diff options
-rw-r--r-- | qpid/cpp/src/qpid/acl/Acl.cpp | 4 | ||||
-rw-r--r-- | qpid/cpp/src/qpid/acl/Acl.h | 5 | ||||
-rw-r--r-- | qpid/cpp/src/qpid/acl/AclPlugin.cpp | 25 | ||||
-rw-r--r-- | qpid/cpp/src/qpid/broker/AclModule.h | 2 | ||||
-rw-r--r-- | qpid/cpp/src/qpid/broker/ConnectionHandler.cpp | 2 | ||||
-rw-r--r-- | qpid/cpp/src/qpid/broker/amqp/Authorise.cpp | 2 |
6 files changed, 23 insertions, 17 deletions
diff --git a/qpid/cpp/src/qpid/acl/Acl.cpp b/qpid/cpp/src/qpid/acl/Acl.cpp index e75573b623..3d83cb0b2b 100644 --- a/qpid/cpp/src/qpid/acl/Acl.cpp +++ b/qpid/cpp/src/qpid/acl/Acl.cpp @@ -55,7 +55,8 @@ namespace _qmf = qmf::org::apache::qpid::acl; Acl::Acl (AclValues& av, Broker& b): aclValues(av), broker(&b), transferAcl(false), connectionCounter(new ConnectionCounter(*this, aclValues.aclMaxConnectPerUser, aclValues.aclMaxConnectPerIp, aclValues.aclMaxConnectTotal)), - resourceCounter(new ResourceCounter(*this, aclValues.aclMaxQueuesPerUser)){ + resourceCounter(new ResourceCounter(*this, aclValues.aclMaxQueuesPerUser)),userRules(true) +{ if (aclValues.aclMaxConnectPerUser > AclData::getConnectMaxSpec()) throw Exception("--connection-limit-per-user switch cannot be larger than " + AclData::getMaxConnectSpecStr()); @@ -86,6 +87,7 @@ Acl::Acl (AclValues& av, Broker& b): aclValues(av), broker(&b), transferAcl(fals } } else { loadEmptyAclRuleset(); + userRules = false; QPID_LOG(debug, "ACL loaded empty rule set"); } broker->getConnectionObservers().add(connectionCounter); diff --git a/qpid/cpp/src/qpid/acl/Acl.h b/qpid/cpp/src/qpid/acl/Acl.h index d1d7033fe3..655e1554f6 100644 --- a/qpid/cpp/src/qpid/acl/Acl.h +++ b/qpid/cpp/src/qpid/acl/Acl.h @@ -67,6 +67,7 @@ private: mutable qpid::sys::Mutex dataLock; boost::shared_ptr<ConnectionCounter> connectionCounter; boost::shared_ptr<ResourceCounter> resourceCounter; + bool userRules; public: Acl (AclValues& av, broker::Broker& b); @@ -85,6 +86,10 @@ public: return aclValues.aclMaxConnectTotal; }; + inline virtual bool userAclRules() { + return userRules; + }; + // create specilied authorise methods for cases that need faster matching as needed. virtual bool authorise( const std::string& id, diff --git a/qpid/cpp/src/qpid/acl/AclPlugin.cpp b/qpid/cpp/src/qpid/acl/AclPlugin.cpp index 04044867ec..77580ba531 100644 --- a/qpid/cpp/src/qpid/acl/AclPlugin.cpp +++ b/qpid/cpp/src/qpid/acl/AclPlugin.cpp @@ -62,20 +62,17 @@ struct AclPlugin : public Plugin { Options* getOptions() { return &options; } void init(broker::Broker& b) { - if (acl) throw Exception("ACL plugin cannot be initialized twice in one process."); - - if (values.aclFile.empty()){ - QPID_LOG(info, "ACL Policy file not specified."); - } else { - sys::Path aclFile(values.aclFile); - sys::Path dataDir(b.getDataDir().getPath()); - if (!aclFile.isAbsolute() && !dataDir.empty()) - values.aclFile = (dataDir + aclFile).str(); - - acl = new Acl(values, b); - b.setAcl(acl.get()); - b.addFinalizer(boost::bind(&AclPlugin::shutdown, this)); - } + if (acl) throw Exception("ACL plugin cannot be initialized twice in one process."); + + if (!values.aclFile.empty()){ + sys::Path aclFile(values.aclFile); + sys::Path dataDir(b.getDataDir().getPath()); + if (!aclFile.isAbsolute() && !dataDir.empty()) + values.aclFile = (dataDir + aclFile).str(); + } + acl = new Acl(values, b); + b.setAcl(acl.get()); + b.addFinalizer(boost::bind(&AclPlugin::shutdown, this)); } template <class T> bool init(Plugin::Target& target) { diff --git a/qpid/cpp/src/qpid/broker/AclModule.h b/qpid/cpp/src/qpid/broker/AclModule.h index aa0ea0c6b0..f97c932e27 100644 --- a/qpid/cpp/src/qpid/broker/AclModule.h +++ b/qpid/cpp/src/qpid/broker/AclModule.h @@ -142,6 +142,8 @@ namespace broker { virtual uint16_t getMaxConnectTotal()=0; + virtual bool userAclRules()=0; + virtual bool authorise( const std::string& id, const acl::Action& action, diff --git a/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp b/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp index 09f774da62..fe8a84dcce 100644 --- a/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp +++ b/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp @@ -198,7 +198,7 @@ void ConnectionHandler::Handler::startOk(const ConnectionStartOkBody& body) } if (connection.isFederationLink()) { AclModule* acl = connection.getBroker().getAcl(); - if (acl) { + if (acl && acl->userAclRules()) { if (!acl->authorise(connection.getUserId(),acl::ACT_CREATE,acl::OBJ_LINK,"")){ proxy.close(framing::connection::CLOSE_CODE_CONNECTION_FORCED, QPID_MSG("ACL denied " << connection.getUserId() diff --git a/qpid/cpp/src/qpid/broker/amqp/Authorise.cpp b/qpid/cpp/src/qpid/broker/amqp/Authorise.cpp index 28dc3b25ac..3c88414567 100644 --- a/qpid/cpp/src/qpid/broker/amqp/Authorise.cpp +++ b/qpid/cpp/src/qpid/broker/amqp/Authorise.cpp @@ -121,7 +121,7 @@ void Authorise::route(boost::shared_ptr<Exchange> exchange, const Message& msg) void Authorise::interlink() { - if (acl) { + if (acl && acl->userAclRules()) { if (!acl->authorise(user, acl::ACT_CREATE, acl::OBJ_LINK, "")){ throw Exception(qpid::amqp::error_conditions::UNAUTHORIZED_ACCESS, QPID_MSG("ACL denied " << user << " a AMQP 1.0 link")); } |