You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "Aidan Skinner (JIRA)" <qp...@incubator.apache.org> on 2009/01/15 17:30:59 UTC
[jira] Created: (QPID-1583) IP White/Black lists for virtual hosts
IP White/Black lists for virtual hosts
--------------------------------------
Key: QPID-1583
URL: https://issues.apache.org/jira/browse/QPID-1583
Project: Qpid
Issue Type: New Feature
Components: Java Broker
Affects Versions: M5
Reporter: Aidan Skinner
Assignee: Aidan Skinner
Fix For: M5
Having white/black lists for connecting to a virtual host would be useful.
Questions:
- need to provide an easy way for operate to maintain, secure & backup this list
- should consider what to do if there file/props etc for this are corrupt/format wrong
- if possible, the security filtering this provides should be part of a potential chain of access REDUCING plugins so that this is easy to drop in and teams can potentially write their own reducing filter class and use abstraction to define in config for broker
- needs to be at vhost level, and potentially at queue level ?
------------
Explicit allow/deny lists of connection patterns on virtualhosts in config.xml, existing ACL infrastructure for entities below that.
Pattern would be one of:
IP address
CIDR mask
regexp on hostname
Changes would not be possible while broker was running, the file would need to be editted and then the broker restarted. This avoids the necessity to consider what happens to existing connections which would be excluded by a new rule. Errors in configuration would prevent broker startup.
Implementation wise, a new IPRestriction class would extend ACLPlugin which listens for ConnectionOpen and checks against the list of rules.
AMQProtocolSession needs to expose access to the underlying socket.
---
We may need to reconsider allowing changes to the lists while the broker is running. It would probably imply storing these outwith the main configuration file and instead having something else, potentially a properties file, which could be editted by the broker as it runs.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (QPID-1583) IP White/Black lists for virtual
hosts
Posted by "Aidan Skinner (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-1583?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12666194#action_12666194 ]
Aidan Skinner commented on QPID-1583:
-------------------------------------
OK, a simpler approach which aovids problems with rule precedence could be adding a <whitelist default-action="[allow|deny]"></whitelist> element to the config file.
Elements inside <whitelist> would be <rule> or <include file="[path"]/>. <include> would read the file specified at path, which would contain an <external-whitelist host="hostname"/>. <external-whitelist> would validate it's hostname against the host attribute and cause a fatal error on startup if it did not match. <external-whitelist> would contain further <rule> entries, but not <include>.
<rule> would have action, virtualhost, hostname and network attributes. Action and one of host or network would be mandatory. Virtualhost would be optional, if specified it would match one of the virtualhosts. The action attribute would be either allow or deny. host would be a regexp against which it would match the reverse dns lookup of the connecting IP. network would be a CIDR against which the IP would be matched.
The first <rule> which matched the connection would apply. If no rules applied, the default-action would apply.
Example:
<whitelist default-action="deny">
<rule action="allow" hostname="*.qpid.apache.org" virtualhost="dev"/>
<include file="/path/to/file" />
<rule action="allow" network="192.168.1.0/24" />
<rule action="allow" network="10.0.0.0/8" />
</whitelist>
<external-whitelist> <!-- in /path/to/file -->
<rule action="deny" newtork="192.168.1.0/24" virtualhost="prod"/>
</external-whitelist>
any machine in the qpid.apache.org domain could access dev.
Any machine in the 192.168.1.0/24 network would be allowed access to any virtualhost other than prod
Any machine in the 10.0.0.0/8 network would be allowed access to any virtual host
Any other machine would be denied access.
> IP White/Black lists for virtual hosts
> --------------------------------------
>
> Key: QPID-1583
> URL: https://issues.apache.org/jira/browse/QPID-1583
> Project: Qpid
> Issue Type: New Feature
> Components: Java Broker
> Affects Versions: M5
> Reporter: Aidan Skinner
> Assignee: Aidan Skinner
> Fix For: M5
>
>
> Having white/black lists for connecting to a virtual host would be useful.
