Bug 849788 - ERD 4.1.3: Acl-1000-6, Substitution symbol for the actual user name in an ACL
Status: CLOSED ERRATA
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-cpp (Show other bugs)
2.1.2
Unspecified Unspecified
high Severity high
: 2.3
: ---
Assigned To: Chuck Rolke
Zdenek Kraus
: FutureFeature
Depends On:
Blocks: 808578 852579
Reported: 2012-08-20 17:20 EDT by Irina Boverman
Modified: 2013-04-15 20:48 EDT (History)

See Also:
Fixed In Version: qpid-cpp-0.18-1
Doc Type: Enhancement
Doc Text:
CAUSE: Specifying Acl rules that allow named users to create named objects requires an endless number of Acl rules. CONSEQUENCE: Administrators must keep adding users to the Acl file to allow the users to use the broker. FIX: User name substitution keywords are added to the Acl file so that a single rule may apply to all users. Keywords are created to substitute for the user name, the domain name, or the user and the domain name together. Keyword substitution is allowed for object names, routing key names, alternate exchange names, and queue names. Actual user and domain names are normalized. Periods and ampersands are replaced with underscores. RESULT: Any single rule using a name substitution may apply to thousands of different users, thus saving Acl file overhead and maintenance. A simple set of Acl rules can give users freedom to create per user or per domain private resources by limiting the resource to contain the user's name or domain. Coincidentally, the same users are prevented from creating random resources, as the names of what they can create are strictly controlled.
Story Points: ---
Clone Of:
: 852579 (view as bug list)
Environment:
Last Closed: 2013-03-06 13:51:42 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Irina Boverman 2012-08-20 17:20:03 EDT
Description of problem:

See Milan ERD/PRD.
Also tracked upstream as QPID-4230.

Comment 2 Zdenek Kraus 2012-08-22 12:10:37 EDT
Could you please specify details of this functionality?
 1/ How is the substitution used? Like queue-name=myqueue.$USER?
 2/ What is the expected behaviour for a username that contains '.'?
 3/ Is the substitution performed completely with @DOMAIN? For example, will a rule specified with queue-name=myqueue.$USER for user1@QPID substitute to myqueue.user1@QPID?
Comment 3 Chuck Rolke 2012-08-23 16:49:35 EDT
Please see comment dated 20/Aug/12 18:59 in https://issues.apache.org/jira/browse/QPID-4230
Comment 4 Chuck Rolke 2012-08-23 16:49:35 EDT
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
CAUSE:
Specifying Acl rules that allow named users to create named objects requires an endless number of Acl rules.

CONSEQUENCE:
Administrators must keep adding users to the Acl file to allow the users to use the broker.

FIX:
User name substitution keywords are added to the Acl file so that a single rule may apply to all users. 
Keywords are created to substitute for the user name, the domain name, or the user and the domain name together. 
Keyword substitution is allowed for object names, routing key names, alternate exchange names, and queue names.
Actual user and domain names are normalized. Periods and ampersands are replaced with underscores.

RESULT:
Any single rule using a name substitution may apply to thousands of different users, thus saving Acl file overhead and maintenance.
A simple set of Acl rules can give users freedom to create per user or per domain private resources by limiting the resource to contain the user's name or domain. Coincidentally, the same users are prevented from creating random resources, as the names of what they can create are strictly controlled.
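The substitution scheme the technical note describes, as an added example that is not part of the bug report or of qpid-cpp's own code. The keyword spellings ${user}, ${domain} and ${userdomain}, the split of the authenticated name at '@', the '_' join for the combined keyword and the deny-on-no-match fallback are assumptions; the rule syntax is a simplified subset of the broker ACL file format.

```python
# Constructed model of ACL user-name substitution; keyword spelling, the '@' split,
# the '_' join and the default-deny fallback are assumptions, not qpid-cpp's code.

def normalize(part):
    """Normalize a name as the note describes: periods and ampersands become underscores."""
    return part.replace(".", "_").replace("&", "_")

def substitutions(actual_user):
    """Map each keyword to its value for one authenticated user such as 'user1@QPID'."""
    user, _, domain = actual_user.partition("@")
    user, domain = normalize(user), normalize(domain)
    userdomain = f"{user}_{domain}" if domain else user  # assumed join character
    return {"${userdomain}": userdomain, "${user}": user, "${domain}": domain}

def expand(pattern, actual_user):
    """Replace every keyword in an ACL property value with the user's normalized names."""
    for keyword, value in substitutions(actual_user).items():
        pattern = pattern.replace(keyword, value)
    return pattern

def parse_rule(line):
    """Parse 'acl <allow|deny> <user|all> <action|all> [<object|all>] [name=...]'."""
    fields = line.split()
    obj = fields[4] if len(fields) > 4 and "=" not in fields[4] else "all"
    props = dict(field.split("=", 1) for field in fields[4:] if "=" in field)
    return {"allow": fields[1] == "allow", "who": fields[2],
            "action": fields[3], "object": obj, "props": props}

def is_allowed(rules, actual_user, action, obj, name):
    """First matching rule decides; a name property is compared after expansion."""
    for rule in map(parse_rule, rules):
        if rule["who"] not in ("all", actual_user):
            continue
        if rule["action"] not in ("all", action) or rule["object"] not in ("all", obj):
            continue
        wanted = rule["props"].get("name")
        if wanted is not None and expand(wanted, actual_user) != name:
            continue
        return rule["allow"]
    return False  # assumed fallback when no rule matches

# Constructed rule set: one rule for per-user and one for per-user-and-domain resources.
ACL_RULES = [
    "acl allow all create queue name=${user}.private",
    "acl allow all create queue name=${userdomain}_work",
    "acl deny all all",
]
```

Because the expanded name is compared whole, a user can only create the queue names the rule shapes for them; user2's private queue is refused to user1 by the same two rules.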
Comment 6 Zdenek Kraus 2012-11-29 07:05:48 EST
Tested on RHEL 6.3, RHEL 6.4, RHEL 5.8 and RHEL 5.9 on architectures i686 and x86_64
Testing packages:
qpid-cpp-client-0.18-9.el5
qpid-cpp-server-0.18-9.el5

qpid-cpp-client-0.18-9.el6
qpid-cpp-server-0.18-9.el6

qpid-cpp-client-0.18-10.el6_3
qpid-cpp-server-0.18-10.el6_3

qpid-cpp-client-0.18-10.el5
qpid-cpp-server-0.18-10.el5

Feature is operational as expected -> VERIFIED.
Comment 7 Zdenek Kraus 2013-01-17 08:05:36 EST
Feature was successfully retested on RHEL 5.9 and 6.4 on i686 and x86_64 with packages
qpid-cpp-server-0.18-13
Comment 9 errata-xmlrpc 2013-03-06 13:51:42 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0561.html