qpid-dev mailing list archives

From "Chuck Rolke (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (QPID-3892) ACLs shall support full regular expressions in property values
Date Wed, 14 Mar 2012 15:18:39 GMT

    [ https://issues.apache.org/jira/browse/QPID-3892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13229252#comment-13229252 ]

Chuck Rolke commented on QPID-3892:
-----------------------------------

Pavel Moravec has suggested changing the C++ Broker ACL syntax to use regular expressions.
I think this is a great idea as it addresses a missing functionality in the current ACL wildcard
syntax. I would like to elaborate on his proposal.

Plugging in his suggestion is not so straightforward:
1. It breaks the current ACL specifications.
   name=tmp* would match "tm", "tmp", and "tmpp" but not "tmp2".
2. It requires a regex library such as boost::regex.

I propose to include regular expressions in the ACL property values match by:

1. Adding a new keyword to the ACL file to control regex matching.
{noformat}
matchregex on
matchregex off
{noformat}

   * This defaults to off and current ACL files are processed exactly as before.
   * Whenever 'matchregex on' happens in the ACL file then subsequent rules are processed with the property value strings being regex match strings and not plain text strings.
   * Regex matching can be turned off again with 'matchregex off'.

2. Boost_regex is added as a dependency for acl.so. I know that there has been activity not
so long ago to get rid of boost_regex. However the need for more complex property value match
specifications is acute. 

My GCC 4.6.2 has a <tr1/regex> for compilation but it does not link so that's no good.
Are there better alternatives? 

Example:

An enterprise customer may wish to use:

{noformat}
acl allow dev bind exchange name=Price routingkey=Price.*.*.* queuename=TempQueue*
{noformat}


This is impossible to specify today. With regex processing the same customer could use:

{noformat}
matchregex on
acl allow dev bind exchange name=Price routingkey=Price\..*\..*\..* queuename=TempQueue.*
{noformat}

I'll complete these changes and put them up to Review Board.

-Chuck

                
> ACLs shall support full regular expressions in property values
> --------------------------------------------------------------
>
>                 Key: QPID-3892
>                 URL: https://issues.apache.org/jira/browse/QPID-3892
>             Project: Qpid
>          Issue Type: Improvement
>          Components: C++ Broker
>    Affects Versions: 0.14
>            Reporter: Pavel Moravec
>            Assignee: Chuck Rolke
>              Labels: features
>         Attachments: ACLs-full-regexp.patch
>
>
> Currently ACL syntax supports in a property value either direct match ("name=RequestQueue") or a substring match ("name=tmp.*").
> That is not sufficient when authorizing access to topics. One particular example: amq.topic exchange receives messages with keys usa.sports, usa.news, europe.sports and europe.news. Currently we can not authorize access just to topics **.sports* and to *usa.* *
> As there exist different use cases where regular expressions are required in a, it is meaningful to support (full) regular expressions in ACL property values.
> Since qpid C++ broker already relies on boost libraries a lot, I suggest (in a patch proposed) using boost::regex library.
> I tested the attached patch on Fedora, not sure if other Linux distributions are familiar with the change in Makefile.am.
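
The compatibility break in point 1 of the comment and the proposed `matchregex on`/`matchregex off` toggle, as an added C++ example that is not taken from the attached patch or the Qpid source. It assumes the legacy wildcard is a single trailing `*` meaning prefix match, uses `std::regex` in place of `boost::regex`, and reads bare value patterns rather than full `acl` rule lines; `ValuePattern`, `legacyMatch`, `regexMatch`, `matches` and `parse` are hypothetical names.

```cpp
#include <regex>
#include <sstream>
#include <string>
#include <vector>

// A property-value pattern and the matching mode in force when it was read.
struct ValuePattern { std::string text; bool isRegex; };

// Legacy mode (assumed): literal compare, or prefix compare when the pattern
// ends in one trailing '*'.
bool legacyMatch(const std::string& pat, const std::string& value) {
    if (!pat.empty() && pat.back() == '*')
        return value.compare(0, pat.size() - 1, pat, 0, pat.size() - 1) == 0;
    return pat == value;
}

// Regex mode: the pattern must cover the whole value (regex_match, not
// regex_search), otherwise "usa\..*" would also authorize "xusa.news".
// A malformed pattern never matches, so a bad rule fails closed.
bool regexMatch(const std::string& pat, const std::string& value) {
    try {
        return std::regex_match(value, std::regex(pat));
    } catch (const std::regex_error&) {
        return false;
    }
}

bool matches(const ValuePattern& p, const std::string& value) {
    return p.isRegex ? regexMatch(p.text, value) : legacyMatch(p.text, value);
}

// Reads constructed ACL-like lines: "matchregex on|off" switches the mode for
// the patterns that follow; any other non-empty line is one value pattern.
std::vector<ValuePattern> parse(const std::string& aclText) {
    std::vector<ValuePattern> out;
    std::istringstream in(aclText);
    std::string line;
    bool regexOn = false;  // defaults to off, so existing files behave as before
    while (std::getline(in, line)) {
        if (line == "matchregex on") regexOn = true;
        else if (line == "matchregex off") regexOn = false;
        else if (!line.empty()) out.push_back({line, regexOn});
    }
    return out;
}
```

The same text `tmp*` authorizes different names depending on the mode in force, which is why the toggle defaults to off.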
