Bug 1122499 - qpid-route does not report ACL denial
Summary: qpid-route does not report ACL denial
Keywords:
Status: CLOSED DUPLICATE of bug 797073
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-tools
Version: 3.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: 3.2
: ---
Assignee: Ernie
QA Contact: MRG Quality Engineering
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-07-23 11:44 UTC by Leonid Zhaldybin
Modified: 2015-09-28 13:20 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-07-30 11:22:40 UTC


Attachments (Terms of Use)

Description Leonid Zhaldybin 2014-07-23 11:44:35 UTC
Description of problem:
In case that the link creation on the broker fails because of ACL denial, qpid-route tool does not return any error. Example:

There are two brokers running on two different machines. Their configuration files are the same:
[root@lzhaldyb-rhel65i ~]# cat /etc/qpid/qpidd.acl
acl deny all create link
acl allow all all

[root@lzhaldyb-rhel65i ~]# cat /etc/qpid/qpidd.conf
auth=yes
log-enable=info+
log-to-file=/var/lib/qpidd/qpidd.log
acl-file=/etc/qpid/qpidd.acl

The attempt to create queue route from the queue fed.q on the one broker to the fed.ex exchange on the second broker fails due to ACL denial, the destination broker says "[Broker] warning Client closed connection with 320: ACL denied  creating a federation link". The qpid-route, however, does not report any problem:
[root@lzhaldyb-rhel65x ~]# qpid-route queue add user/password@192.168.65.1:5672 user/password@192.168.65.3:5672 fed.ex fed.q
[root@lzhaldyb-rhel65x ~]# echo $?
0

Version-Release number of selected component (if applicable):
qpid-tools-0.22-13.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1. Configure ACL rule to deny link creation on destination broker.
2. Try to create a route to destination broker using qpid-route tool.
3.

Actual results:
Route is not created due to ACL denial, the tool does not return any error.

Expected results:
Route is not created, the tool reports the error.

Additional info:
In case that no ACL rules are provided on the destination broker (no "acl-file" directive in qpidd.conf), the warning in broker's log is different: "[Broker] warning Client closed connection with 320: User  federation connection denied. Systems with authentication enabled must specify ACL create link rules." But the result is the same - no route is created (which is what's supposed to happen under these conditions), and no error reported by qpid-route (which is wrong).

Comment 1 Pavel Moravec 2014-07-30 11:22:40 UTC

*** This bug has been marked as a duplicate of bug 797073 ***


Note You need to log in before you can comment on or make changes to this bug.