[
https://issues.apache.org/jira/browse/QPID-3614?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13149856#comment-13149856
]
Gordon Sim edited comment on QPID-3614 at 11/15/11 12:55 PM:
-------------------------------------------------------------
I don't believe it does use the specified user to publish messages, the
connection underlying the link was authenticated as anonymous (in my tests
anyway). Looking through the source code, it appears that transfers are *not*
subject to authorisation unless there are specific, explicit rules about it
(comments indicate this is due to concerns around performance otherwise).
Sadly I don't think this is documented, though the mechanism is listed as an
option in the usage statement for qpid-route.
was (Author: gsim):
I don't believe it does use the specified user to publish messages, the
connection underlying the link was authenticated as anonymous (in my tests
anyway). Looking through the source code, it appears that transfers are subject
to authorisation unless there are specific, explicit rules about it (comments
indicate this is due to concerns around performance otherwise).
Sadly I don't think this is documented, though the mechanism is listed as an
option in the usage statement for qpid-route.
> ACLs and federation links do not work
> -------------------------------------
>
> Key: QPID-3614
> URL: https://issues.apache.org/jira/browse/QPID-3614
> Project: Qpid
> Issue Type: Bug
> Components: C++ Broker
> Affects Versions: 0.12
> Environment: Built from source on ubuntu 10.04 x64
> Reporter: Brandon Pedersen
> Labels: acl, federation
>
> PROBLEM STATEMENT:
> I cannot get broker federation to work with ACLs enabled. I keep getting "ACL
> denied creating a federation link" even though my user has all permissions,
> on both brokers.
> STEPS TO REPRODUCE:
> - Create an acl file like the following:
> acl allow federation@QPID all all
> acl deny all all
> - Create the federation user in the sasl db
> - Using the following config:
> auth-realm=QPID
> log-enable=info+
> acl-file=/usr/local/etc/qpid/qpidd.acl
> sasl-config=/usr/local/etc/sasl2
> auth=yes
> - Start two brokers using the same config but different ports and data dirs
> (makes it easy to test the exact same authentication parameters for both
> brokers)
> - In my case I am create a queue push route, so create a queue and do:
> qpid-route queue add -s federation/password@localhost:5000
> federation/password@localhost:5001 amq.direct myqueue
> Note that the use of a push route does not matter, I tested push and pull and
> both fail, just want to point out that I am using a push route to ensure that
> gets tested as part of the fix for this.
> RESULTS:
> The connection fails to get created with an error: "ACL denied creating a
> federation link"
> In the debug log on the destination broker I see:
> 2011-11-11 15:50:20 debug ACL: Lookup for id: action:create objectType:link
> name: with params { }
> 2011-11-11 15:50:20 debug No successful match, defaulting to the decision
> mode deny
> It appear that the user ID is not getting sent across
> EXPECTED RESULTS:
> The federation link should work with proper ACLs in place
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:[email protected]
