AMQ Broker / ENTMQBR-3719

LegacyLDAPSecuritySettingPlugin allows new user to access any newly created destinations

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: AMQ 7.7.0.GA
    • Fix Version/s: AMQ 7.8.0.CR1
    • Component/s: security
    • Labels:
      None
    • Release Notes Text:
      Previously, when a new permission was added to LDAP, the `LegacyLDAPSecuritySettingPlugin` plugin used the new permission to modify the default security match. This could break authorization for existing users. This issue is now resolved.
    • Release Notes Docs Status:
      Documented as Resolved Issue
    • QE Test Coverage:
      +
    • Verified:
      Verified in a release

      Description

      This issue relates to ENTMQBR-3370 but is a slightly different problem.

      Newly created user/group can still access any newly created queues/destinations. For all existing destinations that have already had proper "read", "write" and "admin" permission configured, the newly created user/group worked fine. But not for any new destinations.

      For instance, a user "user3" from group "team3" has been configured to access queues "project3.$". If we create a new user "user4" from group "team4" and they are configured to only access queues "project4.$", then, without restarting the AMQ broker, those changes in the backend LDAP server will allow the user "user4" to access any other destinations; for instance, it can access queue "project8.test". For the existing configured queues like "project3.test", the user "user4" won't be able to access them, just as usual.

      This strange behaviour will disappear after the AMQ broker restart. After that, everything worked fine as expected.

        Attachments

        1. broker.xml
          12 kB
        2. login.config
          2 kB
        3. original.ldif
          6 kB
        4. user4.ldif
          1 kB
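
The reported behaviour can be reproduced in a small model. This is an added example, not the plugin's code and not part of the original report: it assumes most-specific-match-wins lookup with `#` as the default match, that the LDAP pattern "project3.$" corresponds to `project3.#`, and a constructed starting role `admins` on the default match.

```python
DEFAULT_MATCH = "#"  # assumed default security match (any address)

def matches(pattern, address):
    """True if a bare '#' or a 'prefix.#' pattern covers the address."""
    if pattern == DEFAULT_MATCH:
        return True
    if pattern.endswith(".#"):
        prefix = pattern[:-2]
        return address == prefix or address.startswith(prefix + ".")
    return pattern == address

def effective_roles(settings, address):
    """Roles of the most specific matching pattern; matches are not merged."""
    candidates = [p for p in settings if matches(p, address)]
    if not candidates:
        return set()
    best = max(candidates, key=lambda p: (p != DEFAULT_MATCH, len(p)))
    return settings[best]

def add_permission(settings, pattern, roles, buggy):
    """Apply a new LDAP permission entry to a copy of the settings."""
    updated = {p: set(r) for p, r in settings.items()}
    updated[pattern] = set(roles)
    if buggy:
        # Defect as the release note words it: the new permission
        # is also used to modify the default security match.
        updated[DEFAULT_MATCH] = set(roles)
    return updated

def can_access(settings, role, address):
    return role in effective_roles(settings, address)

def unexpected_changes(before, after, new_pattern, probes):
    """Probe addresses outside new_pattern whose effective roles changed."""
    return [a for a in probes
            if not matches(new_pattern, a)
            and effective_roles(before, a) != effective_roles(after, a)]

# Constructed sample state, using the names from the report.
BASE = {DEFAULT_MATCH: {"admins"}, "project3.#": {"team3"}}
PROBES = ["project3.test", "project4.test", "project8.test"]
BUGGY = add_permission(BASE, "project4.#", {"team4"}, buggy=True)
FIXED = add_permission(BASE, "project4.#", {"team4"}, buggy=False)

if __name__ == "__main__":
    for name, state in (("buggy", BUGGY), ("fixed", FIXED)):
        print(name, "team4 on project8.test:", can_access(state, "team4", "project8.test"),
              "| changed:", unexpected_changes(BASE, state, "project4.#", PROBES))
```

Running the same kind of before/after comparison of effective roles on a live broker, over addresses the LDAP change was not meant to touch, is a direct regression check for this issue.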

              People

              Assignee:
              rhn-support-jbertram Justin Bertram
              Reporter:
              rhn-support-qluo Joe Luo
              Tester:
              Tiago Bueno
              Votes:
              0
              Watchers:
              4