[Java Broker] Temporary queues ACLs for multiple users

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

[Java Broker] Temporary queues ACLs for multiple users

Vavricka
Hi,

I am trying to get working temporary queues on Java Broker. Each user should
have access only to queue which he created.

ACL rights:

ACL ALLOW-LOG user1 ACCESS VIRTUALHOST
ACL ALLOW-LOG user1 CREATE QUEUE temporary="true" owner="user1"
ACL ALLOW-LOG user1 CONSUME QUEUE temporary="true" owner="user1"

ACL ALLOW-LOG user2 ACCESS VIRTUALHOST
ACL ALLOW-LOG user2 CREATE QUEUE temporary="true" owner="user2"
ACL ALLOW-LOG user2 CONSUME QUEUE temporary="true" owner="user2"

I successfully create temporary queue by JMS method "TemporaryQueue
temporaryQueue = session.createTemporaryQueue()", queue is correctly created
on broker, but owner is not set in webgui (however createdBy and
lastUpdatedBy in JSON is correctly set to corresponding user).

When I try to create consumer by "MessageConsumer consumer =
session.createConsumer(temporaryQueue)", I get "Permission CREATE is denied
for : Consumer ...". When owner is not set in CONSUME ACL I can create
consumer without error, but both users can consume same queue. Is there any
different way to distinguish temporary queues, so one user cannot read other
user messages?

Another issue is I cannot sent messages directly to temporary queue. When I
try to send message I get error "Permission PERFORM_ACTION(publish) is
denied for : Queue 'TempQueueba2f889e-f95c-49d4-8c15-023e62666320'". We
could utilize sending messages directly to queue, because we cannot
dynamically create exchange binding by REST API. Or is there any way to set
bindings by JMS?

Java Broker 7.0.3
Qpid JMS client 0.31.0

Tomas



--
Sent from: http://qpid.2158936.n2.nabble.com/Apache-Qpid-users-f2158936.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [Java Broker] Temporary queues ACLs for multiple users

Keith Wall
Hi Tomas

Unfortunately, Broker-J's access_control plugin is not too good.  It
is something we would like to rework when schedules allow.  The
current module actually uses an object modal that pre-dates the
current one - which leads to user confusion and an ugly adaption layer
in the code.  The ACL also assumes AMQP 0-x conventions - publishing
only to exchanges and consuming from queues when expressing rules
which creates a further wrinkle when using AMQP 1.0.

The current module lets you specify rules that match objects using
zero or more property qualifiers (e.g. name="foo" or type="fanout"),
so it is possible to write rules about named objects in your system
and all objects matching certain criteria.   For temporary queues,
this doesn't work well as you have discovered.  It is possible to say
that user foo can (or cannot) consume from any temporary queue using
the temporary=true qualifier, but it is not possible to be specific,
but you cannot express a rule that gives users to temporary queues
that they have created.

The ACL mechanism is pluggable - so it would be possible to write a
module that would give the behaviour you need.  You would need to look
at the AccessControlProvider and AccessControl interfaces.  The Broker
supports one or more access control providers.  It consults each
AccessControlProvider in order until one make a decision that is not
DEFER.  So you could hopefully write a simple ACL module that you give
you the additional behaviour you need and fallback on access_control
plugin for everything else.  If you want to explore this route, I
could share some skeletal code to help get you started.

Turning to your last point, when using AMQP 1.0 and wishing to
permission publishing directly to queues, as access_control plugin
knows only AMQP 0-x conventions you have to permission the default
exchange.

ACL ALLOW-LOG foo PUBLISH EXCHANGE name="" routingKey="queueName"

Hope this helps.

