Re: Add qmf shutdown command to the broker [was Re: QPID C++ - Dynamically Managing Broker]

Tue, 23 Sep 2014 01:14:03 -0700 


Kind regards,
Pavel


----- Original Message -----
> From: "Alan Conway" <acon...@redhat.com>
> To: users@qpid.apache.org
> Cc: "Chuck Rolke" <cro...@redhat.com>, "Gordon Sim" <g...@redhat.com>
> Sent: Monday, September 22, 2014 10:10:12 PM
> Subject: Add qmf shutdown command to the broker [was Re: QPID C++ - 
> Dynamically Managing Broker]
> 
> On Thu, 2014-09-18 at 15:12 -0700, Spencer.Doak wrote:
> > Hey Gordon,
> > 
> > Thank you very much! That should give me a great start on this task.
> > 
> > As for the 'shutdown' command, that's actually exactly what I was thinking
> > too. I'm thinking about running a receiver process on the broker machine.
> > When it receives a message that says "shutdown" from an authenticated user,
> > it will perform 'system("/sbin/service qpid-stop");' or whatever the
> > relevant OS command is. In your opinion, is this a reasonable way to
> > accomplish this task? Would there perhaps be a better way than creating a
> > system call?
> 
> Not presently. I've long thought we should have a qmf shutdown command
> on the broker but never actually did anything about it. Mucking about
> with extra processes is painful for such a basic task.
> 
> There is a denial of service security concern, my feeling is that adding
> a "shutdown" permission to the ACL rules would cover that.

Note you can already delete anything from provisioning via QMF (until prevented 
by authentication and ACLs). This in my eyes is bigger security concern than 
possibility to shut down a broker. As deleting a durable queue, one loses all 
(durable) messages in.

Also, what is the difference between connecting to AMQP listening port, 
providing proper (stolen?) credentials and shutting the broker via QMF, and 
doing the same via ssh "killall qpidd"? (until you disable ssh from outside 
network where AMQP is allowed)

So I would be in favour of adding the shutdown QMF command and relevant ACL 
action.

> 
> Anyone think this is a bad idea, or have a better idea?
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
> For additional commands, e-mail: users-h...@qpid.apache.org
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
For additional commands, e-mail: users-h...@qpid.apache.org

Reply via email to