qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (QPID-4123) C++ Broker Acl creates too many run-time rules
Date Wed, 23 Jul 2014 17:03:38 GMT

    [ https://issues.apache.org/jira/browse/QPID-4123?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14071965#comment-14071965

ASF subversion and git services commented on QPID-4123:

Commit 1612874 from chug@apache.org in branch 'qpid/trunk'
[ https://svn.apache.org/r1612874 ]

QPID-4123: C++ Broker ACL creates too many rules

Recent changes have added new tables to define what
are ACL lookups and their properties. This commit
finishes that work by not propagating rules that
will never match. Also, it completes the scaffolding
for allowed and denied host lists to be fully 
integrated. This commit:

* Adds startup logging of ACL validation tables
  with cross references to possible rule matches.
* Hooks the ACL host allow/deny connection lists
  into self test.
* Fixes self tests that get broken by proper rule
  table handling.
* Introduces a 'create connection' decision mode
  similar to ACL rule decision mode.
* Describes it all in doc book.

> C++ Broker Acl creates too many run-time rules
> ----------------------------------------------
>                 Key: QPID-4123
>                 URL: https://issues.apache.org/jira/browse/QPID-4123
>             Project: Qpid
>          Issue Type: Improvement
>          Components: C++ Broker
>    Affects Versions: 0.16
>            Reporter: Chuck Rolke
>            Assignee: Chuck Rolke
>            Priority: Minor
>             Fix For: Future
> The Acl module creates a table rules in a two dimensional array. The typical reference
to this table is: actionList[action][objType].
> When an Acl rule from the file is processed and the action or objType is '*' then the
rule is propagated into the actionList table at every row or column even when the action/object
pair will never be references.
> For example a rule such as
>  acl allow bob publish * name=X routingkey=a.b.c
> will put the rule into publish/queue, publish/exchange, publish/broker, etc. even when
only publish/exchange will ever be referenced.
> In AclModule.h a validationMap is created that identifies which intersections in the
actionList are ever used but this map is not used.
> With 5 objects and 9 actions there are 45 actionList entries. Of these only 13 are ever
referenced for authorise lookups.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org

View raw message