Details
Bug
Status: Closed
Major
Resolution: Not A Problem
0.12
None
Built from source on ubuntu 10.04 x64
Description
PROBLEM STATEMENT:
I cannot get broker federation to work with ACLs enabled. I keep getting "ACL denied creating a federation link" even though my user has all permissions, on both brokers.
STEPS TO REPRODUCE:
- Create an acl file like the following:
acl allow federation@QPID all all
acl deny all all
- Create the federation user in the sasl db
- Using the following config:
auth-realm=QPID
log-enable=info+
acl-file=/usr/local/etc/qpid/qpidd.acl
sasl-config=/usr/local/etc/sasl2
auth=yes
- Start two brokers using the same config but different ports and data dirs (makes it easy to test the exact same authentication parameters for both brokers)
- In my case I am creating a queue push route, so create a queue and do:
qpid-route queue add -s federation/password@localhost:5000 federation/password@localhost:5001 amq.direct myqueue
Note that the use of a push route does not matter; I tested push and pull and both fail. I just want to point out that I am using a push route to ensure that gets tested as part of the fix for this.
RESULTS:
The connection fails to get created with an error: "ACL denied creating a federation link"
In the debug log on the destination broker I see:
2011-11-11 15:50:20 debug ACL: Lookup for id: action:create objectType:link name: with params { }
2011-11-11 15:50:20 debug No successful match, defaulting to the decision mode deny
It appears that the user ID is not getting sent across.
EXPECTED RESULTS:
The federation link should work with proper ACLs in place
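
Added example (not part of the original report and not Qpid code): a Python sketch that parses ACL lookup lines of the form quoted above and evaluates them against the ACL file from the report, using a simplified first-match model without groups or property matching. The second log line and all function names are constructed for the illustration.

```python
import re

# ACL file from the report. Assumed model: rules are checked top to bottom,
# the first match decides, "all" is a wildcard (no groups, no properties).
ACL_TEXT = """\
acl allow federation@QPID all all
acl deny all all
"""

LOOKUP_RE = re.compile(
    r"ACL: Lookup for id:(?P<user>\S*) action:(?P<action>\S+) "
    r"objectType:(?P<obj>\S+) name:(?P<name>\S*) with params"
)

def parse_acl(text):
    """Return (permission, user, action, object) tuples from 'acl' lines."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "acl":
            obj = parts[4] if len(parts) > 4 else "all"  # object is optional
            rules.append((parts[1], parts[2], parts[3], obj))
    return rules

def decide(rules, user, action, obj):
    """First matching rule wins; fall back to deny if nothing matches."""
    for rule in rules:
        perm, r_user, r_action, r_obj = rule
        if (r_user in ("all", user) and r_action in ("all", action)
                and r_obj in ("all", obj)):
            return perm, rule
    return "deny", None

def audit(log_lines, rules):
    """Yield one finding per ACL lookup line, flagging an empty identity."""
    for line in log_lines:
        m = LOOKUP_RE.search(line)
        if m:
            decision, rule = decide(rules, m["user"], m["action"], m["obj"])
            yield {"user": m["user"], "action": m["action"], "object": m["obj"],
                   "decision": decision, "rule": rule, "anonymous": m["user"] == ""}

SAMPLE_LOG = [
    # As quoted in the report: the id field is empty.
    "2011-11-11 15:50:20 debug ACL: Lookup for id: action:create objectType:link name: with params { }",
    # Constructed line: the same lookup with the identity populated.
    "2011-11-11 15:50:21 debug ACL: Lookup for id:federation@QPID action:create objectType:link name: with params { }",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, parse_acl(ACL_TEXT)):
        print(finding)
```

Under this model, the lookup with the empty id skips the `federation@QPID` allow rule and is decided by `acl deny all all`, while the same lookup carrying the identity is allowed.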