qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alex Rudyy (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (QPID-7246) Make ACL module realm aware
Date Mon, 04 Jun 2018 10:03:00 GMT

     [ https://issues.apache.org/jira/browse/QPID-7246?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Alex Rudyy updated QPID-7246:
-----------------------------
    Fix Version/s:     (was: qpid-java-broker-7.1.0)
                   Future

> Make ACL module realm aware
> ---------------------------
>
>                 Key: QPID-7246
>                 URL: https://issues.apache.org/jira/browse/QPID-7246
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>            Reporter: Keith Wall
>            Priority: Major
>             Fix For: Future
>
>
> Make the existing ACL module realm aware.
> The parser will need to be adapted to accept realm qualified user/group names.  Currently
some symbols, such as the {{=}} and {{/}} within X500 realms will choke the parser.  Perhaps
insisting that the name is quoted will help?
> Change RuleSet#isRelevant() so that applicability of the rule is considers realm in addition
to the Principal's name.
> In order to ease upgrade, to allow existing ACL rules files to contain to work without
change, it may be better to allow an instance of AccessControl to be associated with a default
authentication provider and default group provider.  If the ACL rule is written in term of
of the identity without realm, the authorisation engine would fallback to either of the two
associated providers,  thus a rule {{ACL ALLOW 'fred'...}} would be treated as if it were
{{ACL ALLOW 'fred@ldap.example.com'}}.  At configuration upgrade time, if there is a singleton
authentication provider and singleton group provider, these would be associated with the Access
Control Provider automatically.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org


Mime
View raw message