Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1173543

Summary:	ACL QMF engine resolves queueRedirect call before ACL application
Product:	Red Hat Enterprise MRG	Reporter:	Zdenek Kraus <zkraus>
Component:	qpid-cpp	Assignee:	messaging-bugs <messaging-bugs>
Status:	CLOSED UPSTREAM	QA Contact:	Messaging QE <messaging-qe-bugs>
Severity:	high	Docs Contact:
Priority:	medium
Version:	Development	CC:	jross
Target Milestone:	3.3
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2025-02-10 03:43:45 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Zdenek Kraus 2014-12-12 11:54:47 UTC

Description of problem:
When redirecting already redirected queue, but as forbidden user, broker returns exception idicating queue is already redirected (ecode:65536, text: None, please see Bug 1173534), before it checks ACL and deny particular user

Version-Release number of selected component (if applicable):
qpid-cpp-server-0.30-4.el6.i686

How reproducible:
100%

Steps to Reproduce:
1. ACL:
acl deny UserB@QPID redirect queue 
acl allow all all

2. create 2 queues
qpid-config add queue a; qpid-config add queue b
3. redirect for the 1st time
qmf2_qpid_ctrl --broker UserA/UserA.75.113:5672 --connection-options "{  sasl_mechanisms : 'PLAIN' } --class broker --id amqp-broker queueRedirect sourceQueue=a targetQueue=b
4. subsequent redirection
qmf2_qpid_ctrl  --broker UserB/UserB.75.113:5672 --connection-options "{  sasl_mechanisms : 'PLAIN' } --class broker --id amqp-broker queueRedirect sourceQueue=a targetQueue=b

Actual results:
[3]
{}
[4]
{'_values': {'error_code': 65536, 'error_text': None}}

Expected results:
[4]
{'_values': {'error_code': 7, 'error_text': 'unauthorized-access: ACL denied redirect request from UserB@QPID (/builddir/build/BUILD/qpid-cpp-0.30/src/qpid/broker/Broker.cpp:1213)'}}

Additional info:
Please note that also "action:redirect object:queue" is not logged in debug+:acl mode with UserB@QPID

