Posted to dev@qpid.apache.org by "Chuck Rolke (JIRA)" <ji...@apache.org> on 2013/05/02 17:46:16 UTC

[jira] [Resolved] (QPID-4775) ACL delete action should not ignore object's properties other than name

     [ https://issues.apache.org/jira/browse/QPID-4775?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chuck Rolke resolved QPID-4775.
-------------------------------

       Resolution: Fixed
    Fix Version/s: 0.23

Fixed with Committed revision 1478418.

The patch was for 0.18-based code and needed adjustment for trunk.
The various MAX-SIZE properties, which make sense for queue creation, were removed from the ACL parameter list for queue deletion.
                
> ACL delete action should not ignore object's properties other than name
> -----------------------------------------------------------------------
>
>                 Key: QPID-4775
>                 URL: https://issues.apache.org/jira/browse/QPID-4775
>             Project: Qpid
>          Issue Type: Improvement
>          Components: C++ Broker
>    Affects Versions: 0.18, 0.20
>            Reporter: Pavel Moravec
>            Priority: Minor
>              Labels: patch, security
>             Fix For: 0.23
>
>         Attachments: bz955674.patch
>
>
> Description of problem:
> ACL rule like:
> acl allow all delete queue autodelete=true
> should allow deletion of autodelete queues _only_, while in fact any queue can be deleted. The same applies to any object's property other than queue's name (see Broker::deleteQueue method and how acl->authorise is called).
> The same applies not only to queues but also to exchanges.
> Version-Release number of selected component (if applicable):
> any
> How reproducible:
> 100%
> Steps to Reproduce:
> 1. cat <acl-file>
> # simply allow all except for deleting non-durable queue
> acl allow-log all consume all
> acl allow-log all publish all
> acl allow-log all create all
> acl allow-log all access all
> acl allow-log all bind all
> acl allow-log all unbind all
> acl allow-log all purge all
> acl allow-log all update all
> acl allow-log all delete exchange
> acl allow-log all delete queue durable=true
> acl deny-log all all
> 2. Start broker with auth=yes and the ACL file
> 3. qpid-config -b admin/admin@localhost:5672 add queue TransientQueue
> 4. qpid-config -b admin/admin@localhost:5672 del queue TransientQueue
> Actual results:
> Steps 3 and 4 pass.
> Expected results:
> Deleting queue should fail, as the queue is not durable.
> In fact, even _creating_ the queue that way should raise an exception, as deleting auxiliary queue named like "4135cd9e-04b8-4cef-bcd0-5404444d7a04:0.0" (where the qpid-config gets response) should fail.
> Additional info:
> Same scenarios are applicable for all other queue properties and/or exchange properties. Just queue/exchange name is checked.
> Patch proposed.

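Added example, not part of the original message and not Qpid code: a simplified Python model of first-match ACL evaluation over a trimmed copy of the ACL file from the report. It shows why a lookup that supplies no object properties lets "delete queue durable=true" match a transient queue, and how supplying the queue's properties changes the decision. The parser, the function names and the props=None convention are assumptions of this sketch.

```python
# Simplified model of first-match ACL evaluation (not Qpid's implementation).
ACL_TEXT = """\
# constructed: trimmed copy of the ACL file in the report
acl allow-log all create all
acl allow-log all delete exchange
acl allow-log all delete queue durable=true
acl deny-log all all
"""

def parse_acl(text):
    """Return a list of (decision, user, action, object, {prop: value})."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] != "acl" or len(tok) < 4:
            raise ValueError("unsupported ACL line: " + line)
        decision, user, action = tok[1:4]
        obj = tok[4] if len(tok) > 4 else "all"
        props = dict(p.split("=", 1) for p in tok[5:])
        rules.append((decision, user, action, obj, props))
    return rules

def authorise(rules, user, action, obj, props=None):
    """First matching rule wins. props=None models a caller that hands the
    ACL check no object properties, so rule properties go unchecked."""
    for decision, r_user, r_action, r_obj, r_props in rules:
        if r_user not in ("all", user):
            continue
        if r_action not in ("all", action):
            continue
        if r_obj not in ("all", obj):
            continue
        if props is not None and any(props.get(k) != v for k, v in r_props.items()):
            continue
        return decision
    return "deny"  # assumption of this model: no matching rule means deny

RULES = parse_acl(ACL_TEXT)
transient = {"name": "TransientQueue", "durable": "false"}  # constructed sample

if __name__ == "__main__":
    # Reported behaviour: no properties reach the check, durable=true is ignored.
    print("no properties passed:", authorise(RULES, "admin", "delete", "queue"))
    # Expected behaviour: properties are compared, the rule no longer matches.
    print("properties passed:   ", authorise(RULES, "admin", "delete", "queue", transient))
```

With properties supplied, the transient queue falls through to the final deny-log rule, which is the outcome the report lists under "Expected results".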