qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From GitBox <...@apache.org>
Subject [GitHub] [qpid-dispatch] ChugR opened a new pull request #540: DISPATCH-1388: Clarify policy restrictions defined by vhost objects
Date Thu, 18 Jul 2019 16:28:48 GMT
ChugR opened a new pull request #540: DISPATCH-1388: Clarify policy restrictions defined by
vhost objects
URL: https://github.com/apache/qpid-dispatch/pull/540
 
 
   State more clearly that policy restrictions are applied to client requests
   at network ingress only.
   
   As I read the document now it is unclear if a policy restriction defined
   by a vhost would be applied to a request originated at a distant point in
   the network. Suppose I have two vhosts, vhost1 and vhost2, and two users,
   Alice and Bob. Vhost policy is enabled for address "orders":
   
     |"orders" | vhost1 | vhost2 |
     +---------+--------+--------+
     | Alice   | allow  | deny   |
     | Bob     | deny   | allow  |
   
   If Alice creates a receiver for "orders" on vhost1 and Bob creates a
   sender for "orders" on vhost2 then the router network will Bob's
   sender to send messages to Alice's receiver. This is allowed even though
   user Alice is denied access to that address on vhost2 and user Bob
   is denied access on vhost1.
   
   There are separate namespaces for users on each vhost. What user Alice
   does on vhost1 is unaffected by the namespace restrictions applied to
   vhost2. Alice's identity is not propagated to vhost2 for subsequent
   authorization checks.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org


Mime
View raw message