qpid-users mailing list archives

From Mark Moseley <moseleym...@gmail.com>
Subject Federation and ACLs
Date Sat, 21 Feb 2009 03:35:30 GMT
I'll apologize in advance that I'm pretty new to QPid (and AMQP) in
general, so forgive the possibly n00b questions :)

I've been playing around with federation and reading through the Qpid
docs as well as the Redhat MRG docs. I can only seem to get it working
if I completely open up the ACL on the destination side, i.e. acl has
"acl allow-log all all"

When I send to the source broker, with a wide-open ACL, the message
gets dumped over to the dest broker just fine. Without "acl allow-log
all all" in my ACL, it gets denied. Looking at the logs on the dest
broker, there doesn't seem to be an 'id' associated with the publish,
even though it was authenticated on the source side. I'd have expected
that the 'id' showing up on the dest broker would either be the
authenticated sender ('mark' in this case) or the user used to create
the federation -- cleverly named 'router' in this case. I'm using the
same ACL file for both brokers and both 'mark' and 'router' have "acl
allow-log <username> all all", so they don't have any problem
performing actions on either broker (just a test bed).

The federation was created with a static route:
# qpid-route route add router/router@localhost:5672 router/router@localhost:5671 amq.direct mykey

On the source broker:
2009-feb-20 22:24:13 info ACL Allow id:mark@QPID action:publish
ObjectType:exchange Name:amq.direct
2009-feb-20 22:24:13 debug Message 0x80cc400 enqueued on

On the dest broker (with open ACL):
2009-feb-20 22:24:05 info Inter-broker link established to localhost:5671
2009-feb-20 22:24:13 info ACL Allow id: action:publish
ObjectType:exchange Name:amq.direct

On the dest broker (without a wide-open ACL):
2009-feb-20 22:32:04 info Inter-broker link established to localhost:5671
2009-feb-20 22:32:20 info ACL Deny id: action:publish
ObjectType:exchange Name:amq.direct
2009-feb-20 22:32:20 error Execution exception: not-allowed:  cannot
publish to amq.direct with routing-key mykey

My question is: is that a normal consequence of federation, i.e. that
credentials aren't passed around and that neither the authenticated
sender nor the user used to create the static route is used as the
'id' on the dest side?

If not, is there some obvious configuration option I'm missing?

Thanks! And again, sorry for the possibly RTFM!

Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org
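The behaviour described in the post leaves a recognisable trace in the broker log: an "ACL Allow" decision whose id field is empty, which is what an "acl allow-log all all" rule produces when the inbound link carries no authenticated identity. The following script is an added example, not code from the post or from the Qpid project; it assumes only the log line shape quoted above (two-line wrapped entries included) and runs over a constructed sample modelled on those lines, flagging Allow decisions with no id and summarising decisions per identity so an operator can see which principals are actually being authorised on a broker.

```python
import re
from collections import Counter

# Timestamp prefix as it appears in the quoted broker log ("2009-feb-20 22:24:13 ").
TS_PREFIX = re.compile(r"^\d{4}-[a-z]{3}-\d{2} \d{2}:\d{2}:\d{2} ")

# Shape of an ACL decision line as quoted in the post (after re-joining wrapped lines):
# "<date> <time> <level> ACL <Allow|Deny> id:<user> action:<act> ObjectType:<type> Name:<name>"
# The id group is allowed to be empty, which is the case the post is about.
ACL_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>\w+) ACL (?P<decision>Allow|Deny) "
    r"id:(?P<id>\S*) action:(?P<action>\S+) ObjectType:(?P<otype>\S+) Name:(?P<name>\S+)$"
)

# Constructed sample, modelled on the entries quoted in the post, in the same
# wrapped form (a continuation line does not start with a timestamp).
SAMPLE_LOG = """\
2009-feb-20 22:24:13 info ACL Allow id:mark@QPID action:publish
ObjectType:exchange Name:amq.direct
2009-feb-20 22:24:13 debug Message 0x80cc400 enqueued on
2009-feb-20 22:24:05 info Inter-broker link established to localhost:5671
2009-feb-20 22:24:13 info ACL Allow id: action:publish
ObjectType:exchange Name:amq.direct
2009-feb-20 22:32:20 info ACL Deny id: action:publish
ObjectType:exchange Name:amq.direct
2009-feb-20 22:32:20 error Execution exception: not-allowed:  cannot
publish to amq.direct with routing-key mykey
"""


def join_wrapped(text):
    """Re-join log records that were wrapped onto several lines: any line that
    does not begin with a timestamp is a continuation of the previous record."""
    records = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if TS_PREFIX.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def parse_acl_events(text):
    """Return one dict per ACL Allow/Deny record; other log lines are ignored."""
    events = []
    for record in join_wrapped(text):
        m = ACL_LINE.match(record)
        if m:
            events.append(m.groupdict())
    return events


def anonymous_allows(events):
    """ACL Allow decisions with an empty id: the broker authorised an action for
    an unauthenticated identity. Under 'acl allow-log all all' this is what a
    federated publish looks like on the destination broker."""
    return [e for e in events if e["decision"] == "Allow" and e["id"] == ""]


def summarize(events):
    """Count decisions per (identity, decision, action, object name) so the
    effective set of authorised principals is visible at a glance."""
    counts = Counter()
    for e in events:
        who = e["id"] or "<no id>"
        counts[(who, e["decision"], e["action"], e["name"])] += 1
    return counts


if __name__ == "__main__":
    evs = parse_acl_events(SAMPLE_LOG)
    for e in anonymous_allows(evs):
        print("unauthenticated %s on %s %s allowed at %s" % (e["action"], e["otype"], e["name"], e["ts"]))
    for key, n in sorted(summarize(evs).items()):
        print(key, n)
```

Run against a real broker log, the anonymous_allows list is the thing to check after opening an ACL for federation: a non-empty list means the wide-open rule is doing the authorising, not the per-user "acl allow-log <username> all all" entries.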