Keith

On 5 April 2018 at 14:46, Vavricka <[hidden email]> wrote:

> Hi,
>
> I am trying to get working temporary queues on Java Broker. Each user should
> have access only to queue which he created.
>
> ACL rights:
>
> ACL ALLOW-LOG user1 ACCESS VIRTUALHOST
> ACL ALLOW-LOG user1 CREATE QUEUE temporary="true" owner="user1"
> ACL ALLOW-LOG user1 CONSUME QUEUE temporary="true" owner="user1"
>
> ACL ALLOW-LOG user2 ACCESS VIRTUALHOST
> ACL ALLOW-LOG user2 CREATE QUEUE temporary="true" owner="user2"
> ACL ALLOW-LOG user2 CONSUME QUEUE temporary="true" owner="user2"
>
> I successfully create temporary queue by JMS method "TemporaryQueue
> temporaryQueue = session.createTemporaryQueue()", queue is correctly created
> on broker, but owner is not set in webgui (however createdBy and
> lastUpdatedBy in JSON is correctly set to corresponding user).
>
> When I try to create consumer by "MessageConsumer consumer =
> session.createConsumer(temporaryQueue)", I get "Permission CREATE is denied
> for : Consumer ...". When owner is not set in CONSUME ACL I can create
> consumer without error, but both users can consume same queue. Is there any
> different way to distinguish temporary queues, so one user cannot read other
> user messages?
>
> Another issue is I cannot sent messages directly to temporary queue. When I
> try to send message I get error "Permission PERFORM_ACTION(publish) is
> denied for : Queue 'TempQueueba2f889e-f95c-49d4-8c15-023e62666320'". We
> could utilize sending messages directly to queue, because we cannot
> dynamically create exchange binding by REST API. Or is there any way to set
> bindings by JMS?
>
> Java Broker 7.0.3
> Qpid JMS client 0.31.0
>
> Tomas
>
>
>
> --
> Sent from: http://qpid.2158936.n2.nabble.com/Apache-Qpid-users-f2158936.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [Java Broker] Temporary queues ACLs for multiple users

Vavricka
Hi Keith,

thanks for explanation.

It will be great if you can post skeletal code of ACL module.

Tomas


Keith Wall wrote

> Hi Tomas
>
> Unfortunately, Broker-J's access_control plugin is not too good.  It
> is something we would like to rework when schedules allow.  The
> current module actually uses an object modal that pre-dates the
> current one - which leads to user confusion and an ugly adaption layer
> in the code.  The ACL also assumes AMQP 0-x conventions - publishing
> only to exchanges and consuming from queues when expressing rules
> which creates a further wrinkle when using AMQP 1.0.
>
> The current module lets you specify rules that match objects using
> zero or more property qualifiers (e.g. name="foo" or type="fanout"),
> so it is possible to write rules about named objects in your system
> and all objects matching certain criteria.   For temporary queues,
> this doesn't work well as you have discovered.  It is possible to say
> that user foo can (or cannot) consume from any temporary queue using
> the temporary=true qualifier, but it is not possible to be specific,
> but you cannot express a rule that gives users to temporary queues
> that they have created.
>
> The ACL mechanism is pluggable - so it would be possible to write a
> module that would give the behaviour you need.  You would need to look
> at the AccessControlProvider and AccessControl interfaces.  The Broker
> supports one or more access control providers.  It consults each
> AccessControlProvider in order until one make a decision that is not
> DEFER.  So you could hopefully write a simple ACL module that you give
> you the additional behaviour you need and fallback on access_control
> plugin for everything else.  If you want to explore this route, I
> could share some skeletal code to help get you started.
>
> Turning to your last point, when using AMQP 1.0 and wishing to
> permission publishing directly to queues, as access_control plugin
> knows only AMQP 0-x conventions you have to permission the default
> exchange.
>
> ACL ALLOW-LOG foo PUBLISH EXCHANGE name="" routingKey="queueName"
>
> Hope this helps.
>
> Keith
>
> On 5 April 2018 at 14:46, Vavricka &lt;

