You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@qpid.apache.org by "Robbie Gemmell (JIRA)" <qp...@incubator.apache.org> on 2009/10/16 16:59:31 UTC

[jira] Closed: (QPID-2133) PrincipalPermissions handling of exchange elements within the ACL v1 create subsection can lead to inconsistent behaviour

     [ https://issues.apache.org/jira/browse/QPID-2133?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robbie Gemmell closed QPID-2133.
--------------------------------

    Resolution: Won't Fix

> PrincipalPermissions handling of exchange elements within the ACL v1 create subsection can lead to inconsistent behaviour
> -------------------------------------------------------------------------------------------------------------------------
>
>                 Key: QPID-2133
>                 URL: https://issues.apache.org/jira/browse/QPID-2133
>             Project: Qpid
>          Issue Type: Bug
>    Affects Versions: 0.5
>            Reporter: Robbie Gemmell
>
> Whilst investigating QPID-1204, a limitation was discovered in the ACL v1 PrincipalPermissions handling for Exchange(s) elements within the Create subsection of the ACL configuration.
> If no Exchange elements exist within the Create section for a given set of users, they will have create capabilities for any exchange. This is accomplished by never creating a permissions list for creating exchanges, and is covered in the authorise check by the null check in the code below.
> PrincipalPermissions: L483
>                 if (rights == null || rights.containsKey(exchangeName))
>                 {
>                     return AuthzResult.ALLOWED; 
>                 }
> However, if for example a Queue Create subsection for that user did specify a specific exchange that the creation is permitted in, then the exchange creation rights list will be created. As a result, any Create sections previously relying on the list being null to permit queue creation in any exchange, or the ability to declare any exchange, will be broken (unless the exchange name being used happens to match one which was specificlly defined, in which case it will exist in the list)

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org