qpid-dev mailing list archives

From "Aidan Skinner (JIRA)" <qpid-...@incubator.apache.org>
Subject [jira] Commented: (QPID-1583) IP White/Black lists for virtual hosts
Date Wed, 11 Feb 2009 11:34:59 GMT

    [ https://issues.apache.org/jira/browse/QPID-1583?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12672602#action_12672602 ]

Aidan Skinner commented on QPID-1583:
-------------------------------------

I've committed a first cut of this. More tests need to be written, and the following
are currently unimplemented:

config file reloading (uses commons configuration)
external configuration files
comma separated lists of netmasks and hostnames in rules.

> IP White/Black lists for virtual hosts
> --------------------------------------
>
>                 Key: QPID-1583
>                 URL: https://issues.apache.org/jira/browse/QPID-1583
>             Project: Qpid
>          Issue Type: New Feature
>          Components: Java Broker
>    Affects Versions: M5
>            Reporter: Aidan Skinner
>            Assignee: Aidan Skinner
>             Fix For: M5
>
>
> Having white/black lists for connecting to a virtual host would be useful.
> Questions:
> - need to provide an easy way for operators to maintain, secure & backup this list
> - should consider what to do if the file/props etc for this are corrupt/format wrong
> - if possible, the security filtering this provides should be part of a potential chain
> of access REDUCING plugins so that this is easy to drop in and teams can potentially write
> their own reducing filter class and use abstraction to define in config for broker
> - needs to be at vhost level, and potentially at queue level ?
> ------------
> Explicit allow/deny lists of connection patterns on virtualhosts in config.xml, existing
> ACL infrastructure for entities below that.
> Pattern would be one of:
> IP address
> CIDR mask
> regexp on hostname
> Changes would not be possible while broker was running, the file would need to be edited
> and then the broker restarted. This avoids the necessity to consider what happens to existing
> connections which would be excluded by a new rule. Errors in configuration would prevent broker
> startup.
> Implementation-wise, a new IPRestriction class would extend ACLPlugin which listens for
> ConnectionOpen and checks against the list of rules.
> AMQProtocolSession needs to expose access to the underlying socket.
> --- 
> We may need to reconsider allowing changes to the lists while the broker is running.
> It would probably imply storing these outwith the main configuration file and instead having
> something else, potentially a properties file, which could be edited by the broker as it
> runs.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
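The evaluator described in the issue (an ordered list of explicit allow/deny rules per virtual host, each pattern an IP address, a CIDR block or a regexp on the hostname, checked at ConnectionOpen, with configuration errors stopping startup) modelled as a small standalone program. This is an added example, not the Qpid Java Broker's IPRestriction/ACLPlugin code, and it is written in Python rather than the broker's Java. The rule syntax, the default-deny policy and the `load_error` startup check are assumptions made for this example; it also accepts comma-separated patterns in one rule, which the comment above says is still unimplemented in the broker.

```python
"""Constructed model of the per-virtualhost allow/deny evaluator sketched in
QPID-1583: ordered rules, patterns of IP address / CIDR block / hostname regexp,
fail-closed on configuration errors. Not the Qpid Java Broker's code; the rule
syntax and the default-deny policy are assumptions made for this example."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional


class RuleConfigError(ValueError):
    """Raised while loading rules so that a bad file stops broker startup."""


@dataclass
class Rule:
    action: str                                   # "allow" or "deny"
    networks: list = field(default_factory=list)  # v4/v6 networks; a bare IP is a /32 or /128
    host_regexes: list = field(default_factory=list)

    def matches(self, ip, hostname: Optional[str]) -> bool:
        # 'ip in net' is False across IP versions, so v4 and v6 rules mix safely
        if any(ip in net for net in self.networks):
            return True
        if hostname is not None:
            # fullmatch: the regexp must cover the whole name, not a substring of it
            return any(rx.fullmatch(hostname) for rx in self.host_regexes)
        return False


def parse_rule(line: str) -> Rule:
    """Assumed syntax: '<allow|deny> <pattern>[, <pattern>...]' where a pattern is
    an IP address, a CIDR block, or 'host:<regexp>' matched against the whole name."""
    parts = line.split(None, 1)
    if len(parts) != 2 or parts[0] not in ("allow", "deny"):
        raise RuleConfigError(f"rule must start with allow/deny: {line!r}")
    rule = Rule(parts[0])
    for pat in (p.strip() for p in parts[1].split(",")):
        if not pat:
            raise RuleConfigError(f"empty pattern in rule: {line!r}")
        try:
            if pat.startswith("host:"):
                rule.host_regexes.append(re.compile(pat[5:], re.IGNORECASE))
            else:
                # strict=True rejects '10.0.0.1/8' style rules with host bits set, so an
                # ambiguous mask is a startup error instead of a silently widened match
                rule.networks.append(ipaddress.ip_network(pat, strict=True))
        except (re.error, ValueError) as e:
            raise RuleConfigError(f"bad pattern {pat!r} in rule {line!r}: {e}") from e
    return rule


class VirtualHostAccessList:
    """Ordered allow/deny rules for one virtual host; the first matching rule wins."""

    def __init__(self, rule_lines: List[str], default_action: str = "deny"):
        if default_action not in ("allow", "deny"):
            raise RuleConfigError(f"bad default action {default_action!r}")
        self.default_action = default_action
        self.rules = [parse_rule(l) for l in rule_lines
                      if l.strip() and not l.lstrip().startswith("#")]

    def decide(self, peer_ip: str, peer_hostname: Optional[str] = None) -> str:
        """Called at ConnectionOpen with the socket's peer address and, if the
        broker resolved one, its hostname. Returns 'allow' or 'deny'."""
        ip = ipaddress.ip_address(peer_ip)
        for rule in self.rules:
            if rule.matches(ip, peer_hostname):
                return rule.action
        return self.default_action


def load_error(rule_lines: List[str]) -> Optional[str]:
    """Startup check: the first configuration error as text, or None if the list loads."""
    try:
        VirtualHostAccessList(rule_lines)
    except RuleConfigError as e:
        return str(e)
    return None


# Constructed sample rules for one virtual host; addresses are documentation ranges.
SAMPLE_RULES = r"""
# one specific host is denied before its subnet is allowed (order matters)
deny  192.0.2.66
allow 192.0.2.0/24, 2001:db8::/32
allow host:[a-z0-9-]+\.corp\.example
""".splitlines()

if __name__ == "__main__":
    acl = VirtualHostAccessList(SAMPLE_RULES)
    for ip, host in [("192.0.2.66", None), ("192.0.2.10", None), ("2001:db8::1", None),
                     ("198.51.100.7", "build1.corp.example"), ("198.51.100.7", None)]:
        print(ip, host, "->", acl.decide(ip, host))
    print("bad rule:", load_error(["allow 10.0.0.1/8"]))
```

Two points worth noting when reading this against the design in the issue. Rules are evaluated in order with the first match deciding, so a narrow deny placed before a broad allow behaves as an operator expects; with default-deny, a peer that matches nothing is refused, which is the safer reading of "explicit allow/deny lists". Hostname rules depend on whatever name the broker resolves for the peer address, and reverse DNS records are maintained by whoever controls that address range, not by the broker's operators, so IP and CIDR rules are the stronger control and hostname regexps are best treated as a convenience layered on top of them.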

