Chapter 2. Changes in 3.1.0
2.1. Enhancements
qpid-cpp
- BZ#1089652 - [RFE]: Configuration option for linear store to delete the used journal files instead of recycling them.
- Because customers required used journal files to be cleaned of all legacy user data, and returned to the pool for re-use, a linearstore file overwrite option is implemented by adding the --overwrite-before-return option flag when starting the broker (with the linearstore module loaded).When using the --overwrite-before-return option, the store overwrites the data portion of the file (the entire file excluding the header) with
\0, which erases the previous contents of the file. This will prevent any legacy data from existing in the Empty File Pool (EFP). Using this option will have a performance impact because it takes time to overwrite each file. This option should not be used if security considerations do not require it. - BZ#1080165 - [qpid] Changing system time might cause heartbeat-enabled connections to drop
- Under some circumstances the qpid broker could get confused and drop connections if the system clock was changed. The Qpid broker timekeeping is now changed so that changing the system clock does not confuse internal timekeeping. The qpid broker timekeeping is now separated into two types: Wallclock time (as determined by the system time), which no longer affects the internal workings of the broker except to print timestamps; and Relative time (usually relative to the system boot time), which is used for internal timekeeping purposes.
- BZ#1049833 - [RFE]: Allowing users to connect only from selected IP addresses
- System administrators want to restrict the hosts from which users are allowed to connect. For example, an internal broker may be locked down so that engineering and finance users may only connect from hosts in the engineering and finance subnets respectively. ACL limits are added to allow or deny users from connecting from individual hosts as specified by IP address. Brokers can now prevent connections from any internet host. Brokers may improve performance, and will improve security by specifying which users can log in from which hosts. See "Connection Limits by Host Name" in http://qpid.apache.org/releases/qpid-0.30/cpp-broker/book/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Security-Authorization
- BZ#1017743 - Posibility to disable the SSL hostname verification in C++ Linux clients
- It is now possible to disable hostname verification when connecting over SSL. In some circumstances, the certificate in use does not match the hostname used, yet there is no concern over spoofing due to other network controls. Disabling the verification performed by the qpid::messaging client is convenient in this circumstance. If a connection option 'ignore_ssl_hostname_verification_failure' is set to True, then when establishing an ssl connection, the client will not attempt to verify that the hostname of the server matches that included in the certificate.
- BZ#985870 - [RFE]: Add configurable time-delayed auto-delete for durable subscriptions
- Auto-deleted queues are useful for preventing stale queues. However without some delay on the deletion, they prevent any reliability as the queue is lost as soon as a subscriber is disconnected, which may be due to some failure condition. A delay can be configured between the time a queue becomes eligible for auto-deletion and the time the deletion actually occurs. By configuring a queue with a non-zero autodelete timeout, a subscriber of the queue can re-subscribe after a failure (providing the subscriber does so within the configured limit) and not have messages lost along with the queue.
- BZ#883866 - [RFE]: Access control for QMF functionality should be improved
- Some QMF methods bypassed ACL authorization, allowing content in any queue to be manipulated by any user that was authorized to invoke QMF methods. Missing ACL actions together with their parameters have been added that permit or deny users the ability to purge, move, redirect and reroute messages from a queue.
- BZ#728196 - Provide more descriptive error text when SASL config. file is malformed
- Improvements to the error message displayed when the /etc/sasl2/qpidd.conf contains invalid configuration are implemented in qpidd. When /etc/sasl2/qpidd.conf is unparsable, qpidd halts with a generic error. Based on the error text, it was impossible to identify the root cause of the issue (the misconfigured config file). If the qpidd.conf file contains an error, a "[Broker] critical Unexpected error" that better describes the issue is now thrown.
qpid-tools
- BZ#747314 - [RFE] Authentication error displayed for qpid is not meaningful
- It was discovered that the python client raised ambiguous error messages when trying to connect without credentials to a broker with disabled anonymous authentication. This caused the user to not get the exact reason of connection failure. An improved error message now conveys the exact information to the user.