> vavricka.tomas@

> &gt; wrote:
>> Hi,
>>
>> I am trying to get working temporary queues on Java Broker. Each user
>> should
>> have access only to queue which he created.
>>
>> ACL rights:
>>
>> ACL ALLOW-LOG user1 ACCESS VIRTUALHOST
>> ACL ALLOW-LOG user1 CREATE QUEUE temporary="true" owner="user1"
>> ACL ALLOW-LOG user1 CONSUME QUEUE temporary="true" owner="user1"
>>
>> ACL ALLOW-LOG user2 ACCESS VIRTUALHOST
>> ACL ALLOW-LOG user2 CREATE QUEUE temporary="true" owner="user2"
>> ACL ALLOW-LOG user2 CONSUME QUEUE temporary="true" owner="user2"
>>
>> I successfully create temporary queue by JMS method "TemporaryQueue
>> temporaryQueue = session.createTemporaryQueue()", queue is correctly
>> created
>> on broker, but owner is not set in webgui (however createdBy and
>> lastUpdatedBy in JSON is correctly set to corresponding user).
>>
>> When I try to create consumer by "MessageConsumer consumer =
>> session.createConsumer(temporaryQueue)", I get "Permission CREATE is
>> denied
>> for : Consumer ...". When owner is not set in CONSUME ACL I can create
>> consumer without error, but both users can consume same queue. Is there
>> any
>> different way to distinguish temporary queues, so one user cannot read
>> other
>> user messages?
>>
>> Another issue is I cannot sent messages directly to temporary queue. When
>> I
>> try to send message I get error "Permission PERFORM_ACTION(publish) is
>> denied for : Queue 'TempQueueba2f889e-f95c-49d4-8c15-023e62666320'". We
>> could utilize sending messages directly to queue, because we cannot
>> dynamically create exchange binding by REST API. Or is there any way to
>> set
>> bindings by JMS?
>>
>> Java Broker 7.0.3
>> Qpid JMS client 0.31.0
>>
>> Tomas
>>
>>
>>
>> --
>> Sent from:
>> http://qpid.2158936.n2.nabble.com/Apache-Qpid-users-f2158936.html
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:

> users-unsubscribe@.apache

>> For additional commands, e-mail:

> users-help@.apache

>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:

> users-unsubscribe@.apache

> For additional commands, e-mail:

> users-help@.apache





--
Sent from: http://qpid.2158936.n2.nabble.com/Apache-Qpid-users-f2158936.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [Java Broker] Temporary queues ACLs for multiple users

Keith Wall
Hi Tomas

Having had change to reflect on this a bit more, I am contemplating a
change to the existing access-control-plugin which would let you
express rules for objects that the current user has created using a
special pseudo subject 'OWNER'.

It will look something like:

ACL ALLOW-LOG OWNER CONSUME QUEUE

This rule would allow anyone who was the creator of queue (as carried
by the queue's createdBy attribute), to consume from it.

If such an extension existed, would it solve your use-case?  I hope to
have a patch up for you to play with tomorrow.

cheers, Keith.



On 6 April 2018 at 11:25, Vavricka <[hidden email]> wrote:

