qpid-dev mailing list archives

From "Chug Rolke" <cro...@redhat.com>
Subject Review Request 23447: Improve C++ Broker acl validation table
Date Sun, 13 Jul 2014 13:33:02 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/23447/
-----------------------------------------------------------

Review request for qpid.


Bugs: QPID-5890
    https://issues.apache.org/jira/browse/QPID-5890


Repository: qpid


Description
-------

The last step to completing QPID-5890 is flushing the AclHelper::loadValidationMap (ugh!)
function and rewriting it in AclValidator.cpp to be comprehensible, maintainable, and possibly
correct.

The new scheme has these features:

* Tables indexed by [action][object] contain the set of properties allowed.
** Property: holds the values that the broker sends to Acl for authorise().
** SpecProperty: holds the values an Acl file may contain. This mostly matches the Property
table except where a Property value (like maxpages) becomes an upper and lower limit in the
Acl world.
* The index table construction consists of a series of calls containing [calling-function,
action, object, allowed-properties] 
** Example: registerProperty("Broker::bind", ACT_BIND, OBJ_EXCHANGE, "queuename routingkey");
** The table is constructed by manually examining all the authorise() call sites and putting
the registration call together. Future work could generate this automatically but that's probably
more work than it's worth.

A great fringe benefit of this scheme is that a simple set of QPID_LOG statements can go into
these tables and their constructors and harvest information. Please see QPID-5890 for a comment
showing:
* Acl call sites
* For each action-object pair which properties are allowed
* For each property which action-object pairs allow it


Diffs
-----

  trunk/qpid/cpp/src/qpid/acl/AclLexer.h 1609833 
  trunk/qpid/cpp/src/qpid/acl/AclLexer.cpp 1609833 
  trunk/qpid/cpp/src/qpid/acl/AclReader.cpp 1609833 
  trunk/qpid/cpp/src/qpid/acl/AclValidator.h 1609833 
  trunk/qpid/cpp/src/qpid/acl/AclValidator.cpp 1609833 

Diff: https://reviews.apache.org/r/23447/diff/


Testing
-------

passes self and unit tests
compiles on Windows


Thanks,

Chug Rolke
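
A minimal sketch of the table scheme described in this message, added here as an illustration; it is not code from the review request or from Qpid. Only the registerProperty argument shape and the Broker::bind registration come from the description. The enum sizes, the class name, ruleIsValid, pairsAllowing, the second registration and the policy of rejecting unregistered action/object pairs are assumptions.

```cpp
// Added example, not Qpid source. Only the registerProperty argument shape is
// from the description; the enums, class and other names are assumptions.
#include <cstddef>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <utility>
#include <vector>
enum Action { ACT_BIND, ACT_CREATE, ACT_COUNT };
enum ObjectType { OBJ_EXCHANGE, OBJ_QUEUE, OBJ_COUNT };
typedef std::pair<Action, ObjectType> Key;
class ValidationTable {
public:
    // One call per authorise() call site; fills the table and a reverse index.
    void registerProperty(const std::string& site, Action a, ObjectType o, const std::string& props) {
        std::istringstream in(props);
        std::string p;
        while (in >> p) { allowed[a][o].insert(p); reverse[p].insert(Key(a, o)); }
        sites[Key(a, o)].push_back(site);
    }
    // Valid only if the pair was registered (assumed policy) and every
    // property the rule names is in that pair's allowed set.
    bool ruleIsValid(Action a, ObjectType o, const std::vector<std::string>& ruleProps) const {
        if (sites.find(Key(a, o)) == sites.end()) return false;
        for (std::size_t i = 0; i < ruleProps.size(); ++i)
            if (allowed[a][o].count(ruleProps[i]) == 0) return false;
        return true;
    }
    // Reverse lookup: the action/object pairs that accept this property.
    std::set<Key> pairsAllowing(const std::string& prop) const {
        std::map<std::string, std::set<Key> >::const_iterator it = reverse.find(prop);
        return it == reverse.end() ? std::set<Key>() : it->second;
    }
private:
    std::set<std::string> allowed[ACT_COUNT][OBJ_COUNT];
    std::map<std::string, std::set<Key> > reverse;
    std::map<Key, std::vector<std::string> > sites;
};

ValidationTable sampleTable() {
    ValidationTable t;
    t.registerProperty("Broker::bind", ACT_BIND, OBJ_EXCHANGE, "queuename routingkey");
    t.registerProperty("Example::create", ACT_CREATE, OBJ_QUEUE, "durable maxpages"); // constructed
    return t;
}

int main() {
    std::vector<std::string> props(1, "routingkey");
    return sampleTable().ruleIsValid(ACT_BIND, OBJ_EXCHANGE, props) ? 0 : 1;
}
```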

