qpid-dev mailing list archives

From ChugR <...@git.apache.org>
Subject [GitHub] qpid-dispatch pull request #255: DISPATCH-333: Create new router policies do...
Date Fri, 02 Mar 2018 15:52:16 GMT
Github user ChugR commented on a diff in the pull request:

    https://github.com/apache/qpid-dispatch/pull/255#discussion_r171883800
  
    --- Diff: doc/new-book/configuration-security.adoc ---
    @@ -412,3 +414,356 @@ listener {
     
     For more information about these attributes, see xref:adding_sasl_authentication_to_incoming_connection[].
     --
    +
    +== Authorizing Access to Messaging Resources
    +
    +You can restrict the number of user connections, and control access to AMQP messaging
resources by configuring _policies_.
    +
    +=== Types of Policies
    +
    +You can configure two different types of policies: _global policies_ and _vhost policies_.
    +
    +Global policies::
    +Settings for the router. A global policy defines the maximum number of incoming user
connections for the router (across all vhost policies), and defines how the router should
use vhost policies.
    +
    +Vhost policies::
    +Connection and AMQP resource limits for a messaging endpoint (called an AMQP virtual
host, or _vhost_). A vhost policy defines what a client can access on a messaging endpoint
over a particular connection.
    ++
    +[NOTE]
    +====
    +A vhost is typically the name of the host to which the client connection is directed.
For example, if a client application opens a connection to the `amqp://mybroker.example.com:5672/queue01`
URL, the vhost would be `mybroker.example.com`.
    +====
    +
    +The resource limits defined in global and vhost policies are applied to user connections
only. The limits do not affect inter-router connections or router connections that are outbound
to waypoints.
    +
    +=== How {RouterName} Applies Policies
    +
    +When a client connects to a router, the router determines whether to permit the connection
based on the global and vhost policies, and the following properties of the connection:
    +
    +* The host to which the connection is directed (the vhost)
    +* The connection's authenticated user name
    +* The host from which the client is connecting (the remote host)
    +
    +If the connection is permitted, then the router applies a vhost policy that matches the
vhost to which the connection is directed. The vhost policy limits are enforced for the lifetime
of the connection.
    +
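Review bot: The "How {RouterName} Applies Policies" section (the lines beginning "If the connection is permitted, then the router applies a vhost policy that matches the vhost") never says what happens when no vhost policy matches the vhost the connection is directed to, or when the connection carries no vhost name at all; a reader setting up policies for the first time needs to know whether such a connection is rejected or falls through to some default behaviour. Suggest adding one sentence covering that case after "The vhost policy limits are enforced for the lifetime of the connection.", with the actual behaviour filled in. It would also help to note beside the bullet "The connection's authenticated user name" that this property is only meaningful when the listener requires SASL authentication (the xref to adding_sasl_authentication_to_incoming_connection just above the hunk is the natural place to point), since per-user limits cannot be relied on for unauthenticated connections.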
    --- End diff --
    
    This description is correct but it glosses over some of the structure within a vhost policy.
In a vhost policy maxConnections, maxConnectionsPerUser, maxConnectionsPerHost, and allowUnknownUser
are common for all users. Then based on the user name the vhost policy assigns the remaining
policy settings (vhostUserGroupSettings). Users who connect to a given vhost may receive different
settings based on what user group the user is assigned.