> Questions:
> - need to provide an easy way for operate to maintain, secure & backup this list
> - should consider what to do if there file/props etc for this are corrupt/format wrong
> - if possible, the security filtering this provides should be part of a potential chain of access REDUCING plugins so that this is easy to drop in and teams can potentially write their own reducing filter class and use abstraction to define in config for broker
> - needs to be at vhost level, and potentially at queue level ?
> ------------
> Explicit allow/deny lists of connection patterns on virtualhosts in config.xml, existing ACL infrastructure for entities below that.
> Pattern would be one of:
> IP address
> CIDR mask
> regexp on hostname
> Changes would not be possible while broker was running, the file would need to be editted and then the broker restarted. This avoids the necessity to consider what happens to existing connections which would be excluded by a new rule. Errors in configuration would prevent broker startup.
> Implementation wise, a new IPRestriction class would extend ACLPlugin which listens for ConnectionOpen and checks against the list of rules.
> AMQProtocolSession needs to expose access to the underlying socket.
> ---
> We may need to reconsider allowing changes to the lists while the broker is running. It would probably imply storing these outwith the main configuration file and instead having something else, potentially a properties file, which could be editted by the broker as it runs.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
[jira] Commented: (QPID-1583) IP White/Black lists for virtual
hosts
Posted by "Aidan Skinner (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-1583?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12665805#action_12665805 ]
Aidan Skinner commented on QPID-1583:
-------------------------------------
<virtualhost>
<name>test</name>
<test>
<access>
<allow>
<network>192.168.1.0/24</network><!-- allow all machines in 192.168.1.0-192.168.1.255 -->
<host>*.qpid.apache.org</host><!-- allow all machines in the qpid.apache.org domain -->
</allow>
<deny>
<network>10.0.0.0/8</network><!-- deny all machines in 10.0.0.0-10.255.255.255 -->
<host>[^a]*.qpid.apache.org</host><!-- deny all machines in the qpid.apache.org domain that don't start with an a -->
</deny>
</access>
<queues>
<queue>
<name>example</name>
</queue>
</queues>
</test>
<virtualhost>
> IP White/Black lists for virtual hosts
> --------------------------------------
>
> Key: QPID-1583
> URL: https://issues.apache.org/jira/browse/QPID-1583
> Project: Qpid
> Issue Type: New Feature
> Components: Java Broker
> Affects Versions: M5
> Reporter: Aidan Skinner
> Assignee: Aidan Skinner
> Fix For: M5
>
>
> Having white/black lists for connecting to a virtual host would be useful.
> Questions:
> - need to provide an easy way for operate to maintain, secure & backup this list
> - should consider what to do if there file/props etc for this are corrupt/format wrong
> - if possible, the security filtering this provides should be part of a potential chain of access REDUCING plugins so that this is easy to drop in and teams can potentially write their own reducing filter class and use abstraction to define in config for broker
> - needs to be at vhost level, and potentially at queue level ?
> ------------
> Explicit allow/deny lists of connection patterns on virtualhosts in config.xml, existing ACL infrastructure for entities below that.
> Pattern would be one of:
> IP address
> CIDR mask
> regexp on hostname
> Changes would not be possible while broker was running, the file would need to be editted and then the broker restarted. This avoids the necessity to consider what happens to existing connections which would be excluded by a new rule. Errors in configuration would prevent broker startup.
> Implementation wise, a new IPRestriction class would extend ACLPlugin which listens for ConnectionOpen and checks against the list of rules.
> AMQProtocolSession needs to expose access to the underlying socket.
> ---
> We may need to reconsider allowing changes to the lists while the broker is running. It would probably imply storing these outwith the main configuration file and instead having something else, potentially a properties file, which could be editted by the broker as it runs.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
[jira] Commented: (QPID-1583) IP White/Black lists for virtual
hosts
Posted by "Aidan Skinner (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-1583?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12669921#action_12669921 ]
Aidan Skinner commented on QPID-1583:
-------------------------------------
This is written up a bit more fully at http://qpid.apache.org/ip-whitelisting.html
> IP White/Black lists for virtual hosts
> --------------------------------------
>
> Key: QPID-1583
> URL: https://issues.apache.org/jira/browse/QPID-1583
> Project: Qpid
> Issue Type: New Feature
> Components: Java Broker
> Affects Versions: M5
> Reporter: Aidan Skinner
> Assignee: Aidan Skinner
> Fix For: M5
>
>
> Having white/black lists for connecting to a virtual host would be useful.
