[jira] Created: (QPID-2108) ACL Enhancement to support queue limit policies

2009-09-17 Thread Tim Platten (JIRA)
ACL Enhancement to support queue limit policies
---

 Key: QPID-2108
 URL: https://issues.apache.org/jira/browse/QPID-2108
 Project: Qpid
  Issue Type: Improvement
  Components: C++ Broker
Affects Versions: 0.5
Reporter: Tim Platten


It is a requirement for us to be able to enforce queue limit policies using the 
ACL authorisation mechanism. I therefore propose the following enhancement:

Add three new properties to the "create queue" rule: limitpolicy, maxqueuesize 
and maxqueuecount. The policy test can be implemented using existing code, but 
the numeric limits require a less-than-or-equal test. I.e. if a value for 
maxqueuesize is specified in the ACL file, an exception will be thrown if a 
value greater than this is specified in declareQueue. A value less than or 
equal would be acceptable. If maxqueuecount and/or maxqueuesize were omitted 
from the rule or specified as zero, the corresponding check would interpret the 
value as "unlimited". 

Proposed code changes follow (prefixed with change-bar "|").

AclModule.h
.
.
.
enum Property {PROP_NAME, PROP_DURABLE, PROP_OWNER, PROP_ROUTINGKEY,
   PROP_PASSIVE, PROP_AUTODELETE, PROP_EXCLUSIVE, PROP_TYPE,
   PROP_ALTERNATE, PROP_QUEUENAME, PROP_SCHEMAPACKAGE,
|  PROP_SCHEMACLASS, PROP_LIMITPOLICY, PROP_MAXQUEUESIZE, 
PROP_MAXQUEUECOUNT};
.
.
.
static inline Property getProperty(const std::string& str) {
if (str.compare("name") == 0) return PROP_NAME;
if (str.compare("durable") == 0) return PROP_DURABLE;
if (str.compare("owner") == 0) return PROP_OWNER;
if (str.compare("routingkey") == 0) return PROP_ROUTINGKEY;
if (str.compare("passive") == 0) return PROP_PASSIVE;
if (str.compare("autodelete") == 0) return PROP_AUTODELETE;
if (str.compare("exclusive") == 0) return PROP_EXCLUSIVE;
if (str.compare("type") == 0) return PROP_TYPE;
if (str.compare("alternate") == 0) return PROP_ALTERNATE;
if (str.compare("queuename") == 0) return PROP_QUEUENAME;
if (str.compare("schemapackage") == 0) return PROP_SCHEMAPACKAGE;
if (str.compare("schemaclass") == 0) return PROP_SCHEMACLASS;
|   if (str.compare("limitpolicy") == 0) return PROP_LIMITPOLICY;
|   if (str.compare("maxqueuesize") == 0) return PROP_MAXQUEUESIZE;
|   if (str.compare("maxqueuecount") == 0) return PROP_MAXQUEUECOUNT;

throw str;
}
static inline std::string getPropertyStr(const Property p) {
switch (p) {
  case PROP_NAME: return "name";
  case PROP_DURABLE: return "durable";
  case PROP_OWNER: return "owner";
  case PROP_ROUTINGKEY: return "routingkey";
  case PROP_PASSIVE: return "passive";
  case PROP_AUTODELETE: return "autodelete";
  case PROP_EXCLUSIVE: return "exclusive";
  case PROP_TYPE: return "type";
  case PROP_ALTERNATE: return "alternate";
  case PROP_QUEUENAME: return "queuename";
  case PROP_SCHEMAPACKAGE: return "schemapackage";
  case PROP_SCHEMACLASS: return "schemaclass";
| case PROP_LIMITPOLICY: return "limitpolicy";
| case PROP_MAXQUEUESIZE: return "maxqueuesize";
| case PROP_MAXQUEUECOUNT: return "maxqueuecount";
  default: assert(false); // should never get here
}
return "";
}
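Review bot: getProperty() and getPropertyStr() gain the three names, but nothing in these hunks validates the values given for maxqueuesize and maxqueuecount when the ACL file is loaded. Because the description relies on a numeric less-than-or-equal test, a rule value that is not a non-negative integer should be rejected at load time with the offending rule reported, rather than surfacing on the first declare. It would also help to document beside PROP_MAXQUEUESIZE and PROP_MAXQUEUECOUNT that zero means unlimited.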
.
.
.
// == Queues ==

propSetPtr p4(new propSet);
|   p4->insert(PROP_ALTERNATE);
|   p4->insert(PROP_PASSIVE);
|   p4->insert(PROP_DURABLE);
|   p4->insert(PROP_EXCLUSIVE);
|   p4->insert(PROP_AUTODELETE);
|   p4->insert(PROP_LIMITPOLICY);
|   p4->insert(PROP_MAXQUEUESIZE);
|   p4->insert(PROP_MAXQUEUECOUNT);
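Review bot: The p3-to-p4 correction is folded into this feature change: every p4->insert line carries a change bar, including the five existing queue properties. That correction changes which properties the existing queue rules accept independently of the new limits, so consider submitting it as its own fix with a test and keeping this hunk to the three new inserts for PROP_LIMITPOLICY, PROP_MAXQUEUESIZE and PROP_MAXQUEUECOUNT.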

Note that currently (Qpid 0.5) this code appears to be incorrectly 
dereferencing p3 instead of p4.

SessionAdapter.cpp
.
.
.
void SessionAdapter::QueueHandlerImpl::declare(const string& name, const 
string& alternateExchange,
   bool passive, bool durable, bool 
exclusive,
   bool autoDelete, const 
qpid::framing::FieldTable& arguments)
{
AclModule* acl = getBroker().getAcl();
if (acl) {
std::map params;
params.insert(make_pair(acl::PROP_ALTERNATE, alternateExchange));
params.insert(make_pair(acl::PROP_PASSIVE, std::string(passive ? "true" 
: "false") ));
params.insert(make_pair(acl::PROP_DURABLE, std::string(durable ? "true" 
: "false")));
params.insert(make_pair(acl::PROP_EXCLUSIVE, std::string(exclusive ? 
"true" : "false")));
params.insert(make_pair(acl::PROP_AUTODELETE, std::string(autoDelete ? 
"true" : "false")));
|   params.insert(make_pair(acl::PROP_LIMITPOLICY, 
arguments.getAsString("qpid.policy_type")));
|   params.insert(make_pair(acl::PROP_MAXQUEUECOUNT, 
boost::
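Review bot: On the PROP_LIMITPOLICY and PROP_MAXQUEUECOUNT inserts, the case where the client omits the argument is not handled visibly: arguments.getAsString("qpid.policy_type") goes straight into params, and the description defines zero or absent only for the rule side. Please state what the ACL compares against when the declare carries no limit or a zero limit; if that results in an unbounded queue on the broker, a plain less-than-or-equal test would admit it under a rule that sets a maximum, so the check should treat it as exceeding the limit.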

[jira] Created: (QPID-2107) Bug in ACL processing of exchangeBound()

2009-09-17 Thread Tim Platten (JIRA)
Bug in ACL processing of exchangeBound()


 Key: QPID-2107
 URL: https://issues.apache.org/jira/browse/QPID-2107
 Project: Qpid
  Issue Type: Bug
  Components: C++ Broker
Affects Versions: 0.5
Reporter: Tim Platten


There is a bug in ACL exchangeBound() processing which incorrectly checks the 
"create exchange" action instead of "access exchange". 

ACL: 
acl allow tes...@qpid access exchange name=foo 

Code: 
result = session->exchangeBound("foo"); 

Broker: 
2009-sep-08 09:12:17 info ACL Deny id:tes...@qpid action:create 
ObjectType:exchange Name:eurex.baclo
2009-sep-08 09:12:17 error Execution exception: not-allowed: ACL denied exhange 
bound request from tes...@qpid (qpid/broker/SessionAdapter.cpp:234)

I believe this is due to a bug in SessionAdapter::ExchangeHandlerImpl::bound
    if (!acl->authorise(getConnection().getUserId(),acl::ACT_CREATE,acl::OBJ_EXCHANGE,exchangeName,&params))
should read:
    if (!acl->authorise(getConnection().getUserId(),acl::ACT_ACCESS,acl::OBJ_EXCHANGE,exchangeName,&params))

Additionally, there is a typo where "exchange" is incorrectly spelt "exhange" 
in most ACL messages.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


-
Apache Qpid - AMQP Messaging Implementation
Project:  http://qpid.apache.org
Use/Interact: mailto:dev-subscr...@qpid.apache.org



[jira] Created: (QPID-2063) ACL does not check queuename (or routingkey) on bind

2009-08-21 Thread Tim Platten (JIRA)
ACL does not check queuename (or routingkey) on bind


 Key: QPID-2063
 URL: https://issues.apache.org/jira/browse/QPID-2063
 Project: Qpid
  Issue Type: Bug
  Components: C++ Broker
Affects Versions: 0.5
Reporter: Tim Platten


ACL allows binding to a queue to which access should be denied. e.g.

ACL:
acl deny  tes...@qpid all queue name=baz
acl allow tes...@qpid bind exchange name=foo queuename=bar routingkey=foo.bar

The following command succeeds and it shouldn't:
qpid-config -a baclo/ba...@localhost bind foo baz foo.bar

I believe this is because SessionAdapter::ExchangeHandlerImpl::bind is not 
checking either queueName or routingKey. I.e.
AclModule* acl = getBroker().getAcl();
if (acl) {
    if (!acl->authorise(getConnection().getUserId(),acl::ACT_BIND,acl::OBJ_EXCHANGE,exchangeName,routingKey))

should read:
AclModule* acl = getBroker().getAcl();
if (acl) {
    std::map<acl::Property, std::string> params;
    params.insert(make_pair(acl::PROP_QUEUENAME, queueName));
    params.insert(make_pair(acl::PROP_ROUTINGKEY, routingKey));
    if (!acl->authorise(getConnection().getUserId(),acl::ACT_BIND,acl::OBJ_EXCHANGE,exchangeName,&params))


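The effect described in QPID-2063, as an added example that is not part of the original report or of the Qpid code base: a small model of one bind rule, evaluated first on the exchange name alone and then with the queue name and routing key supplied. BindRule, reportRule, allowedNameOnly, allowedWithParams and bindParams are hypothetical names, and failing closed on a missing property is a design choice of this model.

```cpp
#include <iostream>
#include <map>
#include <string>

enum Property { PROP_QUEUENAME, PROP_ROUTINGKEY };   // names as in AclModule.h
typedef std::map<Property, std::string> PropertyMap;

// Constructed model of one "allow ... bind exchange" rule (not the broker's AclData).
struct BindRule { std::string exchange; PropertyMap props; };

// The rule from the report: bind exchange name=foo queuename=bar routingkey=foo.bar
BindRule reportRule() {
    BindRule r;
    r.exchange = "foo";
    r.props[PROP_QUEUENAME] = "bar";
    r.props[PROP_ROUTINGKEY] = "foo.bar";
    return r;
}

// Model of the call the report describes: only the exchange name is compared.
bool allowedNameOnly(const BindRule& rule, const std::string& exchange) {
    return rule.exchange == exchange;
}

// Model of the proposed call: every property the rule names must be present in
// the request parameters with the same value; a missing one fails closed.
bool allowedWithParams(const BindRule& rule, const std::string& exchange,
                       const PropertyMap* params) {
    if (rule.exchange != exchange) return false;
    for (PropertyMap::const_iterator r = rule.props.begin(); r != rule.props.end(); ++r) {
        if (!params) return false;
        PropertyMap::const_iterator p = params->find(r->first);
        if (p == params->end() || p->second != r->second) return false;
    }
    return true;
}

// Builds the parameter map the way the proposed bind() does.
PropertyMap bindParams(const std::string& queueName, const std::string& routingKey) {
    PropertyMap m;
    m[PROP_QUEUENAME] = queueName;
    m[PROP_ROUTINGKEY] = routingKey;
    return m;
}

int main() {
    PropertyMap p = bindParams("baz", "foo.bar");   // the bind from the report
    std::cout << allowedNameOnly(reportRule(), "foo") << " " << allowedWithParams(reportRule(), "foo", &p) << "\n";
    return 0;
}
```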



[jira] Created: (QPID-2062) ACL processing does not handle wildcards correctly

2009-08-21 Thread Tim Platten (JIRA)
ACL processing does not handle wildcards correctly
--

 Key: QPID-2062
 URL: https://issues.apache.org/jira/browse/QPID-2062
 Project: Qpid
  Issue Type: Bug
  Components: C++ Broker
Affects Versions: 0.5
Reporter: Tim Platten


There seems to be a problem processing wildcards in ACL. e.g.

ACL:
acl allow tes...@qpid unbind exchange  name=foo queuename=bar routingkey=foo.*

Command:
qpid-config -a tester/tes...@localhost unbind foo bar foo.bar

Broker:
2009-aug-21 11:47:42 info ACL Deny id:tes...@qpid action:unbind 
ObjectType:exchange Name:foo
2009-aug-21 11:47:42 error Execution exception: not-allowed: ACL denied 
exchange unbind request from tes...@qpid (qpid/broker/SessionAdapter.cpp:203)

I believe this is due to a bug in AclData::lookup
}else if (!matchProp(paramItr->second, pMItr->second)){
should read
}else if (!matchProp(pMItr->second, paramItr->second)){




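The argument-order problem from QPID-2062, as an added example that is not part of the original report: the matchProp below is a hypothetical stand-in written for this illustration (the report does not show the broker's implementation) and assumes a trailing '*' in the first argument is the only wildcard form. matchAsReported and matchAsProposed are likewise hypothetical wrappers around the two call orders quoted in the report.

```cpp
#include <iostream>
#include <string>

// Hypothetical stand-in for the broker's matcher, whose body the report does
// not show: the FIRST argument is the pattern and may end in '*' (matching any
// suffix); the SECOND argument is always compared literally.
bool matchProp(const std::string& pattern, const std::string& value) {
    if (!pattern.empty() && pattern[pattern.size() - 1] == '*') {
        const std::string::size_type n = pattern.size() - 1;
        return value.compare(0, n, pattern, 0, n) == 0;
    }
    return pattern == value;
}

// Argument order quoted from AclData::lookup in 0.5: the value sent by the
// client lands in the pattern slot, so the '*' in the rule is never expanded.
bool matchAsReported(const std::string& ruleValue, const std::string& requestValue) {
    return matchProp(requestValue, ruleValue);
}

// Order proposed in the report: the rule value from the ACL file is the
// pattern and the client-supplied value is only ever compared literally.
bool matchAsProposed(const std::string& ruleValue, const std::string& requestValue) {
    return matchProp(ruleValue, requestValue);
}

int main() {
    // Values from the report: rule routingkey=foo.*, request key foo.bar.
    std::cout << std::boolalpha
              << "reported order: " << matchAsReported("foo.*", "foo.bar") << "\n"
              << "proposed order: " << matchAsProposed("foo.*", "foo.bar") << "\n";
    return 0;
}
```

A regression test for the fix should cover both directions: the rule's wildcard must match the request, and a '*' in the request must stay a literal character.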