Red Hat Bugzilla – Bug 784957
Qpid broker ACL processing produces unexpected results
Last modified: 2015-11-15 20:13:48 EST
Description of problem:
ACL processing discards specific allow or deny acl commands.

Version-Release number of selected component (if applicable):
any to date: testing on 0.14 upstream trunk

How reproducible:
100%

Steps to Reproduce:
1. Paste this test into the acl.py test code (qpid.session is already imported there):

    def test_a_group_override_allow_mode(self):
        # bob is explicitly allowed, then denied through group membership,
        # then the file ends with a catch-all allow
        aclf = self.get_acl_file()
        aclf.write('group admins bob@QPID joe@QPID \n')
        aclf.write('acl allow bob@QPID create queue \n')
        aclf.write('acl deny admins create queue \n')
        aclf.write('acl allow all all')
        aclf.close()
        result = self.reload_acl()
        if (result.text.find("format error",0,len(result.text)) != -1):
            self.fail(result)

        session = self.get_session('bob','bob')
        try:
            session.queue_declare(queue='q1')
        except qpid.session.SessionException as e:
            # 403 is the broker's ACL denial
            if (403 == e.args[0].error_code):
                self.fail("ACL should allow create queue request")

2. Run ./run_acl_tests

Actual results:
The test fails as bob is denied the right to create queue 'q1'.

Expected results:
User bob should be allowed to create queue 'q1'.

Additional info:
Internally, since the last ACL line is 'allow all all', all other 'allow' acl rules are discarded and only deny acl rules remain. bob, being a member of group admins, is then denied. Similarly, with a 'deny all all' list, all other 'deny' acl rules are discarded.
Fixed upstream at r1295730 1-Mar-2012. See also https://issues.apache.org/jira/browse/QPID-3799
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
CAUSE: Acl processing logic discarded certain rules in a premature optimization.
CONSEQUENCE: Some sequences of rules would not work. (See Description)
FIX: Keep all Acl rules and process them in the order given.
RESULT: Allow and Deny rules may be intermixed and give the expected allow or deny result.
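To make the cause and fix in this note concrete, the following is an added Python model (not Qpid's own code) of the ACL evaluation described in the bug: every rule is kept and the first match in file order wins, while evaluate_buggy reproduces the reported pruning of same-permission rules when the file ends in 'allow all all' or 'deny all all'. The parser and the implicit deny when no rule matches are assumptions simplified from the rule syntax quoted in the description.

```python
# Added example, not code from Qpid: a minimal model of the ACL evaluation
# this bug is about. Rule/group syntax follows the lines quoted above; the
# parser and the implicit deny-if-nothing-matches default are assumptions.

def parse_acl(text):
    """Return (groups, rules) from ACL text; rules keep file order."""
    groups, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == 'group':
            groups[parts[1]] = set(parts[2:])
        elif parts[0] == 'acl':
            obj = parts[4] if len(parts) > 4 else 'all'
            rules.append((parts[1], parts[2], parts[3], obj))
    return groups, rules

def _matches(rule, groups, user, action, obj):
    perm, actor, r_action, r_obj = rule
    actor_ok = actor in ('all', user) or user in groups.get(actor, ())
    return actor_ok and r_action in ('all', action) and r_obj in ('all', obj)

def evaluate(groups, rules, user, action, obj):
    """Fixed behaviour: keep every rule, first match in file order wins."""
    for rule in rules:
        if _matches(rule, groups, user, action, obj):
            return rule[0]
    return 'deny'

def evaluate_buggy(groups, rules, user, action, obj):
    """Models the defect: a trailing 'allow all all' (or 'deny all all')
    made the loader drop every other rule of the same permission."""
    last = rules[-1]
    if last[1:] == ('all', 'all', 'all'):
        rules = [r for r in rules if r[0] != last[0]] + [last]
    return evaluate(groups, rules, user, action, obj)

# Constructed sample: the ACL file from the bug's reproducer.
ACL_FILE = """group admins bob@QPID joe@QPID
acl allow bob@QPID create queue
acl deny admins create queue
acl allow all all
"""

if __name__ == '__main__':
    groups, rules = parse_acl(ACL_FILE)
    for fn in (evaluate_buggy, evaluate):
        print(fn.__name__, fn(groups, rules, 'bob@QPID', 'create', 'queue'))
```

Running it prints deny for the buggy evaluation and allow for the fixed one, matching the test's actual and expected results.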
The issue has been fixed (above ACL unit test does not fail anymore).

Retested on RHEL 5.9 beta / 6.3 i[36]86 / x86_64 using packages:
python-qpid-0.18-4.el5
python-qpid-qmf-0.18-6.el5
qpid-cpp-client-0.18-7.el5
qpid-cpp-client-devel-0.18-7.el5
qpid-cpp-client-devel-docs-0.18-7.el5
qpid-cpp-client-rdma-0.18-7.el5
qpid-cpp-client-ssl-0.18-7.el5
qpid-cpp-mrg-debuginfo-0.18-7.el5
qpid-cpp-server-0.18-7.el5
qpid-cpp-server-cluster-0.18-7.el5
qpid-cpp-server-devel-0.18-7.el5
qpid-cpp-server-rdma-0.18-7.el5
qpid-cpp-server-ssl-0.18-7.el5
qpid-cpp-server-store-0.18-7.el5
qpid-cpp-server-xml-0.18-7.el5
qpid-java-client-0.18-5.el5
qpid-java-common-0.18-5.el5
qpid-java-example-0.18-5.el5
qpid-jca-0.18-5.el5
qpid-jca-xarecovery-0.18-5.el5
qpid-jca-zip-0.18-5.el5
qpid-qmf-0.18-6.el5
qpid-qmf-debuginfo-0.18-6.el5
qpid-qmf-devel-0.18-6.el5
qpid-tests-0.18-2.el5
qpid-tools-0.18-5.el5
rh-qpid-cpp-tests-0.18-7.el5
ruby-qpid-qmf-0.18-6.el5

-> VERIFIED
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0561.html