> Questions:
> - need to provide an easy way for operate to maintain, secure & backup this list
> - should consider what to do if there file/props etc for this are corrupt/format wrong
> - if possible, the security filtering this provides should be part of a potential chain of access REDUCING plugins so that this is easy to drop in and teams can potentially write their own reducing filter class and use abstraction to define in config for broker
> - needs to be at vhost level, and potentially at queue level ?
> ------------
> Explicit allow/deny lists of connection patterns on virtualhosts in config.xml, existing ACL infrastructure for entities below that.
> Pattern would be one of:
> IP address
> CIDR mask
> regexp on hostname
> Changes would not be possible while broker was running, the file would need to be editted and then the broker restarted. This avoids the necessity to consider what happens to existing connections which would be excluded by a new rule. Errors in configuration would prevent broker startup.
> Implementation wise, a new IPRestriction class would extend ACLPlugin which listens for ConnectionOpen and checks against the list of rules.
> AMQProtocolSession needs to expose access to the underlying socket.
> ---
> We may need to reconsider allowing changes to the lists while the broker is running. It would probably imply storing these outwith the main configuration file and instead having something else, potentially a properties file, which could be editted by the broker as it runs.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
[jira] Commented: (QPID-1583) IP White/Black lists for virtual
hosts
Posted by "Aidan Skinner (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-1583?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12666564#action_12666564 ]
Aidan Skinner commented on QPID-1583:
-------------------------------------
When doing this it's important to remember to set the networkaddress.cache.ttl property since java will cache forever otherwise and ignore the ttl that's on the record itself.
> IP White/Black lists for virtual hosts
> --------------------------------------
>
> Key: QPID-1583
> URL: https://issues.apache.org/jira/browse/QPID-1583
> Project: Qpid
> Issue Type: New Feature
> Components: Java Broker
> Affects Versions: M5
> Reporter: Aidan Skinner
> Assignee: Aidan Skinner
> Fix For: M5
>
>
> Having white/black lists for connecting to a virtual host would be useful.
> Questions:
> - need to provide an easy way for operate to maintain, secure & backup this list
> - should consider what to do if there file/props etc for this are corrupt/format wrong
> - if possible, the security filtering this provides should be part of a potential chain of access REDUCING plugins so that this is easy to drop in and teams can potentially write their own reducing filter class and use abstraction to define in config for broker
> - needs to be at vhost level, and potentially at queue level ?
> ------------
> Explicit allow/deny lists of connection patterns on virtualhosts in config.xml, existing ACL infrastructure for entities below that.
> Pattern would be one of:
> IP address
> CIDR mask
> regexp on hostname
> Changes would not be possible while broker was running, the file would need to be editted and then the broker restarted. This avoids the necessity to consider what happens to existing connections which would be excluded by a new rule. Errors in configuration would prevent broker startup.
> Implementation wise, a new IPRestriction class would extend ACLPlugin which listens for ConnectionOpen and checks against the list of rules.
> AMQProtocolSession needs to expose access to the underlying socket.
> ---
> We may need to reconsider allowing changes to the lists while the broker is running. It would probably imply storing these outwith the main configuration file and instead having something else, potentially a properties file, which could be editted by the broker as it runs.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
[jira] Commented: (QPID-1583) IP White/Black lists for virtual
hosts
Posted by "Aidan Skinner (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-1583?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12666170#action_12666170 ]
Aidan Skinner commented on QPID-1583:
-------------------------------------
Knowing about all brokers on the server is kind of hard, they could all share the same file though. We could allow multiple files to be specified in the config file so you could have one for the server and one for the specific broker.
> IP White/Black lists for virtual hosts
> --------------------------------------
>
> Key: QPID-1583
> URL: https://issues.apache.org/jira/browse/QPID-1583
> Project: Qpid
> Issue Type: New Feature
> Components: Java Broker
> Affects Versions: M5
> Reporter: Aidan Skinner
> Assignee: Aidan Skinner
> Fix For: M5
>
>
> Having white/black lists for connecting to a virtual host would be useful.
> Questions:
> - need to provide an easy way for operate to maintain, secure & backup this list
> - should consider what to do if there file/props etc for this are corrupt/format wrong
> - if possible, the security filtering this provides should be part of a potential chain of access REDUCING plugins so that this is easy to drop in and teams can potentially write their own reducing filter class and use abstraction to define in config for broker
> - needs to be at vhost level, and potentially at queue level ?
> ------------
> Explicit allow/deny lists of connection patterns on virtualhosts in config.xml, existing ACL infrastructure for entities below that.
> Pattern would be one of:
> IP address
> CIDR mask
> regexp on hostname
> Changes would not be possible while broker was running, the file would need to be editted and then the broker restarted. This avoids the necessity to consider what happens to existing connections which would be excluded by a new rule. Errors in configuration would prevent broker startup.
> Implementation wise, a new IPRestriction class would extend ACLPlugin which listens for ConnectionOpen and checks against the list of rules.
> AMQProtocolSession needs to expose access to the underlying socket.
> ---
> We may need to reconsider allowing changes to the lists while the broker is running. It would probably imply storing these outwith the main configuration file and instead having something else, potentially a properties file, which could be editted by the broker as it runs.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
[jira] Commented: (QPID-1583) IP White/Black lists for virtual
hosts
Posted by "Aidan Skinner (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-1583?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12681332#action_12681332 ]
Aidan Skinner commented on QPID-1583:
-------------------------------------
This is all done
> IP White/Black lists for virtual hosts
> --------------------------------------
>
> Key: QPID-1583
> URL: https://issues.apache.org/jira/browse/QPID-1583
> Project: Qpid
> Issue Type: New Feature
> Components: Java Broker
> Affects Versions: M5
> Reporter: Aidan Skinner
> Assignee: Martin Ritchie
> Fix For: M5
>
>
> Having white/black lists for connecting to a virtual host would be useful.
> Questions:
> - need to provide an easy way for operate to maintain, secure & backup this list
> - should consider what to do if there file/props etc for this are corrupt/format wrong
> - if possible, the security filtering this provides should be part of a potential chain of access REDUCING plugins so that this is easy to drop in and teams can potentially write their own reducing filter class and use abstraction to define in config for broker
> - needs to be at vhost level, and potentially at queue level ?
> ------------
> Explicit allow/deny lists of connection patterns on virtualhosts in config.xml, existing ACL infrastructure for entities below that.
> Pattern would be one of:
> IP address
> CIDR mask
> regexp on hostname
> Changes would not be possible while broker was running, the file would need to be editted and then the broker restarted. This avoids the necessity to consider what happens to existing connections which would be excluded by a new rule. Errors in configuration would prevent broker startup.
> Implementation wise, a new IPRestriction class would extend ACLPlugin which listens for ConnectionOpen and checks against the list of rules.
> AMQProtocolSession needs to expose access to the underlying socket.
> ---
> We may need to reconsider allowing changes to the lists while the broker is running. It would probably imply storing these outwith the main configuration file and instead having something else, potentially a properties file, which could be editted by the broker as it runs.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
[jira] Assigned: (QPID-1583) IP White/Black lists for virtual hosts
Posted by "Aidan Skinner (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-1583?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Aidan Skinner reassigned QPID-1583:
-----------------------------------
Assignee: Martin Ritchie (was: Aidan Skinner)
> IP White/Black lists for virtual hosts
> --------------------------------------
>
> Key: QPID-1583
> URL: https://issues.apache.org/jira/browse/QPID-1583
> Project: Qpid
> Issue Type: New Feature
> Components: Java Broker
> Affects Versions: M5
> Reporter: Aidan Skinner
> Assignee: Martin Ritchie
> Fix For: M5
>
>
> Having white/black lists for connecting to a virtual host would be useful.
> Questions:
> - need to provide an easy way for operate to maintain, secure & backup this list
> - should consider what to do if there file/props etc for this are corrupt/format wrong
> - if possible, the security filtering this provides should be part of a potential chain of access REDUCING plugins so that this is easy to drop in and teams can potentially write their own reducing filter class and use abstraction to define in config for broker
> - needs to be at vhost level, and potentially at queue level ?
> ------------
> Explicit allow/deny lists of connection patterns on virtualhosts in config.xml, existing ACL infrastructure for entities below that.
> Pattern would be one of:
> IP address
> CIDR mask
> regexp on hostname
> Changes would not be possible while broker was running, the file would need to be editted and then the broker restarted. This avoids the necessity to consider what happens to existing connections which would be excluded by a new rule. Errors in configuration would prevent broker startup.
> Implementation wise, a new IPRestriction class would extend ACLPlugin which listens for ConnectionOpen and checks against the list of rules.
> AMQProtocolSession needs to expose access to the underlying socket.
> ---
> We may need to reconsider allowing changes to the lists while the broker is running. It would probably imply storing these outwith the main configuration file and instead having something else, potentially a properties file, which could be editted by the broker as it runs.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
[jira] Commented: (QPID-1583) IP White/Black lists for virtual
hosts
Posted by "Aidan Skinner (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-1583?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12672602#action_12672602 ]
Aidan Skinner commented on QPID-1583:
-------------------------------------
I've comitted a first cut of this. There needs to be more tests written, and the following are currently unimplemented:
config file reloading (uses commons configuration)
external configuration files
comma seperated lists of netmasks and hostnames in rules.
> IP White/Black lists for virtual hosts
> --------------------------------------
>
> Key: QPID-1583
> URL: https://issues.apache.org/jira/browse/QPID-1583
> Project: Qpid
> Issue Type: New Feature
> Components: Java Broker
> Affects Versions: M5
> Reporter: Aidan Skinner
> Assignee: Aidan Skinner
> Fix For: M5
>
>
> Having white/black lists for connecting to a virtual host would be useful.
> Questions:
> - need to provide an easy way for operate to maintain, secure & backup this list
> - should consider what to do if there file/props etc for this are corrupt/format wrong
> - if possible, the security filtering this provides should be part of a potential chain of access REDUCING plugins so that this is easy to drop in and teams can potentially write their own reducing filter class and use abstraction to define in config for broker
> - needs to be at vhost level, and potentially at queue level ?
> ------------
> Explicit allow/deny lists of connection patterns on virtualhosts in config.xml, existing ACL infrastructure for entities below that.
> Pattern would be one of:
> IP address
> CIDR mask
> regexp on hostname
> Changes would not be possible while broker was running, the file would need to be editted and then the broker restarted. This avoids the necessity to consider what happens to existing connections which would be excluded by a new rule. Errors in configuration would prevent broker startup.
> Implementation wise, a new IPRestriction class would extend ACLPlugin which listens for ConnectionOpen and checks against the list of rules.
> AMQProtocolSession needs to expose access to the underlying socket.
> ---
> We may need to reconsider allowing changes to the lists while the broker is running. It would probably imply storing these outwith the main configuration file and instead having something else, potentially a properties file, which could be editted by the broker as it runs.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
[jira] Resolved: (QPID-1583) IP White/Black lists for virtual hosts
Posted by "Martin Ritchie (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-1583?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martin Ritchie resolved QPID-1583.
----------------------------------
Resolution: Fixed
Looked at this a while ago. Looked fine then so clicking the button now.
> IP White/Black lists for virtual hosts
> --------------------------------------
>
> Key: QPID-1583
> URL: https://issues.apache.org/jira/browse/QPID-1583
> Project: Qpid
> Issue Type: New Feature
> Components: Java Broker
> Affects Versions: 0.5
> Reporter: Aidan Skinner
> Assignee: Martin Ritchie
> Fix For: 0.5
>
>
> Having white/black lists for connecting to a virtual host would be useful.
> Questions:
> - need to provide an easy way for operate to maintain, secure & backup this list
> - should consider what to do if there file/props etc for this are corrupt/format wrong
> - if possible, the security filtering this provides should be part of a potential chain of access REDUCING plugins so that this is easy to drop in and teams can potentially write their own reducing filter class and use abstraction to define in config for broker
> - needs to be at vhost level, and potentially at queue level ?
> ------------
> Explicit allow/deny lists of connection patterns on virtualhosts in config.xml, existing ACL infrastructure for entities below that.
> Pattern would be one of:
> IP address
> CIDR mask
> regexp on hostname
> Changes would not be possible while broker was running, the file would need to be editted and then the broker restarted. This avoids the necessity to consider what happens to existing connections which would be excluded by a new rule. Errors in configuration would prevent broker startup.
> Implementation wise, a new IPRestriction class would extend ACLPlugin which listens for ConnectionOpen and checks against the list of rules.
> AMQProtocolSession needs to expose access to the underlying socket.
> ---
> We may need to reconsider allowing changes to the lists while the broker is running. It would probably imply storing these outwith the main configuration file and instead having something else, potentially a properties file, which could be editted by the broker as it runs.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
[jira] Commented: (QPID-1583) IP White/Black lists for virtual
hosts
Posted by "Marnie McCormack (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-1583?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12666165#action_12666165 ]
Marnie McCormack commented on QPID-1583:
----------------------------------------
The whitelist should not be in the virtual hosts file as I think it likely that these config details may be owned by different teams. It should also be possible to specify an IP address once in the config and apply it to a) all brokers on this server b) all vhs on this broker c) ultimately all brokers in this cluster etc.
Commons config will sort out the listening for updates out of the box, so no need to introduce anything new from that pov (http://commons.apache.org/configuration/userguide/howto_events.html)
> IP White/Black lists for virtual hosts
> --------------------------------------
>
> Key: QPID-1583
> URL: https://issues.apache.org/jira/browse/QPID-1583
> Project: Qpid
> Issue Type: New Feature
> Components: Java Broker
> Affects Versions: M5
> Reporter: Aidan Skinner
> Assignee: Aidan Skinner
> Fix For: M5
>
>
> Having white/black lists for connecting to a virtual host would be useful.
> Questions:
> - need to provide an easy way for operate to maintain, secure & backup this list
> - should consider what to do if there file/props etc for this are corrupt/format wrong
> - if possible, the security filtering this provides should be part of a potential chain of access REDUCING plugins so that this is easy to drop in and teams can potentially write their own reducing filter class and use abstraction to define in config for broker
> - needs to be at vhost level, and potentially at queue level ?
> ------------
> Explicit allow/deny lists of connection patterns on virtualhosts in config.xml, existing ACL infrastructure for entities below that.
> Pattern would be one of:
> IP address
> CIDR mask
> regexp on hostname
> Changes would not be possible while broker was running, the file would need to be editted and then the broker restarted. This avoids the necessity to consider what happens to existing connections which would be excluded by a new rule. Errors in configuration would prevent broker startup.
> Implementation wise, a new IPRestriction class would extend ACLPlugin which listens for ConnectionOpen and checks against the list of rules.
> AMQProtocolSession needs to expose access to the underlying socket.
> ---
> We may need to reconsider allowing changes to the lists while the broker is running. It would probably imply storing these outwith the main configuration file and instead having something else, potentially a properties file, which could be editted by the broker as it runs.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
[jira] Commented: (QPID-1583) IP White/Black lists for virtual
hosts
Posted by "Aidan Skinner (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-1583?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12666161#action_12666161 ]
Aidan Skinner commented on QPID-1583:
-------------------------------------
The downside to adding this to the virtualhost file is that it wouldn't be dynamically reloaded, or modified with the management console.
