qpid-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Carl Trieloff <cctriel...@redhat.com>
Subject Re: Federation and ACLs
Date Mon, 23 Feb 2009 01:58:46 GMT
Mark Moseley wrote:
> On Fri, Feb 20, 2009 at 7:35 PM, Mark Moseley <moseleymark@gmail.com> wrote:
>   
>> I'll apologize in advance that I'm pretty new to QPid (and AMQP) in
>> general, so forgive the possibly n00b questions :)
>>
>> I've been playing around with federation and reading through the Qpid
>> docs as well as the Redhat MRG docs. I can only seem to get it working
>> if I completely open up the ACL on the destination side, i.e. acl has
>> "acl allow-log all all"
>>
>> When I send to the source broker, with a wide-open ACL, the message
>> gets dumped over to the dest broker just fine. Without "acl allow-log
>> all all" in my ACL, it gets denied. Looking at the logs on the dest
>> broker, there doesn't seem to be an 'id' associated with the publish,
>> even though it was authenticated on the source side. I'd have expected
>> that the 'id' showing up on the dest broker would either be the
>> authenticated sender ('mark' in this case) or the user used to create
>> the federation -- cleverly named 'router' in this case. I'm using the
>> same ACL file for both brokers and both 'mark' and 'router' have "acl
>> allow-log <username> all all", so they don't have any problem
>> performing actions on either broker (just a test bed).
>>
>> The federation was created with a static route:
>> # qpid-route  route add router/router@localhost:5672
>> router/router@localhost:5671 amq.direct mykey
>>
>> On the source broker:
>> 2009-feb-20 22:24:13 info ACL Allow id:mark@QPID action:publish
>> ObjectType:exchange Name:amq.direct
>> 2009-feb-20 22:24:13 debug Message 0x80cc400 enqueued on
>> bridge_queue_1_ba641f59-76ef-48c2-875c-d05e6c5d2132[0x80cb538]
>>
>> On the dest broker (with open ACL):
>> 2009-feb-20 22:24:05 info Inter-broker link established to localhost:5671
>> 2009-feb-20 22:24:13 info ACL Allow id: action:publish
>> ObjectType:exchange Name:amq.direct
>>
>> On the dest broker (without a wide-open ACL):
>> 2009-feb-20 22:32:04 info Inter-broker link established to localhost:5671
>> 2009-feb-20 22:32:20 info ACL Deny id: action:publish
>> ObjectType:exchange Name:amq.direct
>> 2009-feb-20 22:32:20 error Execution exception: not-allowed:  cannot
>> publish to amq.direct with routing-key mykey
>> (qpid/broker/SemanticState.cpp:384)
>>
>> My question is: is that a normal consequence of federation, i.e. that
>> credentials aren't passed around and that neither the authenticated
>> sender nor the user used to create the static route is used as the
>> 'id' on the dest side?
>>
>> If not, is there some obvious configuration option I'm missing?
>>
>> Thanks! And again, sorry for the possibly RTFM!
>>
>>     
>
>
> I probably ought to have mentioned that this is on the C++ broker,
> from the qpid-M4 distribution, with both brokers on localhost (one on
> port 5671, one on 5672).


Did you setup  dynamic or static federation routes?  Dynamic routes will 
require ACL to setup
subscriptions on-demand which can be blocked via ACL. static would have 
then pre configured...

There might be a case here for another action for dynamic links -- but 
lets try work through the details
first. (are you doing dynamic or static federation routes ?)

Carl.



Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message