Posted to dev@qpid.apache.org by "Keith Wall (JIRA)" <ji...@apache.org> on 2016/05/02 16:03:12 UTC

[jira] [Updated] (QPID-7242) Make existing authentication/group providers produce realm qualified principals

     [ https://issues.apache.org/jira/browse/QPID-7242?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Keith Wall updated QPID-7242:
-----------------------------
    Description: 
Change all existing authentication and group providers to produce realm qualified principals.

Each authentication and group provider will have a {{realm}} attribute.  Validation ({{#onValidate}}) must ensure that the realm name used by each provider is unique.

For some providers, the realm name may be default-able: authentication/group backends can default to the domain name (the host portion of a URI) of the authentication/group server, e.g. directory.example.com in the case of a Directory (LDAP).  For non-server backed providers, a realm can be constructed using the "other" realm form suggested by RFC-4120 (e.g. {{qpid:SCRAM-SHA256/myscramprovider}}).  For some providers, such as Kerberos, the realm must be supplied by the user.

The Principals produced by the authentication and group providers must carry the realm.  The serialised form of the Principal will be a string of the form {{uriEscape(name) + '@' + domain}}.  Principal equality must include the realm too.

For this change, ConfiguredObject#createdBy/lastUpdatedBy remain Strings (for now).

Existing ACL rules consider only a principal's name, so existing ACL behaviour should be unchanged by this change.


  was:
Change all existing authentication and group providers to produce realm qualified principals.

Each authentication and group provider will have a {{realm}} attribute.  Validation ({{#onValidate}}) must ensure that the realm name used by each provider is unique.

For some providers, the realm name may be default-able: authentication/group backends can default to the domain name (the host portion of a URI) of the authentication/group server, e.g. directory.example.com in the case of a Directory (LDAP).  For non-server backed providers, a realm can be constructed using the "other" realm form suggested by RFC-4120 (e.g. {{qpid:SCRAM-SHA256/myscramprovider}}).  For some providers, such as Kerberos, the realm must be supplied by the user.

The Principals produced by the authentication and group providers must carry the realm.  The serialised form of the Principal will be a string of the form {{uriEscape(name) + '@' + domain}}.  Principal equality must include the realm too.

For this change, ConfiguredObject#createdBy/lastUpdatedBy remain Strings (for now).


> Make existing authentication/group providers produce realm qualified principals 
> --------------------------------------------------------------------------------
>
>                 Key: QPID-7242
>                 URL: https://issues.apache.org/jira/browse/QPID-7242
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>            Reporter: Keith Wall
>             Fix For: qpid-java-6.1
>
>
> Change all existing authentication and group providers to produce realm qualified principals.
> Each authentication and group provider will have a {{realm}} attribute.  Validation ({{#onValidate}}) must ensure that the realm name used by each provider is unique.
> For some providers, the realm name may be default-able: authentication/group backends can default to the domain name (the host portion of a URI) of the authentication/group server, e.g. directory.example.com in the case of a Directory (LDAP).  For non-server backed providers, a realm can be constructed using the "other" realm form suggested by RFC-4120 (e.g. {{qpid:SCRAM-SHA256/myscramprovider}}).  For some providers, such as Kerberos, the realm must be supplied by the user.
> The Principals produced by the authentication and group providers must carry the realm.  The serialised form of the Principal will be a string of the form {{uriEscape(name) + '@' + domain}}.  Principal equality must include the realm too.
> For this change, ConfiguredObject#createdBy/lastUpdatedBy remain Strings (for now).
> Existing ACL rules consider only a principal's name, so existing ACL behaviour should be unchanged by this change.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
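The design above (realm attribute, realm defaulting, uniqueness validation, realm-aware equality and the {{uriEscape(name) + '@' + domain}} serialised form) sketched as an added Java example; this is not Qpid's own code, and the class name, RealmQualifiedPrincipal, the methods and the use of URLEncoder as a stand-in for uriEscape are assumptions (Java 10+ for the Charset overloads).

```java
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.*;

/** Hypothetical realm-qualified principal (not Qpid's own class); serialised as uriEscape(name) + '@' + realm. */
public final class RealmQualifiedPrincipal implements Principal {
    private final String name;
    private final String realm;
    public RealmQualifiedPrincipal(String name, String realm) {
        this.name = Objects.requireNonNull(name);
        this.realm = Objects.requireNonNull(realm);
    }
    @Override public String getName() { return name; }
    public String getRealm() { return realm; }
    /** URL-encoding stands in for uriEscape: an '@' inside the bare name becomes %40, so it cannot be mistaken for the realm separator. */
    public String serialise() {
        return URLEncoder.encode(name, StandardCharsets.UTF_8) + "@" + realm;
    }
    /** Inverse of serialise(): the realm is whatever follows the last '@', which is never part of the escaped name. */
    public static RealmQualifiedPrincipal parse(String s) {
        int at = s.lastIndexOf('@');
        if (at < 1 || at == s.length() - 1) throw new IllegalArgumentException("not realm qualified: " + s);
        String name = URLDecoder.decode(s.substring(0, at), StandardCharsets.UTF_8);
        return new RealmQualifiedPrincipal(name, s.substring(at + 1));
    }
    /** Equality includes the realm: "alice" from the LDAP realm and "alice" from a SCRAM realm are different identities. */
    @Override public boolean equals(Object o) {
        if (!(o instanceof RealmQualifiedPrincipal)) return false;
        RealmQualifiedPrincipal p = (RealmQualifiedPrincipal) o;
        return name.equals(p.name) && realm.equals(p.realm);
    }
    @Override public int hashCode() { return Objects.hash(name, realm); }
    /** Realm defaulting: the host of the server URI for server-backed providers, else the RFC 4120 "other" form. */
    static String defaultRealm(String providerType, String providerName, String serverUri) {
        if (serverUri != null) return URI.create(serverUri).getHost();  // ldap://directory.example.com -> directory.example.com
        return "qpid:" + providerType + "/" + providerName;             // e.g. qpid:SCRAM-SHA256/myscramprovider
    }
    /** onValidate-style check: two providers sharing a realm would make their principals collide, so reject it. */
    static void validateUniqueRealms(Map<String, String> realmByProvider) {
        Map<String, String> owner = new HashMap<>();  // realm -> provider that first claimed it
        realmByProvider.forEach((provider, realm) -> {
            String prev = owner.putIfAbsent(realm, provider);
            if (prev != null) throw new IllegalStateException("realm '" + realm + "' used by both " + prev + " and " + provider);
        });
    }
}
```

With this shape, `parse(p.serialise())` round-trips even when the user name itself contains an '@', and a principal from one realm never compares equal to a same-named principal from another.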

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org