 Pavel Moravec 2014-03-10 10:32:34 EDT 
FYI I saw the bug be valid also for CRAM-MD5 (and I guess also for GSSAPI and EXTERNAL/SSL) mechanisms.


My reproducer:


echo "acl allow guest@QPID all all

acl deny all all" > /root/qpidd.acl


killall qpidd
rm -rf _5672 _10000 qpidd.*.log
mkdir _5672 _10000
cp qpidd.sasldb _5672
cp qpidd.sasldb _10000
qpidd --port=5672 --acl-file=/root/qpidd.acl --auth=yes --log-to-file=qpidd.5672.log --trace --data-dir=_5672 --log-to-stdout=no --log-to-stderr=no --log-function=yes &
qpidd --port=10000 --acl-file=/root/qpidd.acl --auth=yes --log-to-file=qpidd.10000.log --trace --data-dir=_10000 --log-to-stdout=no --log-to-stderr=no &

sleep 2
qpid-route link add guest/guest@localhost:10000 guest/guest@localhost:5672
Comment 3 Pavel Moravec 2014-03-11 05:41:40 EDT 
Committed revision 1576248.
Comment 5 Zdenek Kraus 2015-01-12 06:50:05 EST 
tested on RHEL 6.6 i686 and x86_64 with following packages:
python-qpid-0.30-3
python-qpid-qmf-0.30-3
qpid-cpp-client-0.30-5
qpid-cpp-client-devel-0.30-5
qpid-cpp-client-rdma-0.30-5
qpid-cpp-debuginfo-0.30-5
qpid-cpp-server-0.30-5
qpid-cpp-server-devel-0.30-5
qpid-cpp-server-ha-0.30-5
qpid-cpp-server-linearstore-0.30-5
qpid-cpp-server-rdma-0.30-5
qpid-cpp-server-xml-0.30-5
qpid-java-client-0.30-3
qpid-java-common-0.30-3
qpid-java-example-0.30-3
qpid-jca-0.22-2
qpid-jca-xarecovery-0.22-2
qpid-proton-c-0.7-4
qpid-qmf-0.30-3
qpid-tools-0.30-3

fix works as expected.
->VERIFIED
Comment 7 errata-xmlrpc 2015-04-14 09:47:01 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-0805.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.