Chuck Rolke created QPID-6279:
---------------------------------
Summary: C++ Broker ACL connection management is incomplete
Key: QPID-6279
URL: https://issues.apache.org/jira/browse/QPID-6279
Project: Qpid
Issue Type: Bug
Components: C++ Broker
Affects Versions: 0.30
Reporter: Chuck Rolke
Assignee: Chuck Rolke
ACL has allow and deny rules for connections. Rules specified for user _all_
are treated specially: they are processed ahead of rules specified for named
users or groups. The intent was to allow ACL to operate at the socket level. The
_all_ rules are applied immediately after the socket is accepted but before any
AMQP traffic is read or written. These rules let the system deny connections
from various addresses quickly and with a lower resource overhead.
Currently the way the _all_ rules are implemented is flawed: if an _all_ rule
is matched then it controls the connection decision. Consider these rules:
{noformat}
acl allow-log all create connection host=$SOME_HOST
acl deny-log bob@QPID create connection host=all
{noformat}
When bob tries to connect from $SOME_HOST then he is allowed. Using the current
rule processing the simple logic of this example is almost impossible to
achieve.
I propose several changes to improve ACL connection control:
* Socket-level rules are created explicitly with a new ACL object
_preconnection_. User name _all_ is no longer used for differentiating
socket-level and user-level rules.
* Preconnection rules must be specified for user _all_. User identities have
not been negotiated yet and are unknown so specifying a user name here makes no
sense. Only user _all_ is allowed.
* Preconnection rules may have a user _all_ and host _all_ mode specifier to
control the connection action to take when no other socket-level rule matches.
* Connection rules that specify user names are processed in addition to the
preconnection rules. That is, just because a rule matches a preconnection rule
and allows a connection, that does not bypass the second set of rule checks
that determine whether an individual user may connect or not.
* Connection rules may be specified with the _all_ user and are processed after
the user identity has been negotiated.
The net result of this change is that there will be two sets of connection
rules. The *preconnection* rules are processed in ACL-file-order to allow or
deny the connection. If the connection is allowed then the AMQP protocol is
allowed to start and negotiate AMQP version, encryption, and user identity.
Then the *connection* rules are processed in ACL-file-order to further allow or
deny the connection.
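The two-phase evaluation proposed above, as an added example that is not part of this issue or of the Qpid broker code. The `preconnection` rule syntax, the `create` action token on those rules, and the default verdict for a phase with no matching rule are assumptions made for illustration; the sample ACL and addresses are constructed.

```python
# Added example, not Qpid broker code. Models the two-phase connection check
# proposed in this issue; the "preconnection" rule syntax and the default
# verdict for a phase with no matching rule are assumptions for illustration.

def parse_acl(text):
    """Parse 'acl <allow|deny>[-log] <user> [create] <object> [host=X]' lines
    into (allow, user, obj, host) tuples, keeping ACL-file order."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] != "acl":
            continue
        verdict, user = toks[1], toks[2]
        rest = [t for t in toks[3:] if t != "create"]
        obj, props = rest[0], dict(t.split("=", 1) for t in rest[1:])
        if obj == "preconnection" and user != "all":
            # the user identity is unknown at socket accept time, so only 'all' is legal
            raise ValueError("preconnection rules must name user all: " + line)
        rules.append((verdict.startswith("allow"), user, obj, props.get("host", "all")))
    return rules

def _first_match(rules, obj, user, host):
    """The first rule for `obj` (in file order) whose user and host match decides."""
    for allow, r_user, r_obj, r_host in rules:
        if r_obj == obj and r_user in ("all", user) and r_host in ("all", host):
            return allow
    return None

def check_connection(rules, host, user, default=True):
    """Verdict for a socket from `host` whose client later authenticates as `user`."""
    pre = _first_match(rules, "preconnection", "all", host)
    if not (default if pre is None else pre):
        return "denied-preconnection"   # dropped before any AMQP traffic is read
    conn = _first_match(rules, "connection", user, host)
    return "allowed" if (default if conn is None else conn) else "denied-connection"

# Constructed sample ACL: only one address may reach the broker, and bob may never connect.
ACL_TEXT = """
acl allow-log all create preconnection host=10.0.0.5
acl deny-log all create preconnection host=all
acl deny-log bob@QPID create connection host=all
acl allow all create connection host=all
"""
RULES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    for host, user in [("10.0.0.5", "bob@QPID"), ("10.0.0.5", "alice@QPID"), ("192.0.2.9", "alice@QPID")]:
        print(host, user, "->", check_connection(RULES, host, user))
```

With these rules bob from the permitted address passes the socket-level check but is still denied by the user-level connection rule, which is exactly the case the current single-pass `_all_` handling cannot express.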
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)