2014-12-12 12:52:33 [Security] debug ACL: Lookup for id:UserA@QPID action:access objectType:exchange name:qmf.default.topic with params { }
2014-12-12 12:52:33 [Security] debug ACL: No successful match, defaulting to the decision mode allow
2014-12-12 12:52:33 [Security] debug ACL: Lookup for id:UserA@QPID action:access objectType:exchange name:qmf.default.topic with params { durable=false autodelete=false type= alternate= }
2014-12-12 12:52:33 [Security] debug ACL: No successful match, defaulting to the decision mode allow
2014-12-12 12:52:33 [Security] debug ACL: Lookup for id:UserA@QPID action:create objectType:queue name:qmf.default.topic_51b91933-46c0-4b9a-9502-2bbedb0e1bbf with params { durable=false autodelete=true exclusive=true alternate= policytype=reject paging=false maxqueuesize=104857600 }
2014-12-12 12:52:33 [Security] debug ACL: No successful match, defaulting to the decision mode allow
2014-12-12 12:52:33 [Security] debug ACL: Lookup for id:UserA@QPID action:bind objectType:exchange name:qmf.default.topic with params { routingkey=direct.82ce0742-667e-437d-89ac-6be24eb015db queuename=qmf.default.topic_51b91933-46c0-4b9a-9502-2bbedb0e1bbf }
2014-12-12 12:52:33 [Security] debug ACL: No successful match, defaulting to the decision mode allow
2014-12-12 12:52:33 [Security] debug ACL: Lookup for id:UserA@QPID action:consume objectType:queue name:qmf.default.topic_51b91933-46c0-4b9a-9502-2bbedb0e1bbf with params { }
2014-12-12 12:52:33 [Security] debug ACL: No successful match, defaulting to the decision mode allow
2014-12-12 12:52:33 [Security] debug ACL: Lookup for id:UserA@QPID action:access objectType:exchange name:qmf.default.direct with params { routingkey= queuename=qmf.default.direct }
2014-12-12 12:52:33 [Security] debug ACL: No successful match, defaulting to the decision mode allow
2014-12-12 12:52:33 [Security] debug ACL: Lookup for id:UserA@QPID action:access objectType:exchange name:qmf.default.direct with params { durable=false autodelete=false type= alternate= }
2014-12-12 12:52:33 [Security] debug ACL: No successful match, defaulting to the decision mode allow
2014-12-12 12:52:33 [Security] debug ACL: Lookup for id:UserA@QPID action:access objectType:method name:queueRedirect with params { schemapackage=org.apache.qpid.broker schemaclass=broker }
2014-12-12 12:52:33 [Security] debug ACL: No successful match, defaulting to the decision mode allow
2014-12-12 12:52:33 [Security] debug ACL: Lookup for id:UserA@QPID action:redirect objectType:queue name:a with params { queuename=b }
2014-12-12 12:52:33 [Security] debug ACL: No successful match, defaulting to the decision mode allow
2014-12-12 12:52:33 [Security] debug ACL: Lookup for id:UserA@QPID action:delete objectType:queue name:qmf.default.topic_51b91933-46c0-4b9a-9502-2bbedb0e1bbf with params { durable=false autodelete=true exclusive=true alternate= policytype=reject }
2014-12-12 12:52:33 [Security] debug ACL: No successful match, defaulting to the decision mode allow
2014-12-12 12:52:40 [Security] debug ACL: Lookup for id:UserB@QPID action:access objectType:exchange name:qmf.default.topic with params { }
2014-12-12 12:52:40 [Security] debug ACL: No successful match, defaulting to the decision mode allow
2014-12-12 12:52:40 [Security] debug ACL: Lookup for id:UserB@QPID action:access objectType:exchange name:qmf.default.topic with params { durable=false autodelete=false type= alternate= }
2014-12-12 12:52:40 [Security] debug ACL: No successful match, defaulting to the decision mode allow
2014-12-12 12:52:40 [Security] debug ACL: Lookup for id:UserB@QPID action:create objectType:queue name:qmf.default.topic_922fa1b8-1ea1-4a08-9d40-bb74592f27f6 with params { durable=false autodelete=true exclusive=true alternate= policytype=reject paging=false maxqueuesize=104857600 }
2014-12-12 12:52:40 [Security] debug ACL: No successful match, defaulting to the decision mode allow
2014-12-12 12:52:40 [Security] debug ACL: Lookup for id:UserB@QPID action:bind objectType:exchange name:qmf.default.topic with params { routingkey=direct.5ea72c19-aa1e-4f3f-970b-f6b931a63e5f queuename=qmf.default.topic_922fa1b8-1ea1-4a08-9d40-bb74592f27f6 }
2014-12-12 12:52:40 [Security] debug ACL: No successful match, defaulting to the decision mode allow
2014-12-12 12:52:40 [Security] debug ACL: Lookup for id:UserB@QPID action:consume objectType:queue name:qmf.default.topic_922fa1b8-1ea1-4a08-9d40-bb74592f27f6 with params { }
2014-12-12 12:52:40 [Security] debug ACL: No successful match, defaulting to the decision mode allow
2014-12-12 12:52:40 [Security] debug ACL: Lookup for id:UserB@QPID action:access objectType:exchange name:qmf.default.direct with params { routingkey= queuename=qmf.default.direct }
2014-12-12 12:52:40 [Security] debug ACL: No successful match, defaulting to the decision mode allow
2014-12-12 12:52:40 [Security] debug ACL: Lookup for id:UserB@QPID action:access objectType:exchange name:qmf.default.direct with params { durable=false autodelete=false type= alternate= }
2014-12-12 12:52:40 [Security] debug ACL: No successful match, defaulting to the decision mode allow
2014-12-12 12:52:40 [Security] debug ACL: Lookup for id:UserB@QPID action:access objectType:method name:queueRedirect with params { schemapackage=org.apache.qpid.broker schemaclass=broker }
2014-12-12 12:52:40 [Security] debug ACL: No successful match, defaulting to the decision mode allow
2014-12-12 12:52:40 [Security] debug ACL: Lookup for id:UserB@QPID action:delete objectType:queue name:qmf.default.topic_922fa1b8-1ea1-4a08-9d40-bb74592f27f6 with params { durable=false autodelete=true exclusive=true alternate= policytype=reject }
2014-12-12 12:52:40 [Security] debug ACL: No successful match, defaulting to the decision mode allow

Comment 1 Justin Ross 2014-12-15 15:12:53 UTC

Chuck, you took a look at this.  Could you explain what you found?

Comment 2 Chuck Rolke 2014-12-15 18:49:27 UTC

The code checks for the queues to be in the proper sate before checking the ACL for user permission. A better security model would be to check the ACL user permission first and then the queue states. That would prevent information about the queues being exposed to unauthorized users.

Moving the ACL check up to beginning of the management method appears trivial.

Comment 3 Chuck Rolke 2014-12-15 20:06:18 UTC

Actually although the user permission is checked last there in no information leak about why the user could not redirect the queue when one of the queue state checks fails.

ACL FILE
========
acl deny zig@QPID redirect queue
acl allow all all

CONSOLE
=======
1 > qpid-config add queue a
2 > qpid-config add queue b

3 > qpid-ctrl -b zag/zag@localhost:5672 --class broker --id amqp-broker \
     queueRedirect sourceQueue=a targetQueue=b

4 > qpid-ctrl -b zag/zag@localhost:5672 --class broker --id amqp-broker \
     queueRedirect sourceQueue=a targetQueue=b
Error: error_code=65536 error_text= 

5 > qpid-ctrl -b zig/zig@localhost:5672 --class broker --id amqp-broker \
     queueRedirect sourceQueue=a targetQueue=b
Error: error_code=65536 error_text= 

The log message for commands 4 and 5 is the same:
  [Broker] error Queue redirect source queue: a is already redirected
but neither user sees that. The errors are masked by bz1173544 where the user sees 'error_code=65536' and no text.

Comment 7 Red Hat Bugzilla 2025-02-10 03:43:45 UTC

This product has been discontinued or is no longer tracked in Red Hat Bugzilla.