Bug 1005243 - newHA with auth=yes has to specifically allow link creation in ACLs
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: Messaging_Installation_and_Configuration_Guide
3.0
All All
high Severity high
: 3.0
: ---
Assigned To: Jared MORGAN
Eric Sammons
Reported: 2013-09-06 09:52 EDT by Pavel Moravec
Modified: 2015-08-09 21:23 EDT
Doc Type: Bug Fix
Last Closed: 2015-01-22 10:27:21 EST
Type: Bug
External Trackers:
Red Hat Knowledge Base (Solution) 476133 (Priority: None, Status: None, Summary: None, Last Updated: Never)

Description Pavel Moravec 2013-09-06 09:52:58 EDT
Description of problem:
Due to QPID-4631 / bz851355 (see e.g. "Doc Text" there), federation links are disallowed by default with auth=yes. That brings a problem for newHA that relies on federation.

Therefore it is required to document that when newHA is used with authentication, ACLs have to specifically allow link creation like:

acl allow <ha-username> create link


Version-Release number of selected component (if applicable):
doc for MRG-M 3.0


How reproducible:
n.a. (doc issue)


Steps to Reproduce:
to reproduce the _problem_ with auth=yes and no ACL:

1) configure 2 brokers in newHA cluster with /etc/qpid/qpidd.conf:

log-to-file=/tmp/qpidd.log
ha-replicate=all
ha-cluster=yes
ha-brokers-url=node1,node2
auth=yes
ha-username=guest
ha-password=guest
ha-mechanism=PLAIN
trace=yes

2) start first broker and "qpid-ha promote" it
3) try to start 2nd broker


Actual results:
2nd broker startup fails with:

warning Client closed connection with 320: User guest@QPID federation connection denied. Systems with authentication enabled must specify ACL create link rules. (/root/rpmbuild/BUILD/qpid-0.22/cpp/src/qpid/broker/ConnectionHandler.cpp:214)


Expected results:
User reads in MICG that ACLs need to be set up:)


Additional info:
Comment 2 Leonid Zhaldybin 2014-01-08 04:43:54 EST
The ACL configuration necessary for the new HA is documented properly.
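
Added example (not part of the bug report or of Qpid itself): a pre-start lint that checks whether a qpidd.conf with auth=yes and ha-cluster=yes is paired with an ACL file that lets the ha-username create links, the condition whose absence produces the "federation connection denied" warning above. The function names, the first-match rule evaluation and the sample ACL lines are assumptions of this sketch.

```python
def parse_conf(text):
    """Parse key=value lines of qpidd.conf, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def link_decision(acl_text, user):
    """Return 'allow', 'deny' or None for `user` doing 'create link'.

    Assumptions of this sketch: the first matching rule decides, users may
    carry an @REALM suffix, and rules with property constraints are skipped.
    """
    groups = {}
    for line in acl_text.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 2 and tok[0] == "group":
            groups[tok[1]] = {m.split("@")[0] for m in tok[2:]}
        elif len(tok) in (4, 5) and tok[0] == "acl":
            perm, who, action = tok[1:4]
            obj = tok[4] if len(tok) == 5 else "all"
            who_ok = (who == "all" or who.split("@")[0] == user
                      or user in groups.get(who, ()))
            if who_ok and action in ("create", "all") and obj in ("link", "all"):
                return "allow" if perm.startswith("allow") else "deny"
    return None


def check_ha_acl(conf_text, acl_text):
    """Return findings; an empty list means HA link creation is allowed."""
    conf = parse_conf(conf_text)
    if conf.get("auth") != "yes" or conf.get("ha-cluster") != "yes":
        return []
    user = conf.get("ha-username", "").split("@")[0]
    if not user:
        return ["ha-username is not set"]
    if link_decision(acl_text, user) != "allow":
        return [f"no rule lets {user} create links; add: acl allow {user} create link"]
    return []


# Constructed samples: a subset of the report's qpidd.conf and two ACL files.
CONF = "ha-cluster=yes\nha-brokers-url=node1,node2\nauth=yes\nha-username=guest\n"
ACL_BAD = "acl allow admin@QPID all all\nacl deny all all\n"
ACL_GOOD = "acl allow guest@QPID create link\n" + ACL_BAD
```

Run check_ha_acl over the contents of the broker's config file and its ACL file on each cluster node before starting the backup broker; a non-empty result names the rule to add.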
