Uploaded image for project: 'AMQ Broker'
  1. AMQ Broker
  2. ENTMQBR-3719

LegacyLDAPSecuritySettingPlugin allows new user to access any newly created destinations



    • Bug
    • Resolution: Done
    • Critical
    • AMQ 7.8.0.CR1
    • AMQ 7.7.0.GA
    • security
    • None
    • +
    • Previously, when a new permission was added to LDAP, the `LegacyLDAPSecuritySettingPlugin` plugin used the new permission to modify the default security match. This could break authorization for existing users. This issue is now resolved.
    • Documented as Resolved Issue
    • Verified in a release


      This issue relates to ENTMQBR-3370 but a slightly different problem. 

      Newly created user/group can still access any newly created queues/destinations. For all existing destinations that have already had proper "read", "write" and "admin" permission configured, the newly created user/group worked fine. But not for any new destinations.

      For instance, an user "user3" from group "team3" has been configured to access queues "project3.$". If we create a new user "user4" from group "team4" and they are configured to only access queues "project4.$". But without restarting the AMQ broker, those changes in backend LDAP server will allow the user "user4" to access any other destinations, for instance, it can access queue "project8.test". For the existing configured queues like "project3.test", the user "user4" won't be able to access it, just as usual.

      This strange behaviour will disappear after the AMQ broker restart. After that, everything worked fine as expected.


        1. broker.xml
          12 kB
        2. login.config
          2 kB
        3. original.ldif
          6 kB
        4. user4.ldif
          1 kB

        Issue Links



              rhn-support-jbertram Justin Bertram
              rhn-support-qluo Joe Luo
              Tiago Bueno Tiago Bueno
              0 Vote for this issue
              4 Start watching this issue