qpid-dev mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DISPATCH-1067) Doc improvements for router policies
Date Fri, 13 Jul 2018 21:16:00 GMT

    [ https://issues.apache.org/jira/browse/DISPATCH-1067?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16543724#comment-16543724
] 

ASF GitHub Bot commented on DISPATCH-1067:
------------------------------------------

Github user ChugR commented on a diff in the pull request:

    https://github.com/apache/qpid-dispatch/pull/342#discussion_r202471950
  
    --- Diff: docs/books/user-guide/configuration-security.adoc ---
    @@ -417,290 +417,367 @@ For more information about these attributes, see xref:adding-sasl-authentication
     
     == Authorizing Access to Messaging Resources
     
    -You can restrict the number of user connections, and control access to AMQP messaging
resources by configuring _policies_.
    +You can configure _policies_ to secure messaging resources in your messaging environment.
Policies ensure that only authorized users can access messaging endpoints through the router
network, and that the resources on those endpoints are used in an authorized way.
     
    -=== Types of Policies
    -
    -You can configure two different types of policies: _global policies_ and _vhost policies_.
    +{RouterName} provides the following types of policies:
     
     Global policies::
    -Settings for the router. A global policy defines the maximum number of incoming user
connections for the router (across all vhost policies), and defines how the router should
use vhost policies.
    +Settings for the router. A global policy defines the maximum number of incoming user
connections for the router (across all messaging endpoints), and defines how the router should
use vhost policies.
     
     Vhost policies::
    -Connection and AMQP resource limits for a messaging endpoint (called an AMQP virtual
host, or _vhost_). A vhost policy defines what a client can access on a messaging endpoint
over a particular connection.
    -+
    -[NOTE]
    -====
    -A vhost is typically the name of the host to which the client connection is directed.
For example, if a client application opens a connection to the `amqp://mybroker.example.com:5672/queue01`
URL, the vhost would be `mybroker.example.com`.
    -====
    +Connection and AMQP resource limits for a messaging endpoint (called an AMQP virtual
host, or vhost). A vhost policy defines what a client can access on a messaging endpoint over
a particular connection.
     
     The resource limits defined in global and vhost policies are applied to user connections
only. The limits do not affect inter-router connections or router connections that are outbound
to waypoints.
     
    -=== How {RouterName} Applies Policies
    +=== How {RouterName} Enforces Connection and Resource Limits
     
    -{RouterName} uses both global and vhost policies to determine whether to permit a connection,
and if it is permitted, to apply the appropriate resource limits.
    +{RouterName} uses policies to determine whether to permit a connection, and if it is
permitted, to apply the appropriate resource limits.
     
     When a client creates a connection to the router, the router first determines whether
to allow or deny the connection. This decision is based on the following criteria:
     
    -* Whether the connection will exceed the router's global connection limit (defined in
the global policy)
    -* Whether the connection will exceed the vhost's connection limits (defined in the vhost
policy that matches the host to which the connection is directed)
    +* Whether the connection will exceed the router’s global connection limit (defined
in the global policy)
     
    -If the connection is allowed, the router assigns the user (the authenticated user name
from the connection) to a user group, and enforces the user group's resource limits for the
lifetime of the connection.
    +* Whether the connection will exceed the vhost’s connection limits (defined in the
vhost policy that matches the host to which the connection is directed)
     
    -=== Configuring Global Policies
    +If the connection is allowed, the router assigns the user (the authenticated user name
from the connection) to a user group, and enforces the user group’s resource limits for
the lifetime of the connection.
     
    -You can set the incoming connection limit for the router and define how it should use
vhost policies by configuring a global policy.
    +=== Setting Global Connection Limits
    +
    +You can set the incoming connection limit for the router. This limit defines the total
number of concurrent client connections that can be open for this router.
     
     .Procedure
     
    -* In the router configuration file, add a `policy` section.
    +* In the router configuration file, add a `policy` section and set the `maxConnections`.
     +
     --
     [options="nowrap",subs="+quotes"]
     ----
    -policy = {
    -    maxConnections: 10000  // <1>
    -    enableVhostPolicy: true  // <2>
    -    policyDir: /etc/qpid-dispatch/policies/  // <3>
    -    defaultVhost: $default  // <4>
    +policy {
    +    maxConnections: 10000
     }
     ----
    -<1> The maximum number of concurrent client connections allowed for this router.
This limit is always enforced, even if no other policy settings have been defined. The limit
is applied to all incoming connections regardless of remote host, authenticated user, or targeted
vhost. The default (and the maximum) value is `65535`.
    +`maxConnections`::
    +This limit is always enforced, even if no other policy settings have been defined. The
limit is applied to all incoming connections regardless of remote host, authenticated user,
or targeted vhost. The default (and the maximum) value is `65535`.
    +--
    +
    +=== Setting Connection and Resource Limits for Messaging Endpoints
    +
    +You can define the connection limit and AMQP resource limits for a messaging endpoint
by configuring a _vhost policy_. Vhost policies define what clients can access on a messaging
endpoint over a particular connection. 
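    Review bot: Dropping the `[NOTE]` block that explained how the vhost is derived from the connection (the `amqp://mybroker.example.com:5672/queue01` example resolving to `mybroker.example.com`) leaves the later criterion "the vhost policy that matches the host to which the connection is directed" without any definition of what that host is; consider folding that example into the rewritten "Vhost policies::" entry rather than removing it. In the same hunk, the `policy` example loses the `enableVhostPolicy`, `policyDir` and `defaultVhost` settings together with their callouts, and nothing in this hunk says where those attributes are now documented, so the "Setting Global Connection Limits" section should at least cross-reference the section that covers them, since `enableVhostPolicy` controls whether the vhost limits described in the next section are enforced at all.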
    --- End diff --
    
    The second sentence would be clearer as "Vhost policies define what resources clients
are permitted to access on a messaging endpoint over a particular connection."


> Doc improvements for router policies
> ------------------------------------
>
>                 Key: DISPATCH-1067
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-1067
>             Project: Qpid Dispatch
>          Issue Type: Improvement
>          Components: Documentation
>    Affects Versions: 1.2.0
>            Reporter: Ben Hardesty
>            Assignee: Ben Hardesty
>            Priority: Major
>
> The router policy doc needs to be updated to cover the following enhancements:
>  * Patterns for policy hostnames (DISPATCH-990)
>  * New policy config attributes (DISPATCH-976)
>  * Policy username substitution improvements (DISPATCH-1011)
>  * Allow vhost policies to be configured in the router configuration file (DISPATCH-1013)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


