qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rajith Attapattu <rajit...@gmail.com>
Subject Re: svn commit: r1210989 - in /qpid/trunk/qpid/cpp: rubygen/ src/ src/qpid/ src/qpid/broker/ src/qpid/client/ src/qpid/cluster/ src/tests/ xml/
Date Tue, 06 Dec 2011 19:37:12 GMT
On Tue, Dec 6, 2011 at 11:02 AM, Alan Conway <aconway@redhat.com> wrote:
> On 12/06/2011 10:59 AM, Carl Trieloff wrote:
>> On 12/06/2011 10:56 AM, aconway@apache.org wrote:
>>> NOTE 1: If you are using an ACL, the cluster-username must be allowed to
>>> publish to the qpid.cluster-credentials exchange. E.g. in your ACL file:
>>> acl allow foo@QPID publish exchange name=qpid.cluster-credentials

One point that I want to highlight here is that, even though the qpid
user does not want to use "publish" acl, this change will force all
publishing to do an ACL lookup.
I haven't really done much testing to see how much of an overhead this imposes.
Unfortunately I don't have enough context/knowledge about Alan's work
to see if we could use a different approach to get around this.

If we go ahead with this, we should definitely release note this
prominently, as the user will have ACL lookups for publish even
thought they don't have any explicit rules in the ACL file.
(Note: There is an optimization in the current ACL code to not do any
ACL lookups for publishing unless there are explicit rules around



>> Alan,
>> Why require this in ACL, seems fragile.  Why not if the cluster in
>> active explicitly Add this rule to the ACL from the cluster model to
>> prevent every use starting with a broken cluster and trying to figure
>> out what is wrong!
>> Seems unfriendly and error prone, we should do this automagically.
> Fair point. I'll do that.
> ---------------------------------------------------------------------
> Apache Qpid - AMQP Messaging Implementation
> Project:      http://qpid.apache.org
> Use/Interact: mailto:dev-subscribe@qpid.apache.org

Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org

View raw message