Uploaded image for project: 'AMQ Broker'
  1. AMQ Broker
  2. ENTMQBR-3719

LegacyLDAPSecuritySettingPlugin allows new user to access any newly created destinations

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • AMQ 7.8.0.CR1
    • AMQ 7.7.0.GA
    • security
    • None
    • +
    • Previously, when a new permission was added to LDAP, the `LegacyLDAPSecuritySettingPlugin` plugin used the new permission to modify the default security match. This could break authorization for existing users. This issue is now resolved.
    • Documented as Resolved Issue
    • Verified in a release

      This issue relates to ENTMQBR-3370 but a slightly different problem. 

      Newly created user/group can still access any newly created queues/destinations. For all existing destinations that have already had proper "read", "write" and "admin" permission configured, the newly created user/group worked fine. But not for any new destinations.

      For instance, an user "user3" from group "team3" has been configured to access queues "project3.$". If we create a new user "user4" from group "team4" and they are configured to only access queues "project4.$". But without restarting the AMQ broker, those changes in backend LDAP server will allow the user "user4" to access any other destinations, for instance, it can access queue "project8.test". For the existing configured queues like "project3.test", the user "user4" won't be able to access it, just as usual.

      This strange behaviour will disappear after the AMQ broker restart. After that, everything worked fine as expected.

        1. broker.xml
          12 kB
        2. login.config
          2 kB
        3. original.ldif
          6 kB
        4. user4.ldif
          1 kB

            rhn-support-jbertram Justin Bertram
            rhn-support-qluo Joe Luo
            Tiago Bueno Tiago Bueno
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: