qpid-dev mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DISPATCH-1388) Authorization doc fails to describe vhost abstraction clearly
Date Fri, 19 Jul 2019 18:25:00 GMT

    [ https://issues.apache.org/jira/browse/DISPATCH-1388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16889084#comment-16889084 ]

ASF subversion and git services commented on DISPATCH-1388:
-----------------------------------------------------------

Commit ab665701376e34b0a1bc213010f902e778aa7028 in qpid-dispatch's branch refs/heads/master
from Charles E. Rolke
[ https://gitbox.apache.org/repos/asf?p=qpid-dispatch.git;h=ab66570 ]

DISPATCH-1388: Clarify policy restrictions defined by vhost objects

State more clearly that policy restrictions are applied to client requests
at network ingress only.

As I read the document now it is unclear if a policy restriction defined
by a vhost would be applied to a request originated at a distant point in
the network. Suppose I have two vhosts, vhost1 and vhost2, and two users,
Alice and Bob. Vhost policy is enabled for address "orders":

  |"orders" | vhost1 | vhost2 |
  +---------+--------+--------+
  | Alice   | allow  | deny   |
  | Bob     | deny   | allow  |

If Alice creates a receiver for "orders" on vhost1 and Bob creates a
sender for "orders" on vhost2 then the router network will allow Bob's
sender to send messages to Alice's receiver. This is allowed even though
user Alice is denied access to that address on vhost2 and user Bob
is denied access on vhost1.

There are separate namespaces for users on each vhost. What user Alice
does on vhost1 is unaffected by the namespace restrictions applied to
vhost2. Alice's identity is not propagated to vhost2 for subsequent
authorization checks.

This closes #540


> Authorization doc fails to describe vhost abstraction clearly
> -------------------------------------------------------------
>
>                 Key: DISPATCH-1388
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-1388
>             Project: Qpid Dispatch
>          Issue Type: Improvement
>          Components: Documentation
>    Affects Versions: 1.8.0
>            Reporter: Chuck Rolke
>            Assignee: Chuck Rolke
>            Priority: Major
>
> Security documentation misses an important point when describing policy and how policy
> is affected by vhost settings: Access policy is applied at the point of ingress to a router
> network. Once access is granted to a resource then all resources with that name anywhere in
> the network are accessible.
>
> Access restrictions are specified in a policy vhost object. The vhost contains the restrictions
> that get applied to a connection when the connection is established. Reading the doc it sounds
> as if there are vhost objects that may contain addresses somewhere in the router. That conceptual
> model is the issue in the doc that needs to be fixed.
>
> Methods for Specifying Vhost Policy Source and Target Addresses is a good example. In
> the table the first item is titled _Allow all users in the user group to access all source
> or target addresses on the vhost_ . In reality the addresses are not _on the vhost but are
> in the router network_.
>
> Throughout the document the text "on a vhost" could be changed to "through a vhost" or
> "specified by a vhost", or could be removed entirely.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
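
The ingress-only behaviour described in the commit message above can be modelled in a few lines. This is an added example, not code from qpid-dispatch or from the commit; the policy table, function names and link tuples are constructed for illustration, and the model simplifies real vhost policy (no user groups, no source/target distinction).

```python
# Constructed model: policy is a per-vhost allow list, checked only when a
# client attaches a link at its ingress vhost. All names are illustrative.
from itertools import product

# vhost -> user -> addresses the user may attach to (absent means deny)
POLICY = {
    "vhost1": {"alice": {"orders"}},
    "vhost2": {"bob": {"orders"}},
}

def ingress_allows(policy, vhost, user, address):
    """The only authorization check: made at the vhost the client connects through."""
    return address in policy.get(vhost, {}).get(user, set())

def attach(policy, links, vhost, user, role, address):
    """Attach a sender or receiver link; refused if ingress policy denies it."""
    if not ingress_allows(policy, vhost, user, address):
        return False
    links.append((vhost, user, role, address))
    return True

def deliveries(links):
    """Routing matches on address alone; no user identity travels with a message."""
    senders = [l for l in links if l[2] == "sender"]
    receivers = [l for l in links if l[2] == "receiver"]
    return [(s, r) for s, r in product(senders, receivers) if s[3] == r[3]]

def cross_vhost_flows(policy, links):
    """Audit: flows that a reader of the per-vhost table might expect to be
    blocked, because one end's user is denied at the other end's vhost."""
    flagged = []
    for s, r in deliveries(links):
        if not ingress_allows(policy, s[0], r[1], r[3]) or \
           not ingress_allows(policy, r[0], s[1], s[3]):
            flagged.append((f"{s[1]}@{s[0]}", f"{r[1]}@{r[0]}", s[3]))
    return flagged

def demo():
    links = []
    results = [
        attach(POLICY, links, "vhost1", "alice", "receiver", "orders"),
        attach(POLICY, links, "vhost2", "bob", "sender", "orders"),
        attach(POLICY, links, "vhost2", "alice", "receiver", "orders"),  # denied at ingress
    ]
    return results, cross_vhost_flows(POLICY, links)

if __name__ == "__main__":
    print(demo())
```

The audit function lists every flow that crosses a per-vhost deny entry, which is the set of paths to review when a deny is meant to isolate an address network-wide rather than only at one ingress point.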

