qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrew Kennedy <andrewinternatio...@gmail.com>
Subject Re: vhost-level access control in Java broker
Date Thu, 24 Mar 2011 21:53:36 GMT
On 23 Mar 2011, at 17:53, Danushka Menikkumbura wrote:
> Hi Marnie,
> So, "properties" in "public Result authorise(Operation operation,  
> ObjectType
> objectType, ObjectProperties properties)" should include the vhost  
> name?. I
> do not see anything like that.
> Thanks,
> Danushka
> On Wed, Mar 23, 2011 at 10:14 PM, Marnie McCormack <
> marnie.mccormack@googlemail.com> wrote:
>> Hi Danushka,
>> The ACLs (v2) on the java broker are specified per virtual host,  
>> so the
>> queue permissions already have a 'namepsace' effectively.
>> If you look at virtualhosts-systests-aclv2-settings.xml you'll see  
>> where
>> virtualhost level acl files get specified. Thus permissions for  
>> foo on
>> different vhosts get specified separately,and the call into  
>> authorise done
>> at the vhost level.


Here is an example showing what Marnie described. Suppose we have two  
virtualhosts, 'test' and 'dev', with *separate* ACL files specified  
in 'virtualhosts.xml' for each, contents as follows:

test ACL file:
	acl allow client create queue name="client.queue"
	acl allow guest create queue name="guest.queue"

dev ACL file:
	acl allow guest create queue name="client.queue"
	acl allow client create queue name="guest.queue"

This table shows the results of different users trying to create  
queues of various names on both virtualhosts:

	user	vhost	queueName	result
	----	-----	---------	------
	client	test	client.queue	yes
	guest	test	guest.queue	yes
	client	test	guest.queue	no
	guest	test	client.queue	no
	client	dev	client.queue	no
	guest	dev	guest.queue	no
	client	dev	guest.queue	yes
	guest	dev	client.queue	yes

This works because the ACL file is associated with a virtualhost  
configuration, as are broker configured entities such as queues.  
However, it is also possible to specify a *global* ACL file, and the  
protections specified in that file will apply to all virtual hosts,  
regardless. The correct/only way to obtain the behaviour described  
above is by creating an ACL file per virtualhost.

-- andrew d kennedy ? do not fold, bend, spindle, or mutilate ;
-- http://grkvlt.blogspot.com/ ? edinburgh : +44 7582 293 255 ;

Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org

View raw message