From: Mark Moseley
To: users@qpid.apache.org
Date: Fri, 20 Feb 2009 19:35:30 -0800
Subject: Federation and ACLs
Message-ID: <294d5daa0902201935j5b2534d9ib1d1b843014d5edf@mail.gmail.com>
Mailing-List: contact users-help@qpid.apache.org; run by ezmlm

I'll apologize in advance that I'm pretty new to Qpid (and AMQP) in general, so forgive the possibly n00b questions :)

I've been playing around with federation and reading through the Qpid docs as well as the Redhat MRG docs. I can only seem to get it working if I completely open up the ACL on the destination side, i.e. the acl has "acl allow-log all all". When I send to the source broker, with a wide-open ACL, the message gets dumped over to the dest broker just fine. Without "acl allow-log all all" in my ACL, it gets denied.

Looking at the logs on the dest broker, there doesn't seem to be an 'id' associated with the publish, even though it was authenticated on the source side. I'd have expected that the 'id' showing up on the dest broker would either be the authenticated sender ('mark' in this case) or the user used to create the federation -- cleverly named 'router' in this case. I'm using the same ACL file for both brokers and both 'mark' and 'router' have "acl allow-log all all", so they don't have any problem performing actions on either broker (just a test bed).
The federation was created with a static route:

    # qpid-route route add router/router@localhost:5672 router/router@localhost:5671 amq.direct mykey

On the source broker:

    2009-feb-20 22:24:13 info ACL Allow id:mark@QPID action:publish ObjectType:exchange Name:amq.direct
    2009-feb-20 22:24:13 debug Message 0x80cc400 enqueued on bridge_queue_1_ba641f59-76ef-48c2-875c-d05e6c5d2132[0x80cb538]

On the dest broker (with open ACL):

    2009-feb-20 22:24:05 info Inter-broker link established to localhost:5671
    2009-feb-20 22:24:13 info ACL Allow id: action:publish ObjectType:exchange Name:amq.direct

On the dest broker (without a wide-open ACL):

    2009-feb-20 22:32:04 info Inter-broker link established to localhost:5671
    2009-feb-20 22:32:20 info ACL Deny id: action:publish ObjectType:exchange Name:amq.direct
    2009-feb-20 22:32:20 error Execution exception: not-allowed: cannot publish to amq.direct with routing-key mykey (qpid/broker/SemanticState.cpp:384)

My question is: is that a normal consequence of federation, i.e. that credentials aren't passed around and that neither the authenticated sender nor the user used to create the static route is used as the 'id' on the dest side? If not, is there some obvious configuration option I'm missing?

Thanks! And again, sorry for the possibly RTFM!

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org
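An added example, not part of Mark's mail or of Qpid itself: a small Python log reader that parses the "ACL Allow/Deny id:... action:... ObjectType:... Name:..." lines quoted above and flags decisions whose id is empty, which is how the federation link's publishes show up on the dest broker. The line format is taken as it appears in the mail; SAMPLE_LOG is constructed from those quoted lines.

```python
import re
from collections import Counter

# Constructed sample: broker log lines as quoted in the mail above.
SAMPLE_LOG = """\
2009-feb-20 22:24:13 info ACL Allow id:mark@QPID action:publish ObjectType:exchange Name:amq.direct
2009-feb-20 22:24:05 info Inter-broker link established to localhost:5671
2009-feb-20 22:24:13 info ACL Allow id: action:publish ObjectType:exchange Name:amq.direct
2009-feb-20 22:32:20 info ACL Deny id: action:publish ObjectType:exchange Name:amq.direct
"""

# Matches the ACL decision lines only; 'id' may be empty (\S*), which is the case of interest.
ACL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>\w+) ACL (?P<decision>Allow|Deny) "
    r"id:(?P<id>\S*) action:(?P<action>\S+) ObjectType:(?P<otype>\S+) Name:(?P<name>\S+)$"
)


def parse_acl_events(log_text):
    """Return one dict per ACL Allow/Deny line; non-ACL lines (link established, etc.) are skipped."""
    events = []
    for line in log_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Count decisions per identity. An empty id is reported as '<anonymous>': the broker
    made an ACL decision for a principal it could not name."""
    return dict(Counter((e["id"] or "<anonymous>", e["decision"]) for e in events))


def anonymous_publishes(events):
    """ACL decisions (Allow or Deny) on a publish where the id is empty. An Allow here means
    the broker accepted a publish without an identity, which is exactly what a wide-open
    'acl allow-log all all' permits on the dest broker and what a reviewer would want flagged."""
    return [e for e in events if e["id"] == "" and e["action"] == "publish"]


if __name__ == "__main__":
    evs = parse_acl_events(SAMPLE_LOG)
    print(summarize(evs))
    for e in anonymous_publishes(evs):
        print(f"{e['ts']} {e['decision']} anonymous publish to {e['otype']} {e['name']}")
```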