> Hi Keith,
>
> thanks for explanation.
>
> It will be great if you can post skeletal code of ACL module.
>
> Tomas
>
>
> Keith Wall wrote
>> Hi Tomas
>>
>> Unfortunately, Broker-J's access_control plugin is not too good.  It
>> is something we would like to rework when schedules allow.  The
>> current module actually uses an object modal that pre-dates the
>> current one - which leads to user confusion and an ugly adaption layer
>> in the code.  The ACL also assumes AMQP 0-x conventions - publishing
>> only to exchanges and consuming from queues when expressing rules
>> which creates a further wrinkle when using AMQP 1.0.
>>
>> The current module lets you specify rules that match objects using
>> zero or more property qualifiers (e.g. name="foo" or type="fanout"),
>> so it is possible to write rules about named objects in your system
>> and all objects matching certain criteria.   For temporary queues,
>> this doesn't work well as you have discovered.  It is possible to say
>> that user foo can (or cannot) consume from any temporary queue using
>> the temporary=true qualifier, but it is not possible to be specific,
>> but you cannot express a rule that gives users to temporary queues
>> that they have created.
>>
>> The ACL mechanism is pluggable - so it would be possible to write a
>> module that would give the behaviour you need.  You would need to look
>> at the AccessControlProvider and AccessControl interfaces.  The Broker
>> supports one or more access control providers.  It consults each
>> AccessControlProvider in order until one make a decision that is not
>> DEFER.  So you could hopefully write a simple ACL module that you give
>> you the additional behaviour you need and fallback on access_control
>> plugin for everything else.  If you want to explore this route, I
>> could share some skeletal code to help get you started.
>>
>> Turning to your last point, when using AMQP 1.0 and wishing to
>> permission publishing directly to queues, as access_control plugin
>> knows only AMQP 0-x conventions you have to permission the default
>> exchange.
>>
>> ACL ALLOW-LOG foo PUBLISH EXCHANGE name="" routingKey="queueName"
>>
>> Hope this helps.
>>
>> Keith
>>
>> On 5 April 2018 at 14:46, Vavricka &lt;
>
>> vavricka.tomas@
>
>> &gt; wrote:
>>> Hi,
>>>
>>> I am trying to get working temporary queues on Java Broker. Each user
>>> should
>>> have access only to queue which he created.
>>>
>>> ACL rights:
>>>
>>> ACL ALLOW-LOG user1 ACCESS VIRTUALHOST
>>> ACL ALLOW-LOG user1 CREATE QUEUE temporary="true" owner="user1"
>>> ACL ALLOW-LOG user1 CONSUME QUEUE temporary="true" owner="user1"
>>>
>>> ACL ALLOW-LOG user2 ACCESS VIRTUALHOST
>>> ACL ALLOW-LOG user2 CREATE QUEUE temporary="true" owner="user2"
>>> ACL ALLOW-LOG user2 CONSUME QUEUE temporary="true" owner="user2"
>>>
>>> I successfully create temporary queue by JMS method "TemporaryQueue
>>> temporaryQueue = session.createTemporaryQueue()", queue is correctly
>>> created
>>> on broker, but owner is not set in webgui (however createdBy and
>>> lastUpdatedBy in JSON is correctly set to corresponding user).
>>>
>>> When I try to create consumer by "MessageConsumer consumer =
>>> session.createConsumer(temporaryQueue)", I get "Permission CREATE is
>>> denied
>>> for : Consumer ...". When owner is not set in CONSUME ACL I can create
>>> consumer without error, but both users can consume same queue. Is there
>>> any
>>> different way to distinguish temporary queues, so one user cannot read
>>> other
>>> user messages?
>>>
>>> Another issue is I cannot sent messages directly to temporary queue. When
>>> I
>>> try to send message I get error "Permission PERFORM_ACTION(publish) is
>>> denied for : Queue 'TempQueueba2f889e-f95c-49d4-8c15-023e62666320'". We
>>> could utilize sending messages directly to queue, because we cannot
>>> dynamically create exchange binding by REST API. Or is there any way to
>>> set
>>> bindings by JMS?
>>>
>>> Java Broker 7.0.3
>>> Qpid JMS client 0.31.0
>>>
>>> Tomas
>>>
>>>
>>>
>>> --
>>> Sent from:
>>> http://qpid.2158936.n2.nabble.com/Apache-Qpid-users-f2158936.html
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail:
>
>> users-unsubscribe@.apache
>
>>> For additional commands, e-mail:
>
>> users-help@.apache
>
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>
>> users-unsubscribe@.apache
>
>> For additional commands, e-mail:
>
>> users-help@.apache
>
>
>
>
>
> --
> Sent from: http://qpid.2158936.n2.nabble.com/Apache-Qpid-users-f2158936.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [Java Broker] Temporary queues ACLs for multiple users

Vavricka
Hi Keith,

excellent idea, this will completely solve our use case.

Regards,
Tomas



--
Sent from: http://qpid.2158936.n2.nabble.com/Apache-Qpid-users-f2158936.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]