qpid-users mailing list archives

From Gordon Sim <g...@redhat.com>
Subject Re: Why does QPID create the exchange amq.direct?
Date Wed, 22 Aug 2012 09:51:41 GMT
On 08/22/2012 10:35 AM, holger wrote:
> Hi everyone,
> I am trying to understand what the QPID C++ broker (v0.14) and JMS client
> are doing under the hood. I have a scenario where I connect to a queue
> ("BURL:Q") and read and write from it. I already noticed that the default
> settings in this case are to create the queue and set it to durable.
> Now I am trying to set up ACL rules that do give the user the appropriate
> rights for this test case, but not for anything else.
> To my surprise I require the permission to create an exchange ("acl allow
> users create exchange"). After looking at the logging output, I realized
> that the client is declaring an exchange, which throws the exception:
> 1008 DEBUG [main]  org.apache.qpid.transport.Connection     - SEND:
> [conn:11e7c5cb] ch=0 id=1 ExchangeDeclare(exchange=amq.direct, type=direct,
> passive=true)
> ...
> 1015 DEBUG [IoReceiver - gbl20004204.eu.hedani.net/]
> org.apache.qpid.transport.Connection     - RECV: [conn:11e7c5cb] ch=0
> ExecutionException(errorCode=UNAUTHORIZED_ACCESS, commandId=1, classCode=7,
> commandCode=1, fieldIndex=0, description=unauthorized-access: ACL denied
> exchange create request from holger@QPID
> (qpid/broker/SessionAdapter.cpp:87), errorInfo={})
> My question is now. Why does it do that? Shouldn't it understand that
> amq.direct is always there and that he doesn't need the permission to create
> it?

This was a defect with the broker[1], fixed for 0.18.

The exchange is declared with the passive flag set (this is required for 
all standard exchanges) meaning it should *not* be created. The broker's 
ACL model incorrectly checked for a 'create' permission for all 
declares, regardless of the passive flag.

However in the meantime you can work around it by specifying a passive 
property for the ACL rule with a value of true to distinguish between 
permission to declare passively and permission to create if necessary.

 From 0.18, all that will be required is 'access' permission for the 

[1] https://issues.apache.org/jira/browse/QPID-3964
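
Added example, not part of the original message and not Qpid code: a small Python model of the ACL decision described above, comparing the broad `create exchange` rule, the `passive=true` workaround rule and the post-0.18 `access` rule. Assumptions: first-match-wins evaluation with default deny, the `name` property, the user `holger@QPID` in place of the `users` group, the constructed exchange name `some.new.exchange`, and `access` being checked on the exchange object.

```python
# Simplified model of Qpid-style ACL matching (an assumption, not broker code):
# rules are checked top to bottom, the first rule whose user, action, object
# and every listed property match decides, and the default is deny.

def parse_rule(line):
    """Parse 'acl <allow|deny> <user> <action> <object> [key=value ...]'."""
    _, decision, user, action, obj, *props = line.split()
    return decision, user, action, obj, dict(p.split("=", 1) for p in props)

def evaluate(rules, user, action, obj, props):
    for decision, r_user, r_action, r_obj, r_props in map(parse_rule, rules):
        if r_user not in ("all", user) or r_action not in ("all", action):
            continue
        if r_obj not in ("all", obj):
            continue
        # A rule property that the request does not carry counts as a mismatch.
        if all(props.get(k) == v for k, v in r_props.items()):
            return decision
    return "deny"

def check_declare(rules, user, exchange, passive, fixed_in_0_18):
    """Authorise an ExchangeDeclare under the pre-fix or post-fix behaviour."""
    props = {"name": exchange, "passive": "true" if passive else "false"}
    if passive and fixed_in_0_18:
        # From 0.18 a passive declare only needs 'access' (object assumed).
        return evaluate(rules, user, "access", "exchange", props)
    # Before the fix every declare was checked against 'create'.
    return evaluate(rules, user, "create", "exchange", props)

USER = "holger@QPID"
# Rule from the question, with the user substituted for the 'users' group.
BROAD = ["acl allow holger@QPID create exchange"]
# Workaround from the reply: only passive declares of amq.direct match.
WORKAROUND = ["acl allow holger@QPID create exchange name=amq.direct passive=true"]
# Rule needed once the broker checks 'access' for passive declares.
POST_FIX = ["acl allow holger@QPID access exchange name=amq.direct"]

if __name__ == "__main__":
    for label, rules, fixed in (("broad", BROAD, False),
                                ("workaround", WORKAROUND, False),
                                ("0.18 access", POST_FIX, True)):
        passive = check_declare(rules, USER, "amq.direct", True, fixed)
        create = check_declare(rules, USER, "some.new.exchange", False, fixed)
        print(f"{label:12} passive amq.direct={passive:5} new exchange={create}")
```

The broad rule lets the client create arbitrary exchanges, while the other two rule sets allow only the passive declare of `amq.direct` that the JMS client actually sends.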
