Bug 1005243 - newHA with auth=yes has to specifically allow link creation in ACLs
newHA with auth=yes has to specifically allow link creation in ACLs
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: Messaging_Installation_and_Configuration_Guide (Show other bugs)
All All
high Severity high
: 3.0
: ---
Assigned To: Jared MORGAN
Eric Sammons
Depends On:
  Show dependency treegraph
Reported: 2013-09-06 09:52 EDT by Pavel Moravec
Modified: 2015-08-09 21:23 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-01-22 10:27:21 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 476133 None None None Never

  None (edit)
Description Pavel Moravec 2013-09-06 09:52:58 EDT
Description of problem:
Due to QPID-4631 / bz851355 (see e.g. "Doc Text" there), federation links are disallowed by default with auth=yes. That brings a problem for newHA that relies on federation.

Therefore it is required to document that when newHA is used with authentication, ACLs have to specifically allow link creation like:

acl allow <ha-username> create link

Version-Release number of selected component (if applicable):
doc for MRG-M 3.0

How reproducible:
n.a. (doc issue)

Steps to Reproduce:
to reproduce the _problem_ with auth=yes and no ACL:

1) configure 2 brokers in newHA cluster with /etc/qpid/qpidd.conf:


2) start first broker and "qpid-ha promote" it
3) try to start 2nd broker

Actual results:
2nd broker startup fails with:

warning Client closed connection with 320: User guest@QPID federation connection denied. Systems with authentication enabled must specify ACL create link rules. (/root/rpmbuild/BUILD/qpid-0.22/cpp/src/qpid/broker/ConnectionHandler.cpp:214)

Expected results:
User reads in MICG that ACLs need to be set up:)

Additional info:
Comment 2 Leonid Zhaldybin 2014-01-08 04:43:54 EST
The ACL configuration necessary for the new HA is documented properly.

Note You need to log in before you can comment on or make changes to this bug.