qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (QPID-7935) [Java Broker] [ACL] Allow legacy ACL rule set to specify a default result of defer
Date Fri, 29 Sep 2017 09:27:02 GMT

    [ https://issues.apache.org/jira/browse/QPID-7935?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16185560#comment-16185560

ASF subversion and git services commented on QPID-7935:

Commit 16a186babfa8ec9383b247172e255dc6a2951346 in qpid-broker-j's branch refs/heads/master
from [~k-wall]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=16a186b ]

QPID-7935: [Java Broker] [ACL] Allow an ACL file format to convey a default result of DEFER

Changed AbstractCommonRuleBasedAccessControlProvider#extractRules to write a default decision
CONFIG directive if the decision is not the default.

Required so that a user may use extractRules -> edit -> loadFromFile without the loss
of the current default decision.

> [Java Broker] [ACL] Allow legacy ACL rule set to specify a default result of defer
> ----------------------------------------------------------------------------------
>                 Key: QPID-7935
>                 URL: https://issues.apache.org/jira/browse/QPID-7935
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>            Reporter: Keith Wall
> When access control providers are installed at both the Broker and VirtualHost, the one
at the VirtualHost needs to DEFER if no decision is made about an access decision.  This gives
the Broker's  access control provider the opportunity to make a decision instead.
> Currently, the legacy ACL file format supports a CONFIG directive that allows the default
result of the ruleset to be configured as {{ALLOW}} or {{DENY}}, but not {{DEFER}}.  If no
CONFIG directive is specified the default result is always {{DENY}}.
> If the user is using RuleBasedVirtualHostAccessControlProvider#loadFromFile to populate
their virtualhost rule-set, the users has to additionally remember to reset the {{defaultResult}}
to {{DEFER}} otherwise the co-operation between Broker/VirtualHost will be broken.
> If the legacy ACL file format were to allow a CONFIG directive specifying DEFER, then
this would eliminate the extra step.
> The suggested changes:
> # Change the legacy ACL file format to allow CONFIG to specify a default result of DEFER.
> # Improve AbstractCommonRuleBasedAccessControlProvider#extractRules to that it writes
a CONFIG directive within the default result, if it is not the default.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org

View raw message