qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Keith Wall (JIRA)" <j...@apache.org>
Subject [jira] [Created] (QPID-7935) [Java Broker] [ACL] Allow legacy ACL rule set to specify a default result of defer
Date Thu, 28 Sep 2017 16:06:02 GMT
Keith Wall created QPID-7935:
--------------------------------

             Summary: [Java Broker] [ACL] Allow legacy ACL rule set to specify a default result
of defer
                 Key: QPID-7935
                 URL: https://issues.apache.org/jira/browse/QPID-7935
             Project: Qpid
          Issue Type: Improvement
          Components: Java Broker
            Reporter: Keith Wall
             Fix For: qpid-java-broker-7.0.0


When access control providers are installed at both the Broker and VirtualHost, the one at
the VirtualHost needs to DEFER if no decision is made about an access decision.  This gives
the Broker's  access control provider the opportunity to make a decision instead.

Currently, the legacy ACL file format supports a CONFIG directive that allows the default
result of the ruleset to be configure to be {{ALLOW}} or {{DENY}}, but not {{DEFER}}.  If
no CONFIG directive is specified the default result is always {{DENY}}.

If the user is using RuleBasedVirtualHostAccessControlProvider#loadFromFile to populate their
virtualhost rule-set, the users has to additionally remember to reset the {{defaultResult}}
to {{DEFER}} otherwise the co-operation between Broker/VirtualHost will be broken.

If the legacy ACL file format were to allow a CONFIG value of DEFER, then this would eliminate
the extra step.

The suggested changes:

# Change the legacy ACL file format to allow CONFIG to specify a default result of DEFER.
# Improve AbstractCommonRuleBasedAccessControlProvider#extractRules to that it writes a CONFIG
directive within the default result, if it is not the default.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org


Mime
View raw message