Posted to users@qpid.apache.org by holger <ho...@credit-suisse.com> on 2012/08/22 11:35:54 UTC

Why does QPID create the exchange amq.direct?

Hi everyone,
I am trying to understand what the QPID C++ broker (v0.14) and JMS client
are doing under the hood. I have a scenario where I connect to a queue
("BURL:Q") and read and write from it. I already noticed that the default
settings in this case are to create the queue and set it to durable.
Now I am trying to set up ACL rules that do give the user the appropriate
rights for this test case, but not for anything else.

To my surprise I require the permission to create an exchange ("acl allow
users create exchange"). After looking at the logging output, I realized
that the client is declaring an exchange, which throws the exception:

1008 DEBUG [main]  org.apache.qpid.transport.Connection     - SEND:
[conn:11e7c5cb] ch=0 id=1 ExchangeDeclare(exchange=amq.direct, type=direct,
passive=true)
...
1015 DEBUG [IoReceiver - gbl20004204.eu.hedani.net/166.12.91.155:5672] 
org.apache.qpid.transport.Connection     - RECV: [conn:11e7c5cb] ch=0
ExecutionException(errorCode=UNAUTHORIZED_ACCESS, commandId=1, classCode=7,
commandCode=1, fieldIndex=0, description=unauthorized-access: ACL denied
exchange create request from holger@QPID
(qpid/broker/SessionAdapter.cpp:87), errorInfo={})


My question now is: why does it do that? Shouldn't it understand that
amq.direct is always there and that it doesn't need the permission to create
it?

Cheers,
Holger



--
View this message in context: http://qpid.2158936.n2.nabble.com/Why-does-QPID-create-the-exchange-amq-direct-tp7581190.html
Sent from the Apache Qpid users mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org


Re: Why does QPID create the exchange amq.direct?

Posted by holger <ho...@credit-suisse.com>.
Thanks for your immediate help. You are saving my day!





Re: Why does QPID create the exchange amq.direct?

Posted by Jakub Scholz <ja...@scholz.cz>.
Hi Holger,

I cannot answer your question "why". But to my understanding the
ExchangeDeclare command with passive=true doesn't really declare the
exchange, but it is just kind of asking whether the exchange exists -
it should return "OK" in case the exchange exists and "FAIL" in case
it doesn't.

To allow it in your ACLs, you do not need to use "acl allow users
create exchange", but you can use the "acl allow users create exchange
name=amq.direct passive=true" rule which will allow the users to send
only this specific command without giving them the possibility to
actually declare any exchange. So it should not cause any security
problems.

Regards
Jakub


On Wed, Aug 22, 2012 at 11:35 AM, holger
<ho...@credit-suisse.com> wrote:
> Hi everyone,
> I am trying to understand what the QPID C++ broker (v0.14) and JMS client
> are doing under the hood. I have a scenario where I connect to a queue
> ("BURL:Q") and read and write from it. I already noticed that the default
> settings in this case are to create the queue and set it to durable.
> Now I am trying to set up ACL rules that do give the user the appropriate
> rights for this test case, but not for anything else.
>
> To my surprise I require the permission to create an exchange ("acl allow
> users create exchange"). After looking at the logging output, I realized
> that the client is declaring an exchange, which throws the exception:
>
> 1008 DEBUG [main]  org.apache.qpid.transport.Connection     - SEND:
> [conn:11e7c5cb] ch=0 id=1 ExchangeDeclare(exchange=amq.direct, type=direct,
> passive=true)
> ...
> 1015 DEBUG [IoReceiver - gbl20004204.eu.hedani.net/166.12.91.155:5672]
> org.apache.qpid.transport.Connection     - RECV: [conn:11e7c5cb] ch=0
> ExecutionException(errorCode=UNAUTHORIZED_ACCESS, commandId=1, classCode=7,
> commandCode=1, fieldIndex=0, description=unauthorized-access: ACL denied
> exchange create request from holger@QPID
> (qpid/broker/SessionAdapter.cpp:87), errorInfo={})
>
>
> My question now is: why does it do that? Shouldn't it understand that
> amq.direct is always there and that it doesn't need the permission to create
> it?
>
> Cheers,
> Holger
>
>
>


Re: Why does QPID create the exchange amq.direct?

Posted by Chuck Rolke <cr...@redhat.com>.
Yes the docs need more work.

In the {bind, unbind, access} exchange case the routing key in the Acl rule is matched with a simple wildcard.
In the {publish} exchange case it is matched with the simple wildcard (pre 0.20) or with topic exchange matching (0.20 and later).

On further reflection in answering this question I believe that the topic exchange matching should be applied to all the cases. If a user is permitted in an Acl rule to bind to an exchange with routingkey=news.# then at run time he should be able to bind to news.this, news.that, news, or news.northamerica.usa

Could you open a Jira for this issue and assign it to me?

-Chuck


----- Original Message -----
> From: "Jakub Scholz" <ja...@scholz.cz>
> To: users@qpid.apache.org
> Sent: Wednesday, August 22, 2012 10:20:54 AM
> Subject: Re: Why does QPID create the exchange amq.direct?
> 
> I think there are some misleading bugs in the docu ...
> 
> The Qpid 0.16 docu, in chapter 1.5.2.3. uses as example:
> acl allow guest@QPID bind exchange name=amq.topic
> routingkey=stocks.rht.#
> 
> (The same is also in MRG-M 2.1 docu chapter 11.2.3.)
> 
> Also the cwiki page you linked to seems to contain following example:
> acl allow guest@QPID bind exchange name=amq.topic
> routingkey=stocks.ibm.#  owner=self
> 
> Regards
> Jakub
> 
> On Wed, Aug 22, 2012 at 4:11 PM, Chuck Rolke <cr...@redhat.com>
> wrote:
> > A description of the C++ Broker (0.16) is in
> > https://cwiki.apache.org/qpid/acl.html
> > There is a table enumerating which Object/Action/Property
> > combinations are valid.
> >
> > In 0.14 through 0.18 the only wildcard allowed in an Acl rule is a
> > trailing '*'
> > when specifying a property. For example you can have
> >
> > acl allow all create queue name=T1.*
> >
> > A new feature that will be in 0.20 (it just missed 0.18) will be
> > the
> > specification of routing keys in topic exchange routing key format.
> > The same
> > syntax used at run-time is supported in the Acl specification of
> > routing keys:
> >
> > acl allow-log uMixed1@COMPANY publish exchange name=X
> > routingkey=*.x.#.y
> >
> > For 0.18 and earlier routing keys in Acl files may only have a
> > trailing '*'.
> >
> > See source tree qpid/cpp/src/tests/acl.py for a bunch of acl
> > example specifications.
> >
> > -Chuck
> >
> >
> > ----- Original Message -----
> >> From: "holger" <ho...@credit-suisse.com>
> >> To: users@qpid.apache.org
> >> Sent: Wednesday, August 22, 2012 8:29:17 AM
> >> Subject: Re: Why does QPID create the exchange amq.direct?
> >>
> >> One more thing: Now I set up the inverse, a test for topics "T.1.1"
> >> to
> >> "T.4.4"
> >> where I try to figure out the minimum settings. To my amusement I
> >> now
> >> also
> >> require the permission to create a queue. If I allow all queues,
> >> it
> >> works.
> >> If I try to limit it to the actual queue, it doesn't.
> >> I tried adding "name=T.#", "routingkey=T.#", "queuename=T.#". No
> >> results.
> >>
> >> Can you tell me, why this queue is needed and what its name
> >> actually
> >> is?
> >>
> >> I think it would be very useful for the users if the User Guide
> >> also
> >> mentioned for which keyword (such as queue) you can use which
> >> attribute
> >> (such as passive). Many users probably don't know whether they are
> >> binding/creating/consuming a queue or an exchange..
> >>
> >> Regards,
> >> Holger
> >>
> >>
> >>


Re: Why does QPID create the exchange amq.direct?

Posted by Jakub Scholz <ja...@scholz.cz>.
I think there are some misleading bugs in the docu ...

The Qpid 0.16 docu, in chapter 1.5.2.3. uses as example:
acl allow guest@QPID bind exchange name=amq.topic routingkey=stocks.rht.#

(The same is also in MRG-M 2.1 docu chapter 11.2.3.)

Also the cwiki page you linked to seems to contain following example:
acl allow guest@QPID bind exchange name=amq.topic
routingkey=stocks.ibm.#  owner=self

Regards
Jakub

On Wed, Aug 22, 2012 at 4:11 PM, Chuck Rolke <cr...@redhat.com> wrote:
> A description of the C++ Broker (0.16) is in https://cwiki.apache.org/qpid/acl.html
> There is a table enumerating which Object/Action/Property combinations are valid.
>
> In 0.14 through 0.18 the only wildcard allowed in an Acl rule is a trailing '*'
> when specifying a property. For example you can have
>
> acl allow all create queue name=T1.*
>
> A new feature that will be in 0.20 (it just missed 0.18) will be the
> specification of routing keys in topic exchange routing key format. The same
> syntax used at run-time is supported in the Acl specification of routing keys:
>
> acl allow-log uMixed1@COMPANY publish exchange name=X routingkey=*.x.#.y
>
> For 0.18 and earlier routing keys in Acl files may only have a trailing '*'.
>
> See source tree qpid/cpp/src/tests/acl.py for a bunch of acl example specifications.
>
> -Chuck
>
>
> ----- Original Message -----
>> From: "holger" <ho...@credit-suisse.com>
>> To: users@qpid.apache.org
>> Sent: Wednesday, August 22, 2012 8:29:17 AM
>> Subject: Re: Why does QPID create the exchange amq.direct?
>>
>> One more thing: Now I set up the inverse, a test for topics "T.1.1" to
>> "T.4.4"
>> where I try to figure out the minimum settings. To my amusement I now
>> also
>> require the permission to create a queue. If I allow all queues, it
>> works.
>> If I try to limit it to the actual queue, it doesn't.
>> I tried adding "name=T.#", "routingkey=T.#", "queuename=T.#". No
>> results.
>>
>> Can you tell me, why this queue is needed and what its name actually
>> is?
>>
>> I think it would be very useful for the users if the User Guide also
>> mentioned for which keyword (such as queue) you can use which
>> attribute
>> (such as passive). Many users probably don't know whether they are
>> binding/creating/consuming a queue or an exchange..
>>
>> Regards,
>> Holger
>>
>>
>>


Re: Why does QPID create the exchange amq.direct?

Posted by holger <ho...@credit-suisse.com>.
My philosophy was that you can use # wherever you can also use *, or am I
mistaken there? In this line it works: "acl allow users consume queue
routingkey=T.#". It is also mentioned in
https://cwiki.apache.org/qpid/acl.html

Can you think of any workaround, other than just allowing to create any kind
of queue?

I am using BURL, because my original approach was to port a Tibco EMS test
harness to QPID, relying on the JMS compatibility. Even though the address
format is not covered by the standard, I don't want to dive into all these
details on exchanges etc. and actually I shouldn't have to. I just want to
use createQueue("Q.1") and createTopic("T.1") and have everything else done
under the hood. So that's why the ADDR format was never an option for me...





Re: Why does QPID create the exchange amq.direct?

Posted by Jakub Scholz <ja...@scholz.cz>.
I do not think the # signs are supposed to be used in the ACL rules
for queue names, exchange names or routing keys. I think you have to
use *. Or am I wrong?

Apart from that I'm not sure what is the binding URL you are using
actually supposed to do. Is there some reason why are you using the
old binding URLs in the JMS API instead of the addresses?

Regards
Jakub

On Wed, Aug 22, 2012 at 2:29 PM, holger <ho...@credit-suisse.com> wrote:
> One more thing: Now I set up the inverse, a test for topics "T.1.1" to "T.4.4"
> where I try to figure out the minimum settings. To my amusement I now also
> require the permission to create a queue. If I allow all queues, it works.
> If I try to limit it to the actual queue, it doesn't.
> I tried adding "name=T.#", "routingkey=T.#", "queuename=T.#". No results.
>
> Can you tell me, why this queue is needed and what its name actually is?
>
> I think it would be very useful for the users if the User Guide also
> mentioned for which keyword (such as queue) you can use which attribute
> (such as passive). Many users probably don't know whether they are
> binding/creating/consuming a queue or an exchange..
>
> Regards,
> Holger
>
>
>


Re: Why does QPID create the exchange amq.direct?

Posted by Jakub Scholz <ja...@scholz.cz>.
T.* will work for all T.1, T.2, T.1.1, T.2.1.3 ... i.e. it will work
as T.# and not as T.* :-o

Regards
Jakub

On Wed, Aug 22, 2012 at 5:45 PM, holger <ho...@credit-suisse.com> wrote:
> Referring to what Chuck said. I understand there's no "#" in ACLs. Now I want
> to emulate "T.#" with the help of "*". Of course, that is an issue, but I
> can approximate it by using "T.*" and "T.*.*" and "T.*.*.*" ....
>
> But do you really mean that only trailing wildcards are allowed? So then I
> cannot even specify "T.*.*", because it also has a wildcard in the middle
> position, or?
>
> Thanks for further clarification.
> Regards,
> Holger
>
>
>


Re: Why does QPID create the exchange amq.direct?

Posted by holger <ho...@credit-suisse.com>.
Referring to what Chuck said. I understand there's no "#" in ACLs. Now I want
to emulate "T.#" with the help of "*". Of course, that is an issue, but I
can approximate it by using "T.*" and "T.*.*" and "T.*.*.*" ....

But do you really mean that only trailing wildcards are allowed? So then I
cannot even specify "T.*.*", because it also has a wildcard in the middle
position, or?

Thanks for further clarification.
Regards,
Holger





Re: Why does QPID create the exchange amq.direct?

Posted by Chuck Rolke <cr...@redhat.com>.
A description of the C++ Broker (0.16) is in https://cwiki.apache.org/qpid/acl.html
There is a table enumerating which Object/Action/Property combinations are valid.

In 0.14 through 0.18 the only wildcard allowed in an Acl rule is a trailing '*'
when specifying a property. For example you can have

acl allow all create queue name=T1.*

A new feature that will be in 0.20 (it just missed 0.18) will be the
specification of routing keys in topic exchange routing key format. The same
syntax used at run-time is supported in the Acl specification of routing keys:

acl allow-log uMixed1@COMPANY publish exchange name=X routingkey=*.x.#.y

For 0.18 and earlier routing keys in Acl files may only have a trailing '*'.

See source tree qpid/cpp/src/tests/acl.py for a bunch of acl example specifications.

-Chuck


----- Original Message -----
> From: "holger" <ho...@credit-suisse.com>
> To: users@qpid.apache.org
> Sent: Wednesday, August 22, 2012 8:29:17 AM
> Subject: Re: Why does QPID create the exchange amq.direct?
> 
> One more thing: Now I set up the inverse, a test for topics "T.1.1" to
> "T.4.4"
> where I try to figure out the minimum settings. To my amusement I now
> also
> require the permission to create a queue. If I allow all queues, it
> works.
> If I try to limit it to the actual queue, it doesn't.
> I tried adding "name=T.#", "routingkey=T.#", "queuename=T.#". No
> results.
> 
> Can you tell me, why this queue is needed and what its name actually
> is?
> 
> I think it would be very useful for the users if the User Guide also
> mentioned for which keyword (such as queue) you can use which
> attribute
> (such as passive). Many users probably don't know whether they are
> binding/creating/consuming a queue or an exchange..
> 
> Regards,
> Holger
> 
> 
> 


Re: Why does QPID create the exchange amq.direct?

Posted by holger <ho...@credit-suisse.com>.
One more thing: Now I set up the inverse, a test for topics "T.1.1" to "T.4.4"
where I try to figure out the minimum settings. To my amusement I now also
require the permission to create a queue. If I allow all queues, it works.
If I try to limit it to the actual queue, it doesn't.
I tried adding "name=T.#", "routingkey=T.#", "queuename=T.#". No results.

Can you tell me, why this queue is needed and what its name actually is?

I think it would be very useful for the users if the User Guide also
mentioned for which keyword (such as queue) you can use which attribute
(such as passive). Many users probably don't know whether they are
binding/creating/consuming a queue or an exchange..

Regards,
Holger





Re: Why does QPID create the exchange amq.direct?

Posted by Jakub Scholz <ja...@scholz.cz>.
That will be definitely a useful change. It will save us a loooooot of
rules in our ACL file :-).

Regards
Jakub

On Wed, Aug 22, 2012 at 11:51 AM, Gordon Sim <gs...@redhat.com> wrote:
> From 0.18, all that will be required is 'access' permission for the
> exchange.



Re: Why does QPID create the exchange amq.direct?

Posted by Gordon Sim <gs...@redhat.com>.
On 08/22/2012 10:35 AM, holger wrote:
> Hi everyone,
> I am trying to understand what the QPID C++ broker (v0.14) and JMS client
> are doing under the hood. I have a scenario where I connect to a queue
> ("BURL:Q") and read and write from it. I already noticed that the default
> settings in this case are to create the queue and set it to durable.
> Now I am trying to set up ACL rules that do give the user the appropriate
> rights for this test case, but not for anything else.
>
> To my surprise I require the permission to create an exchange ("acl allow
> users create exchange"). After looking at the logging output, I realized
> that the client is declaring an exchange, which throws the exception:
>
> 1008 DEBUG [main]  org.apache.qpid.transport.Connection     - SEND:
> [conn:11e7c5cb] ch=0 id=1 ExchangeDeclare(exchange=amq.direct, type=direct,
> passive=true)
> ...
> 1015 DEBUG [IoReceiver - gbl20004204.eu.hedani.net/166.12.91.155:5672]
> org.apache.qpid.transport.Connection     - RECV: [conn:11e7c5cb] ch=0
> ExecutionException(errorCode=UNAUTHORIZED_ACCESS, commandId=1, classCode=7,
> commandCode=1, fieldIndex=0, description=unauthorized-access: ACL denied
> exchange create request from holger@QPID
> (qpid/broker/SessionAdapter.cpp:87), errorInfo={})
>
>
> My question now is: why does it do that? Shouldn't it understand that
> amq.direct is always there and that it doesn't need the permission to create
> it?

This was a defect with the broker[1], fixed for 0.18.

The exchange is declared with the passive flag set (this is required for 
all standard exchanges) meaning it should *not* be created. The broker's 
ACL model incorrectly checked for a 'create' permission for all 
declares, regardless of the passive flag.

However in the meantime you can work around it by specifying a passive 
property for the ACL rule with a value of true to distinguish between 
permission to declare passively and permission to create if necessary.

From 0.18, all that will be required is 'access' permission for the 
exchange.

[1] https://issues.apache.org/jira/browse/QPID-3964

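A Python model of the ACL behaviour described in this thread, serving Gordon's passive-declare explanation above and the wildcard discussion in Chuck's and Jakub's replies (trailing '*' before 0.20, topic matching for publish routing keys from 0.20, and Jakub's observation that T.* behaves like T.#). It is an added example, not Qpid broker code: the ACL text, the group name users, first-match-wins evaluation, deny when nothing matches, and the rule that a property named in a rule but absent from the request fails are all assumptions.

```python
from dataclasses import dataclass
# Constructed ACL text for the thread's scenarios (not from any real deployment)
ACL_TEXT = """
group users holger@QPID
acl allow users create exchange name=amq.direct passive=true
acl allow all create queue name=T1.*
acl allow-log uMixed1@COMPANY publish exchange name=X routingkey=*.x.#.y
"""

@dataclass
class Rule:
    permission: str  # "allow" or "deny" ("allow-log" is treated as "allow")
    user: str        # "all", a user@realm, or a group name
    action: str      # create, bind, publish, access, consume, ...
    obj: str         # exchange, queue, ...
    props: dict      # e.g. {"name": "amq.direct", "passive": "true"}

def parse_acl(text):
    """Parse the 'group' and 'acl' lines of an ACL file into (groups, rules)."""
    groups, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "group":
            groups[parts[1]] = set(parts[2:])
        elif parts[0] == "acl":
            perm = parts[1].split("-")[0]  # allow-log -> allow
            user, action, obj = parts[2:5]
            props = dict(p.split("=", 1) for p in parts[5:])
            rules.append(Rule(perm, user, action, obj, props))
    return groups, rules

def simple_match(pattern, value):
    """Pre-0.20 property matching: only a trailing '*' is a wildcard, and it
    swallows the whole rest of the value, dots included (so T.* acts like T.#)."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def topic_match(pattern, key):
    """Topic-exchange matching, used for publish routing keys from 0.20 on:
    '*' matches exactly one dot-separated word, '#' zero or more words."""
    pw, kw = pattern.split("."), key.split(".")
    def rec(i, j):
        if i == len(pw):
            return j == len(kw)
        if pw[i] == "#":  # '#' may consume zero words or one more word
            return rec(i + 1, j) or (j < len(kw) and rec(i, j + 1))
        return j < len(kw) and pw[i] in ("*", kw[j]) and rec(i + 1, j + 1)
    return rec(0, 0)

def rule_applies(rule, groups, user, action, obj, props, topic_keys):
    """True if every rule field matches; a rule property absent from the request fails."""
    if rule.user not in ("all", user) and user not in groups.get(rule.user, ()):
        return False
    if rule.action not in ("all", action) or rule.obj not in ("all", obj):
        return False
    for name, pattern in rule.props.items():
        if name not in props:
            return False
        topic = topic_keys and action == "publish" and name == "routingkey"
        if not (topic_match if topic else simple_match)(pattern, props[name]):
            return False
    return True

def authorise(acl_text, user, action, obj, props, topic_keys=False):
    """First matching rule wins; no match means deny. topic_keys=True models a
    0.20+ broker, where publish routing keys use topic matching (assumed model)."""
    groups, rules = parse_acl(acl_text)
    for rule in rules:
        if rule_applies(rule, groups, user, action, obj, props, topic_keys):
            return rule.permission == "allow"
    return False
```

With this model the passive=true rule lets the JMS client's ExchangeDeclare(passive=true) through while a real create of amq.direct, or a passive declare of any other exchange, still falls through to deny.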