qpid-users mailing list archives

From Jakub Scholz <ja...@scholz.cz>
Subject Re: Why does QPID create the exchange amq.direct?
Date Wed, 22 Aug 2012 09:50:07 GMT
Hi Holger,

I cannot answer your question "why". But to my understanding the
ExchangeDeclare command with passive=true doesn't really declare the
exchange, but it is just kind of asking whether the exchange exists -
it should return "OK" in case the exchange exists and "FAIL" in case
it doesn't.

To allow it in your ACLs, you do not need to use "acl allow users
create exchange", but you can use the "acl allow users create exchange
name=amq.direct passive=true" rule which will allow the users to send
only this specific command without giving them the possibility to
actually declare any exchange. So it should not cause any security
problems.

Regards
Jakub


On Wed, Aug 22, 2012 at 11:35 AM, holger
<holger.caesar@credit-suisse.com> wrote:
> Hi everyone,
> I am trying to understand what the QPID C++ broker (v0.14) and JMS client
> are doing under the hood. I have a scenario where I connect to a queue
> ("BURL:Q") and read and write from it. I already noticed that the default
> settings in this case are to create the queue and set it to durable.
> Now I am trying to set up ACL rules that do give the user the appropriate
> rights for this test case, but not for anything else.
>
> To my surprise I require the permission to create an exchange ("acl allow
> users create exchange"). After looking at the logging output, I realized
> that the client is declaring an exchange, which throws the exception:
>
> 1008 DEBUG [main]  org.apache.qpid.transport.Connection     - SEND:
> [conn:11e7c5cb] ch=0 id=1 ExchangeDeclare(exchange=amq.direct, type=direct,
> passive=true)
> ...
> 1015 DEBUG [IoReceiver - gbl20004204.eu.hedani.net/166.12.91.155:5672]
> org.apache.qpid.transport.Connection     - RECV: [conn:11e7c5cb] ch=0
> ExecutionException(errorCode=UNAUTHORIZED_ACCESS, commandId=1, classCode=7,
> commandCode=1, fieldIndex=0, description=unauthorized-access: ACL denied
> exchange create request from holger@QPID
> (qpid/broker/SessionAdapter.cpp:87), errorInfo={})
>
>
> My question is now: why does it do that? Shouldn't it understand that
> amq.direct is always there and that he doesn't need the permission to create
> it?
>
> Cheers,
> Holger
>
>
>
> --
> View this message in context: http://qpid.2158936.n2.nabble.com/Why-does-QPID-create-the-exchange-amq-direct-tp7581190.html
> Sent from the Apache Qpid users mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> For additional commands, e-mail: users-help@qpid.apache.org
>
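
The difference between the broad rule and the narrow rule discussed in this thread, as an added example that is not part of the original messages or of Qpid's code. It is a simplified model that assumes first-match rule ordering and an implicit final deny; the group line, the `decide` helper and the exchange name `other.exchange` are constructed for illustration.

```python
# Added example: simplified model of ACL rule matching (assumption: first
# matching rule wins, implicit deny at the end). Not the broker's code.

# Constructed ACL files; the group membership line is an assumption.
BROAD = """\
group users holger@QPID
acl allow users create exchange
acl deny all all
"""
NARROW = """\
group users holger@QPID
acl allow users create exchange name=amq.direct passive=true
acl deny all all
"""

def parse(text):
    """Split ACL text into group membership and an ordered rule list."""
    groups, rules = {}, []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "group":
            groups[tok[1]] = set(tok[2:])
        elif tok[0] == "acl":
            action = tok[3] if len(tok) > 3 else "all"
            obj = tok[4] if len(tok) > 4 else "all"
            props = dict(p.split("=", 1) for p in tok[5:])
            rules.append((tok[1], tok[2], action, obj, props))
    return groups, rules

def decide(text, user, action, obj, **props):
    """Return 'allow' or 'deny' for one request against the ACL text."""
    groups, rules = parse(text)
    for decision, who, r_action, r_obj, r_props in rules:
        if who not in ("all", user) and user not in groups.get(who, ()):
            continue
        if r_action not in ("all", action) or r_obj not in ("all", obj):
            continue
        # Every property named in the rule must equal the request's value.
        if all(props.get(k) == v for k, v in r_props.items()):
            return decision
    return "deny"
```

Under the narrow rule only the passive existence check on amq.direct passes; the broad rule also lets the same user declare arbitrary new exchanges.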
