txlong poll reads any queue

Bug #900579 reported by Robert Collins
This bug affects 1 person
Affects: txlongpoll
Status: Triaged
Importance: High
Assigned to: Unassigned
Milestone: (not set)

Bug Description

This seems undesirable to me, because any misconfiguration in permissions would trivially allow effectively direct access to suck down messages. (We've had misconfigurations sneak in).

I suggest that txlongpoll itself enforce the queue namespace we have (longpoll + random) giving us a defence in depth approach.

This is needed to go live with txlongpoll.

Tags: longpoll
Gavin Panella (allenap) wrote :

Can this be addressed with RabbitMQ's access control mechanisms [1]
which appear to allow quite fine-grained control over what users may
do?

[1] http://www.rabbitmq.com/access-control.html

Robert Collins (lifeless) wrote : Re: [Bug 900579] Re: txlong poll reads any queue

The point of this is to provide extra insurance over everything being
configured Just Right. The rabbit acls are regexps - and it's not that
hard to get such a thing wrong.

Gavin Panella (allenap) wrote :

Note to whoever fixes this: because txlongpoll is intended not just
for Launchpad, the namespace/pattern ought to be configurable. Right
now everything is done via command line arguments, so adding another
is probably the expedient approach.
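
The check discussed in this thread, sketched as an added example (not txlongpoll's code and not written by anyone in the thread): a configurable pattern that every requested queue name must fully match before the broker is touched, next to the unanchored match that makes regexp rules easy to get wrong. The `--queue-pattern` option, the function names and the `longpoll.<random>` format are assumptions.

```python
import argparse
import re

# Assumed namespace: "longpoll." plus a random token (format is a guess).
DEFAULT_PATTERN = r"longpoll\.[A-Za-z0-9_-]{8,64}"


def build_parser():
    """CLI parser with a hypothetical --queue-pattern option."""
    parser = argparse.ArgumentParser()
    parser.add_argument("--queue-pattern", default=DEFAULT_PATTERN,
                        help="regexp a requested queue name must fully match")
    return parser


def loose_check(name, pattern):
    """The easy mistake: search() accepts the pattern anywhere in the name."""
    return re.search(pattern, name) is not None


def is_allowed_queue(name, pattern):
    """Strict check: the whole name must lie inside the namespace."""
    # fullmatch() anchors both ends, so a forgotten ^ or $ in the
    # operator's pattern cannot widen what is accepted.
    return isinstance(name, str) and re.fullmatch(pattern, name) is not None


def status_for(name, pattern):
    """HTTP-style status decided before any broker call would be made."""
    return 200 if is_allowed_queue(name, pattern) else 403


# Constructed sample queue names, not taken from any real deployment.
SAMPLES = [
    "longpoll.3f9c2a7be1d04c55",          # inside the namespace
    "billing.longpoll.3f9c2a7be1d04c55",  # namespace only as a substring
    "longpoll.3f9c2a7be1d04c55\n",        # trailing newline
    "celery",                             # unrelated queue
]

if __name__ == "__main__":
    pattern = build_parser().parse_args().queue_pattern
    for name in SAMPLES:
        print(repr(name), loose_check(name, pattern), status_for(name, pattern))
```
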
