You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "Ernest Allen (JIRA)" <ji...@apache.org> on 2015/05/15 17:20:59 UTC

[jira] [Closed] (QPID-6544) [ACL] Python client demands unnecessary permission / performs unnecessary actions

     [ https://issues.apache.org/jira/browse/QPID-6544?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ernest Allen closed QPID-6544.
------------------------------
    Resolution: Duplicate

Didn't see duplicate: https://issues.apache.org/jira/browse/QPID-6326

>  [ACL] Python client demands unnecessary permission / performs unnecessary actions
> ----------------------------------------------------------------------------------
>
>                 Key: QPID-6544
>                 URL: https://issues.apache.org/jira/browse/QPID-6544
>             Project: Qpid
>          Issue Type: Bug
>          Components: Python Client
>    Affects Versions: 0.22
>            Reporter: Ernest Allen
>
> Description of problem:
> Python clients accesses both exchange and queue objects, even when the object types is specified. Thus demanding unnecessary ACL rules to be allowed.
> Steps to Reproduce:
> Scenario A (access)
> 1. create acl:
> acl allow-log all access exchange
> acl deny-log all all
> 2. send message to an amq.fanout
> /usr/share/doc/python-qpid-0.22/examples/api/spout -c 1 -b UserA/UserA@localhost:5672 "amq.fanout;{node:{type:topic}}"
> 3. check qpidd log
> Scenario B (create)
> 1. create acl:
> acl allow-log all access all
> acl allow-log all create queue
> acl deny-log all all
> 2. create a queue using spout
> /usr/share/doc/python-qpid-0.22/examples/api/spout -c 1 -b UserA/UserA@localhost:5672 "q;{create:always, node:{type:queue}}"
> 3. check qpidd log
> Scenario A
> Actual results:
> 2014-07-28 10:45:07 [Security] info ACL Allow id:UserA@QPID action:access ObjectType:exchange Name:amq.fanout
> 2014-07-28 10:45:07 [Security] info ACL Deny id:UserA@QPID action:access ObjectType:queue Name:amq.fanout
> Expected results:
> Scenario A: expected results should be just with "action:access" and no "action:publish", as publish is for queue object (and in our case, the message is discarded by the exchange due to no route/binding).
> Scenario B
> Actual results:
> 2014-07-28 10:57:31 [Security] info ACL Allow id:UserA@QPID action:access ObjectType:exchange Name:q
> 2014-07-28 10:57:31 [Security] info ACL Allow id:UserA@QPID action:access ObjectType:queue Name:q
> 2014-07-28 10:57:31 [Security] info ACL Allow id:UserA@QPID action:create ObjectType:queue Name:q
> Expected results:
> 2014-07-28 10:57:31 [Security] info ACL Allow id:UserA@QPID action:create ObjectType:queue Name:q
> Additional info:
> [A] it behaves the same for node/type:queue, querying the exchanges then queue.
> [B] when creating, client should request only 'create' action, same as C++



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org