It would be possible to teach Qpid about kill -HUP to re-read it's config files, although this raises questions about what to do with things like the store directory if that changes.
Other options include:
seperate out the access file to something akin to postgresql's pg_hba.conf
allow JMX to add or remove rules, but not persist these to disk
all of the above
I don't think rewriting the virtualhosts file is a great idea, it means the brokers config has to be writable by the user the broker is running as.
> IP White/Black lists for virtual hosts
> --------------------------------------
>
> Key: QPID-1583
> URL: https://issues.apache.org/jira/browse/QPID-1583
> Project: Qpid
> Issue Type: New Feature
> Components: Java Broker
> Affects Versions: M5
> Reporter: Aidan Skinner
> Assignee: Aidan Skinner
> Fix For: M5
>
>
> Having white/black lists for connecting to a virtual host would be useful.
> Questions:
> - need to provide an easy way for operate to maintain, secure & backup this list
> - should consider what to do if there file/props etc for this are corrupt/format wrong
> - if possible, the security filtering this provides should be part of a potential chain of access REDUCING plugins so that this is easy to drop in and teams can potentially write their own reducing filter class and use abstraction to define in config for broker
> - needs to be at vhost level, and potentially at queue level ?
> ------------
> Explicit allow/deny lists of connection patterns on virtualhosts in config.xml, existing ACL infrastructure for entities below that.
> Pattern would be one of:
> IP address
> CIDR mask
> regexp on hostname
> Changes would not be possible while broker was running, the file would need to be editted and then the broker restarted. This avoids the necessity to consider what happens to existing connections which would be excluded by a new rule. Errors in configuration would prevent broker startup.
> Implementation wise, a new IPRestriction class would extend ACLPlugin which listens for ConnectionOpen and checks against the list of rules.
> AMQProtocolSession needs to expose access to the underlying socket.
> ---
> We may need to reconsider allowing changes to the lists while the broker is running. It would probably imply storing these outwith the main configuration file and instead having something else, potentially a properties file, which could be editted by the broker as it runs.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
[jira] Updated: (QPID-1583) IP White/Black lists for virtual hosts
Posted by "Aidan Skinner (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-1583?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Aidan Skinner updated QPID-1583:
--------------------------------
Status: Ready To Review (was: In Progress)
> IP White/Black lists for virtual hosts
> --------------------------------------
>
> Key: QPID-1583
> URL: https://issues.apache.org/jira/browse/QPID-1583
> Project: Qpid
> Issue Type: New Feature
> Components: Java Broker
> Affects Versions: M5
> Reporter: Aidan Skinner
> Assignee: Aidan Skinner
> Fix For: M5
>
>
> Having white/black lists for connecting to a virtual host would be useful.
> Questions:
> - need to provide an easy way for operate to maintain, secure & backup this list
> - should consider what to do if there file/props etc for this are corrupt/format wrong
> - if possible, the security filtering this provides should be part of a potential chain of access REDUCING plugins so that this is easy to drop in and teams can potentially write their own reducing filter class and use abstraction to define in config for broker
> - needs to be at vhost level, and potentially at queue level ?
> ------------
> Explicit allow/deny lists of connection patterns on virtualhosts in config.xml, existing ACL infrastructure for entities below that.
> Pattern would be one of:
> IP address
> CIDR mask
> regexp on hostname
> Changes would not be possible while broker was running, the file would need to be editted and then the broker restarted. This avoids the necessity to consider what happens to existing connections which would be excluded by a new rule. Errors in configuration would prevent broker startup.
> Implementation wise, a new IPRestriction class would extend ACLPlugin which listens for ConnectionOpen and checks against the list of rules.
> AMQProtocolSession needs to expose access to the underlying socket.
> ---
> We may need to reconsider allowing changes to the lists while the broker is running. It would probably imply storing these outwith the main configuration file and instead having something else, potentially a properties file, which could be editted by the broker as it runs.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org