Posted to dev@qpid.apache.org by Danushka Menikkumbura <da...@gmail.com> on 2011/03/23 15:32:13 UTC
vhost-level access control in Java broker
Hi devs,
Do we have $subject?
Danushka
Re: vhost-level access control in Java broker
Posted by Andrew Kennedy <an...@gmail.com>.
On 26 Mar 2011, at 00:58, Danushka Menikkumbura wrote:
> Hi Andrew/Marnie,
>
> Actually my question was, when SecurityPlugin.authorise() is hit
> for a given operation call, how do you identify the vhost? That is,
> how do you identify on which vhost this operation is carried out?
> So, for an example when it gets called for Create, Bind, Publish,
> etc I need to know the corresponding vhost.
Right, I understand what you're asking now.
The SecurityPlugin classes are managed by the SecurityManager, which
is instantiated per virtualhost. So, in VirtualHostImpl the
constructor creates a new SecurityManager that is a child of the
global (broker) SecurityManager (for plugin chaining and global
defaults) and initialises it with the virtualhost configuration,
similar to this:
    private VirtualHostImpl(IApplicationRegistry registry,
            VirtualHostConfiguration config, MessageStore store)
    {
        // ...
        _securityManager = new SecurityManager(registry.getSecurityManager());
        _securityManager.configureHostPlugins(config);
        // ...
    }
Then, when a Queue, for example, needs to check the ACLs it looks up
the SecurityManager for its virtualhost, like this:
    if (!virtualHost.getSecurityManager().authoriseCreateQueue(/* ... */)) {
        // exception ...
    }
The security managers know which virtual host they are responsible
for, and also have a reference to the global manager so they can
delegate to it. The plugin itself has no knowledge of the
virtualhost, it just checks the ACL rules it was given when it was
initialised. Also, the security plugins only receive a subset of the
configuration file XML, taken from either //broker/virtualhosts/
virtualhost/name/security or //broker/security and then presented as
simply <security>...</security> so they do not know if they are
global or host plugins based on the configuration.
If you are writing a new plugin and want it to behave differently,
you would currently have to add an element to the XML configuration
that specified the part of the broker it is responsible for.
Hope this is useful...
Andrew.
--
-- andrew d kennedy ? do not fold, bend, spindle, or mutilate ;
-- http://grkvlt.blogspot.com/ ? edinburgh : +44 7582 293 255 ;
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
Re: vhost-level access control in Java broker
Posted by Danushka Menikkumbura <da...@gmail.com>.
Hi Andrew/Marnie,
Actually my question was, when SecurityPlugin.authorise() is hit for a given
operation call, how do you identify the vhost? That is, how do you identify
on which vhost this operation is carried out? So, for an example when it
gets called for Create, Bind, Publish, etc I need to know the corresponding
vhost.
Thanks,
Danushka
On Fri, Mar 25, 2011 at 3:23 AM, Andrew Kennedy <
andrewinternational@gmail.com> wrote:
> On 23 Mar 2011, at 17:53, Danushka Menikkumbura wrote:
>
>> Hi Marnie,
>>
>> So, "properties" in "public Result authorise(Operation operation,
>> ObjectType objectType, ObjectProperties properties)" should include the
>> vhost name? I do not see anything like that.
>>
>> Thanks,
>> Danushka
>>
>> On Wed, Mar 23, 2011 at 10:14 PM, Marnie McCormack <
>> marnie.mccormack@googlemail.com> wrote:
>>
>>> Hi Danushka,
>>>
>>> The ACLs (v2) on the java broker are specified per virtual host, so the
>>> queue permissions already have a 'namespace' effectively.
>>>
>>> If you look at virtualhosts-systests-aclv2-settings.xml you'll see where
>>> virtualhost level acl files get specified. Thus permissions for foo on
>>> different vhosts get specified separately, and the call into authorise
>>> done at the vhost level.
>>>
>>
> Danushka,
>
> Here is an example showing what Marnie described. Suppose we have two
> virtualhosts, 'test' and 'dev', with *separate* ACL files specified in
> 'virtualhosts.xml' for each, contents as follows:
>
> test ACL file:
>     acl allow client create queue name="client.queue"
>     acl allow guest create queue name="guest.queue"
>
> dev ACL file:
>     acl allow guest create queue name="client.queue"
>     acl allow client create queue name="guest.queue"
>
> This table shows the results of different users trying to create queues of
> various names on both virtualhosts:
>
>     user    vhost  queueName     result
>     ----    -----  ---------     ------
>     client  test   client.queue  yes
>     guest   test   guest.queue   yes
>     client  test   guest.queue   no
>     guest   test   client.queue  no
>     client  dev    client.queue  no
>     guest   dev    guest.queue   no
>     client  dev    guest.queue   yes
>     guest   dev    client.queue  yes
>
> This works because the ACL file is associated with a virtualhost
> configuration, as are broker configured entities such as queues. However, it
> is also possible to specify a *global* ACL file, and the protections
> specified in that file will apply to all virtual hosts, regardless. The
> correct/only way to obtain the behaviour described above is by creating an
> ACL file per virtualhost.
>
> Andrew.
> --
> -- andrew d kennedy ? do not fold, bend, spindle, or mutilate ;
> -- http://grkvlt.blogspot.com/ ? edinburgh : +44 7582 293 255 ;
>
Re: vhost-level access control in Java broker
Posted by Andrew Kennedy <an...@gmail.com>.
On 23 Mar 2011, at 17:53, Danushka Menikkumbura wrote:
> Hi Marnie,
>
> So, "properties" in "public Result authorise(Operation operation,
> ObjectType objectType, ObjectProperties properties)" should include the
> vhost name? I do not see anything like that.
>
> Thanks,
> Danushka
>
> On Wed, Mar 23, 2011 at 10:14 PM, Marnie McCormack <
> marnie.mccormack@googlemail.com> wrote:
>
>> Hi Danushka,
>>
>> The ACLs (v2) on the java broker are specified per virtual host, so the
>> queue permissions already have a 'namespace' effectively.
>>
>> If you look at virtualhosts-systests-aclv2-settings.xml you'll see where
>> virtualhost level acl files get specified. Thus permissions for foo on
>> different vhosts get specified separately, and the call into authorise
>> done at the vhost level.
Danushka,
Here is an example showing what Marnie described. Suppose we have two
virtualhosts, 'test' and 'dev', with *separate* ACL files specified
in 'virtualhosts.xml' for each, contents as follows:
test ACL file:
    acl allow client create queue name="client.queue"
    acl allow guest create queue name="guest.queue"

dev ACL file:
    acl allow guest create queue name="client.queue"
    acl allow client create queue name="guest.queue"

This table shows the results of different users trying to create
queues of various names on both virtualhosts:

    user    vhost  queueName     result
    ----    -----  ---------     ------
    client  test   client.queue  yes
    guest   test   guest.queue   yes
    client  test   guest.queue   no
    guest   test   client.queue  no
    client  dev    client.queue  no
    guest   dev    guest.queue   no
    client  dev    guest.queue   yes
    guest   dev    client.queue  yes

This works because the ACL file is associated with a virtualhost
configuration, as are broker configured entities such as queues.
However, it is also possible to specify a *global* ACL file, and the
protections specified in that file will apply to all virtual hosts,
regardless. The correct/only way to obtain the behaviour described
above is by creating an ACL file per virtualhost.
Andrew.
--
-- andrew d kennedy ? do not fold, bend, spindle, or mutilate ;
-- http://grkvlt.blogspot.com/ ? edinburgh : +44 7582 293 255 ;
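
Added example (not part of the original thread, and not Qpid's own code): a minimal model of the two points made in Andrew's replies, namely that each virtualhost owns a security manager chained to the global one, and that the plugin itself never sees a vhost name. All class names are hypothetical, and the rule that an unmatched request is passed to the parent and denied if nobody matches is an assumption made for the sketch. Running it prints the same eight rows as the table above.

```java
import java.util.*;

public class VhostAclDemo {
    enum Result { ALLOWED, DENIED, ABSTAIN }

    // A plugin only holds the rules it was initialised with; it never sees a vhost name.
    record Rule(boolean allow, String user, String queue) {}

    static class AclPlugin {
        private final List<Rule> rules;
        AclPlugin(Rule... rules) { this.rules = List.of(rules); }
        Result authoriseCreateQueue(String user, String queue) {
            for (Rule r : rules)
                if (r.user().equals(user) && r.queue().equals(queue))
                    return r.allow() ? Result.ALLOWED : Result.DENIED;
            return Result.ABSTAIN;
        }
    }

    // One manager per virtualhost, chained to the global (broker) manager.
    static class HostSecurityManager {
        private final HostSecurityManager parent;
        private final AclPlugin plugin;
        HostSecurityManager(HostSecurityManager parent, AclPlugin plugin) {
            this.parent = parent; this.plugin = plugin;
        }
        boolean authoriseCreateQueue(String user, String queue) {
            Result r = plugin.authoriseCreateQueue(user, queue);
            if (r != Result.ABSTAIN) return r == Result.ALLOWED;
            // Assumption: no matching host rule -> ask the parent; deny if nobody matches.
            return parent != null && parent.authoriseCreateQueue(user, queue);
        }
    }

    public static void main(String[] args) {
        HostSecurityManager global = new HostSecurityManager(null, new AclPlugin());
        Map<String, HostSecurityManager> vhosts = new LinkedHashMap<>();
        vhosts.put("test", new HostSecurityManager(global, new AclPlugin(
            new Rule(true, "client", "client.queue"), new Rule(true, "guest", "guest.queue"))));
        vhosts.put("dev", new HostSecurityManager(global, new AclPlugin(
            new Rule(true, "guest", "client.queue"), new Rule(true, "client", "guest.queue"))));
        // The vhost is selected by the caller, the way a queue looks up its own manager.
        for (var e : vhosts.entrySet())
            for (String user : List.of("client", "guest"))
                for (String queue : List.of("client.queue", "guest.queue"))
                    System.out.printf("%-6s %-4s %-12s %s%n", user, e.getKey(), queue,
                        e.getValue().authoriseCreateQueue(user, queue) ? "yes" : "no");
    }
}
```
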
Re: vhost-level access control in Java broker
Posted by Danushka Menikkumbura <da...@gmail.com>.
Hi Marnie,
So, "properties" in "public Result authorise(Operation operation, ObjectType
objectType, ObjectProperties properties)" should include the vhost name? I
do not see anything like that.
Thanks,
Danushka
On Wed, Mar 23, 2011 at 10:14 PM, Marnie McCormack <
marnie.mccormack@googlemail.com> wrote:
> Hi Danushka,
>
> The ACLs (v2) on the java broker are specified per virtual host, so the
> queue permissions already have a 'namespace' effectively.
>
> If you look at virtualhosts-systests-aclv2-settings.xml you'll see where
> virtualhost level acl files get specified. Thus permissions for foo on
> different vhosts get specified separately, and the call into authorise done
> at the vhost level.
>
> Hth,
> Marnie
>
> On Wed, Mar 23, 2011 at 3:27 PM, Danushka Menikkumbura <
> danushka.menikkumbura@gmail.com> wrote:
>
>> Hi Marnie,
>>
>> What I meant was having different access control settings for queue "foo"
>> under vhost "vh1" and queue with the same name under vhost "vh2". I do not
>> see vhost name as a parameter in authorize call.
>>
>> Thanks,
>> Danushka
>>
>> On Wed, Mar 23, 2011 at 8:41 PM, Marnie McCormack <
>> marnie.mccormack@googlemail.com> wrote:
>>
>>> Hi Danushka,
>>> Yes - if you mean can we control virtualhost level access ?
>>>
>>> Details and examples are available here:
>>> https://issues.apache.org/jira/secure/attachment/12448750/Security-Plugins.pdf
>>> <https://cwiki.apache.org/confluence/display/qpid/andrew+acl+proposal>
>>>
>>> The XML for the docbook for this is in svn but doesn't seem to have been
>>> rendered into the docbook for some reason.
>>>
>>> Thanks,
>>> Marnie
>>>
>>>
>>> On Wed, Mar 23, 2011 at 2:32 PM, Danushka Menikkumbura <
>>> danushka.menikkumbura@gmail.com> wrote:
>>>
>>> > Hi devs,
>>> >
>>> > Do we have $subject?
>>> >
>>> > Danushka
>>> >
>>>
>>
>>
>
Re: vhost-level access control in Java broker
Posted by Danushka Menikkumbura <da...@gmail.com>.
Hi Marnie,
What I meant was having different access control settings for queue "foo"
under vhost "vh1" and queue with the same name under vhost "vh2". I do not
see vhost name as a parameter in authorize call.
Thanks,
Danushka
On Wed, Mar 23, 2011 at 8:41 PM, Marnie McCormack <
marnie.mccormack@googlemail.com> wrote:
> Hi Danushka,
> Yes - if you mean can we control virtualhost level access ?
>
> Details and examples are available here:
> https://issues.apache.org/jira/secure/attachment/12448750/Security-Plugins.pdf
> <https://cwiki.apache.org/confluence/display/qpid/andrew+acl+proposal>
>
> The XML for the docbook for this is in svn but doesn't seem to have been
> rendered into the docbook for some reason.
>
> Thanks,
> Marnie
>
>
> On Wed, Mar 23, 2011 at 2:32 PM, Danushka Menikkumbura <
> danushka.menikkumbura@gmail.com> wrote:
>
> > Hi devs,
> >
> > Do we have $subject?
> >
> > Danushka
> >
>
Re: vhost-level access control in Java broker
Posted by Marnie McCormack <ma...@googlemail.com>.
Hi Danushka,
Yes - if you mean can we control virtualhost level access ?
Details and examples are available here:
https://issues.apache.org/jira/secure/attachment/12448750/Security-Plugins.pdf
<https://cwiki.apache.org/confluence/display/qpid/andrew+acl+proposal>
The XML for the docbook for this is in svn but doesn't seem to have been
rendered into the docbook for some reason.
Thanks,
Marnie
On Wed, Mar 23, 2011 at 2:32 PM, Danushka Menikkumbura <
danushka.menikkumbura@gmail.com> wrote:
> Hi devs,
>
> Do we have $subject?
>
> Danushka
>