qpid-dev mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DISPATCH-333) Add a chapter on policy to the Qpid Dispatch Router Book.
Date Fri, 02 Mar 2018 22:15:00 GMT

    [ https://issues.apache.org/jira/browse/DISPATCH-333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16384233#comment-16384233 ]

ASF GitHub Bot commented on DISPATCH-333:
-----------------------------------------

Github user bhardesty commented on a diff in the pull request:

    https://github.com/apache/qpid-dispatch/pull/255#discussion_r171977044
  
    --- Diff: doc/new-book/configuration-security.adoc ---
    @@ -412,3 +414,356 @@ listener {
     
     For more information about these attributes, see xref:adding_sasl_authentication_to_incoming_connection[].
     --
    +
    +== Authorizing Access to Messaging Resources
    +
    +You can restrict the number of user connections, and control access to AMQP messaging
resources by configuring _policies_.
    +
    +=== Types of Policies
    +
    +You can configure two different types of policies: _global policies_ and _vhost policies_.
    +
    +Global policies::
    +Settings for the router. A global policy defines the maximum number of incoming user
connections for the router (across all vhost policies), and defines how the router should
use vhost policies.
    +
    +Vhost policies::
    +Connection and AMQP resource limits for a messaging endpoint (called an AMQP virtual
host, or _vhost_). A vhost policy defines what a client can access on a messaging endpoint
over a particular connection.
    ++
    +[NOTE]
    +====
    +A vhost is typically the name of the host to which the client connection is directed.
For example, if a client application opens a connection to the `amqp://mybroker.example.com:5672/queue01`
URL, the vhost would be `mybroker.example.com`.
    +====
    +
    +The resource limits defined in global and vhost policies are applied to user connections
only. The limits do not affect inter-router connections or router connections that are outbound
to waypoints.
    +
    +=== How {RouterName} Applies Policies
    +
    +When a client connects to a router, the router determines whether to permit the connection
based on the global and vhost policies, and the following properties of the connection:
    +
    +* The host to which the connection is directed (the vhost)
    +* The connection's authenticated user name
    +* The host from which the client is connecting (the remote host)
    +
    +If the connection is permitted, then the router applies a vhost policy that matches the
vhost to which the connection is directed. The vhost policy limits are enforced for the lifetime
of the connection.
    +
    +=== Configuring Global Policies
    +
    +You can set the incoming connection limit for the router and define how it should use
vhost policies by configuring a global policy.
    +
    +.Procedure
    +
    +* In the router configuration file, add a `policy` section.
    ++
    +--
    +[options="nowrap",subs="+quotes"]
    +----
    +policy = {
    +    maxConnections: 10000  // <1>
    +    enableVhostPolicy: true  // <2>
    +    policyDir: /etc/qpid-dispatch/policies/  // <3>
    +    defaultVhost: $default  // <4>
    +}
    +----
    +<1> The maximum number of concurrent client connections allowed for this router.
This limit is always enforced, even if no other policy settings have been defined. The limit
is applied to all incoming connections regardless of remote host, authenticated user, or targeted
vhost. The default value is `65535`.
    +
    +<2> Enables the router to enforce the connection denials and resource limits defined
in the configured vhost policies. The default is `false`, which means that the router will
not enforce any vhost policies.
    ++
    +[NOTE]
    +====
    +Setting `enableVhostPolicy` to `false` improves the router's performance.
    +====
    +
    +<3> The absolute path to a directory that holds vhost policy definition files in
JSON format (`*.json`). The router processes all of the vhost policies in each JSON file that
is in this directory. For more information, see xref:configuring-vhost-policies-json[].
    +
    +<4> The name of the default vhost policy, which is applied to any connection for
which a vhost policy has not been configured. The default is `$default`. If `defaultVhost`
is not defined, then default vhost processing is disabled.
    +--
    +
    +=== Configuring Vhost Policies
    +
    +You configure vhost policies to define the connection limits and AMQP resource limits
for a messaging endpoint.
    +
    +A vhost policy consists of the following:
    +
    +* Connection limits
    ++
    +These limits control the number of users that can be connected to the vhost simultaneously.
    +
    +* User groups
    ++
    +A user group defines the messaging resources that the group members are permitted to
access. Each user group defines the following:
    +
    +** A set of users that can connect to the vhost (the group members)
    +** The remote hosts from which the group members may connect to the router network
    +** The AMQP resources that the group members are permitted to access on the vhost
    +
    +You can configure vhost policies directly in the router configuration file, or create
them as JSON files.
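Review bot: Callout `<1>` contradicts the scope statement earlier in the same hunk. The earlier paragraph says "The resource limits defined in global and vhost policies are applied to user connections only. The limits do not affect inter-router connections or router connections that are outbound to waypoints", but callout `<1>` says "The limit is applied to all incoming connections regardless of remote host, authenticated user, or targeted vhost." Readers sizing `maxConnections` need to know whether inter-router links count against it; suggest "The limit is applied to all incoming user connections regardless of remote host, authenticated user, or targeted vhost" (or, if inter-router connections really do count toward this one limit, say so explicitly and qualify the earlier "user connections only" sentence). Related: the NOTE under callout `<2>`, "Setting `enableVhostPolicy` to `false` improves the router's performance", reads as a recommendation on its own; since the preceding sentence already states that `false` means no vhost policy is enforced, consider folding the two together, e.g. "Setting `enableVhostPolicy` to `false` avoids the per-connection policy checks and improves performance, but no vhost connection denials or resource limits are enforced", so the trade-off is visible where the setting is chosen. Finally, `xref:configuring-vhost-policies-json[]` under callout `<3>` has no matching anchor in this hunk; confirm the target id exists in the section that follows, otherwise the book build will leave a dangling cross-reference.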
    --- End diff --
    
    Done.


> Add a chapter on policy to the Qpid Dispatch Router Book.
> ---------------------------------------------------------
>
>                 Key: DISPATCH-333
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-333
>             Project: Qpid Dispatch
>          Issue Type: Improvement
>          Components: Documentation
>    Affects Versions: 0.7.0
>            Reporter: Ganesh Murthy
>            Assignee: Ben Hardesty
>            Priority: Minor
>
> Add a new chapter containing details on how policy works and how to setup policy to the
Qpid Dispatch Router Book



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org

