qpid-dev mailing list archives

From "Chuck Rolke (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (QPID-3892) ACLs shall support full regular expressions in property values
Date Wed, 14 Mar 2012 15:18:39 GMT

    [ https://issues.apache.org/jira/browse/QPID-3892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13229252#comment-13229252 ]

Chuck Rolke commented on QPID-3892:

Pavel Moravec has suggested changing the C++ Broker ACL syntax to use regular expressions.
I think this is a great idea as it addresses a missing functionality in the current ACL wildcard
syntax. I would like to elaborate on his proposal.

Plugging in his suggestion is not so straightforward:
1. It breaks the current ACL specifications.
   name=tmp* would match "tm", "tmp", and "tmpp" but not "tmp2".
2. It requires a regex library such as boost::regex.

I propose to include regular expressions in the ACL property values match by:

1. Adding a new keyword to the ACL file to control regex matching.
matchregex on
matchregex off

   * This defaults to off and current ACL files are processed exactly as before.
   * Whenever 'matchregex on' happens in the ACL file then subsequent rules are processed
with the property value strings being regex match strings and not plain text strings.
   * Regex matching can be turned off again with 'matchregex off'.

2. Boost_regex is added as a dependency for acl.so. I know that there has been activity not
so long ago to get rid of boost_regex. However the need for more complex property value match
specifications is acute. 

My GCC 4.6.2 has a <tr1/regex> for compilation but it does not link so that's no good.
Are there better alternatives? 


An enterprise customer may wish to use:

acl allow dev bind exchange name=Price routingkey=Price.*.*.* queuename=TempQueue*

This is impossible to specify today. With regex processing the same customer could use:

matchregex on
acl allow dev bind exchange name=Price routingkey=Price\..*\..*\..* queuename=TempQueue.*

I'll complete these changes and put them up to Review Board.


> ACLs shall support full regular expressions in property values
> --------------------------------------------------------------
>                 Key: QPID-3892
>                 URL: https://issues.apache.org/jira/browse/QPID-3892
>             Project: Qpid
>          Issue Type: Improvement
>          Components: C++ Broker
>    Affects Versions: 0.14
>            Reporter: Pavel Moravec
>            Assignee: Chuck Rolke
>              Labels: features
>         Attachments: ACLs-full-regexp.patch
> Currently ACL syntax supports in a property value either direct match ("name=RequestQueue")
> or a substring match ("name=tmp.*").
> That is not sufficient when authorizing access to topics. One particular example: amq.topic
> exchange receives messages with keys usa.sports, usa.news, europe.sports and europe.news.
> Currently we can not authorize access just to topics **.sports* and to *usa.* *
> As there exist different use cases where regular expressions are required in a, it is
> meaningful to support (full) regular expressions in ACL property values.
> Since qpid C++ broker already relies on boost libraries a lot, I suggest (in a patch
> proposed) using boost::regex library.
> I tested the attached patch on Fedora, not sure if other Linux distributions are familiar
> with the change in Makefile.am.