qpid-dev mailing list archives

From Chug Rolke <cro...@redhat.com>
Subject Re: Review Request 64645: authorization support for sasl delegation plugin
Date Fri, 15 Dec 2017 21:41:48 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/64645/#review193976
-----------------------------------------------------------



This seems like a decent approach for starters.

It may have an issue when multiple vhosts come in to the router on the same port. All of the
connections then are sent to the same authServicePlugin authService port for authentication
and authz. In the current policy scheme the policy is decided later when the AMQP Open frame's
hostname field is used as the name of the vhost policy. Then the user name is looked up in
that vhost policy section.


tests/system_tests_authz_service_plugin.py
Lines 67 (patched)
<https://reviews.apache.org/r/64645/#comment272670>

    My system gets an error running authservice.py as the file is not in os.getcwd() but four levels of directory up. It works with

    cls.tester.popen([os.path.join(os.path.dirname(os.path.abspath(__file__)), 'authservice.py'),
                      '-a', '127.0.0.1:%d' % cls.auth_service_port, '-c', os.getcwd()],
                     expect=Process.RUNNING)

    and having 'chmod +x authservice.py'


- Chug Rolke


On Dec. 15, 2017, 6:20 p.m., Gordon Sim wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/64645/
> -----------------------------------------------------------
> 
> (Updated Dec. 15, 2017, 6:20 p.m.)
> 
> 
> Review request for qpid, Chug Rolke, Ganesh Murthy, and Ted Ross.
> 
> 
> Bugs: DISPATCH-901
>     https://issues.apache.org/jira/browse/DISPATCH-901
> 
> 
> Repository: qpid-dispatch
> 
> 
> Description
> -------
> 
> If the client specifies its desire for the ADDRESS-AUTHZ capability, the authorization
> service, if it supports this, will return a set of permissions in the properties of the open
> frame. The properties will have an address-authz key, whose value is a map of address (or
> wildcard pattern) to an array of permissions. The only permissions recognised at present by
> this patch are 'send' and 'recv'.
> 
> 
> Diffs
> -----
> 
>   src/policy.c 22cc79f 
>   src/remote_sasl.c e3c969b 
>   tests/CMakeLists.txt 0c6454c 
>   tests/authservice.py PRE-CREATION 
>   tests/system_tests_authz_service_plugin.py PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/64645/diff/2/
> 
> 
> Testing
> -------
> 
> Added new systems tests using proton python based dummy auth service.
> 
> 
> Thanks,
> 
> Gordon Sim
> 
>
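
The address-authz map from the quoted description, evaluated on the receiving side with a default-deny check; this is an added example, not code from the thread or from the qpid-dispatch patch. The function names, the sample map, the use of fnmatch-style globbing for the wildcard patterns, and the choice to drop unrecognised permission names are all assumptions of the example.

```python
from fnmatch import fnmatchcase

RECOGNISED = {"send", "recv"}  # the only permissions the patch description names

def parse_address_authz(open_properties):
    """Return {pattern: set(permissions)} from Open-frame properties, or None
    when the peer returned no address-authz entry (caller picks the fallback)."""
    raw = open_properties.get("address-authz")
    if raw is None:
        return None
    if not isinstance(raw, dict):
        raise ValueError("address-authz must be a map")
    rules = {}
    for pattern, perms in raw.items():
        if not isinstance(pattern, str) or not isinstance(perms, (list, tuple)):
            raise ValueError("bad address-authz entry: %r" % (pattern,))
        # Unrecognised permission names are dropped, never treated as a grant.
        rules[pattern] = {p for p in perms if p in RECOGNISED}
    return rules

def is_allowed(rules, address, action):
    """Default-deny: some pattern must match the address and list the action."""
    if action not in RECOGNISED or not rules:
        return False
    # ASSUMPTION: fnmatch globbing stands in for the router's wildcard syntax.
    return any(fnmatchcase(address, pattern) and action in perms
               for pattern, perms in rules.items())

# Constructed sample of what an auth service might place in the Open properties.
SAMPLE_OPEN_PROPERTIES = {
    "address-authz": {
        "orders": ["send"],
        "events.*": ["recv"],
        "admin": ["send", "recv", "manage"],  # 'manage' is not recognised
    }
}

if __name__ == "__main__":
    rules = parse_address_authz(SAMPLE_OPEN_PROPERTIES)
    for addr, act in [("orders", "send"), ("orders", "recv"),
                      ("events.eu", "recv"), ("billing", "send")]:
        print(addr, act, is_allowed(rules, addr, act))
```
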

