qpid already has some support for authorization of QMF methods and queries. Many (or maybe all?) QMF methods call:
bool Manageable::AuthorizeMethod(uint32_t, Args&, const std::string&)
I suppose this is required:
- ensure the method is called by invoking any QMF method/query
- call ACL stuff from the AuthorizeMethod
- enhance ACLs according to QMF methods and its arguments
Created attachment 899491
patch proposal (initial draft)
Initial version of patch for the same.
What is missing there:
- on ACL denial, provide better text than "Forbidden" (raise framing::UnauthorizedAccessException).
- add some automated tests
example acl file:
acl deny all purge queue name=q
acl deny all move queue name=q queuename=w
acl deny all redirect queue name=q queuename=w
acl deny all reroute queue name=q exchangename=amq.fanout
acl deny all delete queue name=q
acl allow all all
Chuck, would you be ok with this proposal, including naming? Thanks.
The code looks good to me; the names are ok.
The only thing it needs is a few tests added to qpid/cpp/src/tests/acl.py.
Created attachment 902128
Patch proposal, including automated tests enhancement.
Automated tests depend on QPID-5797 / commit https://svn.apache.org/r1599221 (trivial change in qpid-tools). Fix in broker does _not_ depend on QPID-5797.
/me to post a patch for relevant 1101533 as well and send both to upstream for a review.
Upstream review request: https://reviews.apache.org/r/22606/
Committed as r1603364.
The QMF methods mentioned in Comment 8 were tested on RHEL6 i686 and x86_64 with the following packages:
ACL rules for the above-mentioned QMF methods work as expected, except for the following issues:
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.