qpid-users mailing list archives

From Mark Moseley <moseleym...@gmail.com>
Subject Re: Federation and ACLs
Date Sat, 21 Feb 2009 03:42:00 GMT
On Fri, Feb 20, 2009 at 7:35 PM, Mark Moseley <moseleymark@gmail.com> wrote:
> I'll apologize in advance that I'm pretty new to Qpid (and AMQP) in
> general, so forgive the possibly n00b questions :)
>
> I've been playing around with federation and reading through the Qpid
> docs as well as the Red Hat MRG docs. I can only seem to get it working
> if I completely open up the ACL on the destination side, i.e. acl has
> "acl allow-log all all"
>
> When I send to the source broker, with a wide-open ACL, the message
> gets dumped over to the dest broker just fine. Without "acl allow-log
> all all" in my ACL, it gets denied. Looking at the logs on the dest
> broker, there doesn't seem to be an 'id' associated with the publish,
> even though it was authenticated on the source side. I'd have expected
> that the 'id' showing up on the dest broker would either be the
> authenticated sender ('mark' in this case) or the user used to create
> the federation -- cleverly named 'router' in this case. I'm using the
> same ACL file for both brokers and both 'mark' and 'router' have "acl
> allow-log <username> all all", so they don't have any problem
> performing actions on either broker (just a test bed).
>
> The federation was created with a static route:
> # qpid-route  route add router/router@localhost:5672
> router/router@localhost:5671 amq.direct mykey
>
> On the source broker:
> 2009-feb-20 22:24:13 info ACL Allow id:mark@QPID action:publish
> ObjectType:exchange Name:amq.direct
> 2009-feb-20 22:24:13 debug Message 0x80cc400 enqueued on
> bridge_queue_1_ba641f59-76ef-48c2-875c-d05e6c5d2132[0x80cb538]
>
> On the dest broker (with open ACL):
> 2009-feb-20 22:24:05 info Inter-broker link established to localhost:5671
> 2009-feb-20 22:24:13 info ACL Allow id: action:publish
> ObjectType:exchange Name:amq.direct
>
> On the dest broker (without a wide-open ACL):
> 2009-feb-20 22:32:04 info Inter-broker link established to localhost:5671
> 2009-feb-20 22:32:20 info ACL Deny id: action:publish
> ObjectType:exchange Name:amq.direct
> 2009-feb-20 22:32:20 error Execution exception: not-allowed:  cannot
> publish to amq.direct with routing-key mykey
> (qpid/broker/SemanticState.cpp:384)
>
> My question is: is that a normal consequence of federation, i.e. that
> credentials aren't passed around and that neither the authenticated
> sender nor the user used to create the static route is used as the
> 'id' on the dest side?
>
> If not, is there some obvious configuration option I'm missing?
>
> Thanks! And again, sorry for the possibly RTFM!
>


I probably ought to have mentioned that this is on the C++ broker,
from the qpid-M4 distribution, with both brokers on localhost (one on
port 5671, one on 5672).

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org
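
Added example, not part of the original message and not Qpid code: a small Python parser for the ACL decision lines quoted above that picks out decisions logged with an empty `id`, the symptom reported on the destination broker. The regex assumes the line layout shown in the message (wrapped lines rejoined), and the function names are hypothetical.

```python
import re

# Log lines copied from the message above with the mail client's line
# wraps rejoined; collecting them into one string is constructed here.
SAMPLE_LOG = """\
2009-feb-20 22:24:13 info ACL Allow id:mark@QPID action:publish ObjectType:exchange Name:amq.direct
2009-feb-20 22:24:05 info Inter-broker link established to localhost:5671
2009-feb-20 22:24:13 info ACL Allow id: action:publish ObjectType:exchange Name:amq.direct
2009-feb-20 22:32:04 info Inter-broker link established to localhost:5671
2009-feb-20 22:32:20 info ACL Deny id: action:publish ObjectType:exchange Name:amq.direct
"""

# Assumption: ACL decision lines always have the shape shown in the message.
# \S* (not \S+) lets the id field be empty, as on the destination broker.
ACL_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) \w+ ACL (?P<decision>Allow|Deny) "
    r"id:(?P<id>\S*) action:(?P<action>\S+) "
    r"ObjectType:(?P<objtype>\S+) Name:(?P<name>\S+)"
)


def parse_acl_lines(text):
    """Return one dict per ACL decision line; all other lines are skipped."""
    matches = (ACL_LINE.match(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def anonymous_decisions(records):
    """ACL decisions that were logged with an empty id field."""
    return [r for r in records if r["id"] == ""]


def allowed_without_identity(records):
    """Allow decisions that cannot be tied to any named user in the log."""
    return [r for r in anonymous_decisions(records) if r["decision"] == "Allow"]


if __name__ == "__main__":
    records = parse_acl_lines(SAMPLE_LOG)
    for r in anonymous_decisions(records):
        print(f"{r['ts']} {r['decision']:5} {r['action']} on "
              f"{r['objtype']} {r['name']} with empty id")
```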

