Posted to commits@qpid.apache.org by ch...@apache.org on 2018/05/16 20:14:10 UTC

[12/12] qpid-dispatch git commit: DISPATCH-990: Document name pattern match feature in old book.

DISPATCH-990: Document name pattern match feature in old book.

Rename and touch up configuration settings to make docs read better.


Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/63a56d60
Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/63a56d60
Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/63a56d60

Branch: refs/heads/master
Commit: 63a56d6052e747a0043df621a67805989de5d255
Parents: 8712cab
Author: Chuck Rolke <cr...@redhat.com>
Authored: Tue May 15 10:43:44 2018 -0400
Committer: Chuck Rolke <cr...@redhat.com>
Committed: Tue May 15 10:43:44 2018 -0400

----------------------------------------------------------------------
 doc/book/policy.adoc                            | 59 ++++++++++++++++++++
 python/qpid_dispatch/management/qdrouter.json   |  4 +-
 .../qpid_dispatch_internal/management/config.py |  2 +-
 src/policy.c                                    |  6 +-
 tests/system_tests_policy.py                    |  2 +-
 5 files changed, 66 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/63a56d60/doc/book/policy.adoc
----------------------------------------------------------------------
diff --git a/doc/book/policy.adoc b/doc/book/policy.adoc
index c2be257..888611c 100644
--- a/doc/book/policy.adoc
+++ b/doc/book/policy.adoc
@@ -90,6 +90,64 @@ xref:example2[Example 2] illustrates how the default vhost feature can
 be used to apply a single vhost policy set of restrictions to any
 number of vhost connections.
 
+=== Vhost Patterns
+
+Policy vhost names may be interpreted as literal host names or 
+as host name patterns. Vhost name patterns are a convenience
+for letting a single policy rule cover a wide range of vhosts.
+
+Host name patterns consist of a series of host and domain name
+labels and one or more tokens all concatenated with periods or dots.
+A token can be one of the following:
+
+[options="header"]
+|====
+| Token character | Match rule
+| asterisk *      | matches a single hostname label
+| hash #          | matches zero or more hostname labels
+|====
+
+Some simple examples show how given policy name patterns match
+incoming connection vhost names.
+
+[options="header"]
+|====
+| Policy pattern         | Connection vhost           | Policy match
+| *.example.com          | example.com                | no
+| *.example.com          | www.example.com            | yes
+| *.example.com          | srv2.www.example.com       | no
+| #.example.com          | example.com                | yes
+| #.example.com          | www.example.com            | yes
+| #.example.com          | a.b.c.d.example.com        | yes
+| #.example.com          | bighost.com                | no
+| www.*.test.example.com | www.test.example.com       | no
+| www.*.test.example.com | www.a.test.example.com     | yes
+| www.*.test.example.com | www.a.b.c.test.example.com | no
+| www.#.test.example.com | www.test.example.com       | yes
+| www.#.test.example.com | www.a.test.example.com     | yes
+| www.#.test.example.com | www.a.b.c.test.example.com | yes
+|====
+
+Pattern matching applies the following precedence rules.
+
+[options="header"]
+|====
+| Policy pattern      | Precedence
+| exact match         | high
+| asterisk *          | medium
+| hash #              | low
+|====
+
+Policy vhost name patterns are optimised before they are used 
+in connection vhost name matching. As a result of this
+optimisation the names stored for pattern match lookups are
+not necessarily the same as the patterns specified in the 
+vhost policy hostname. The policy agent disallows vhost
+name patterns that reduce to the same pattern as an existing name 
+pattern. For instance, name pattern _pass:[#.#.#.#.com]_ is reduced to _pass:[#.com]_.
+Attempts to create a vhost name pattern whose optimised
+name conflicts with an existing optimised name will be denied.
+
 == Policy Schema
 
 Policy configuration is specified in two schema objects.
@@ -123,6 +181,7 @@ created as needed.
 | enableVhostPolicy   | false      | Enable vhost policy connection denial, and resource limit enforcement.
 | policyDir           | ""         | Absolute path to a directory that holds vhost definition .json files. All vhost definitions in all .json files in this directory are processed.
 | defaultVhost        | "$default" | Vhost rule set name to use for connections with a vhost that is otherwise not defined. Default vhost processing may be disabled either by erasing the definition of _defaultVhost_ or by not defining a _vhost_ object named _$default_.
+| enableVhostNamePatterns | false  | Enable vhost name patterns. When false vhost hostnames are treated as literal strings. When true vhost hostnames are treated as match patterns.
 |====
 
 === Vhost Policy

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/63a56d60/python/qpid_dispatch/management/qdrouter.json
----------------------------------------------------------------------
diff --git a/python/qpid_dispatch/management/qdrouter.json b/python/qpid_dispatch/management/qdrouter.json
index ee8a943..42f501f 100644
--- a/python/qpid_dispatch/management/qdrouter.json
+++ b/python/qpid_dispatch/management/qdrouter.json
@@ -1678,10 +1678,10 @@
                     "required": false,
                     "create": true
                 },
-                "useVhostNamePatterns": {
+                "enableVhostNamePatterns": {
                     "type": "boolean",
                     "default": false,
-                    "description": "Use Vhost name patterns.",
+                    "description": "Enable vhost name patterns. When false vhost hostnames are treated as literal strings. When true vhost hostnames are treated as match patterns.",
                     "required": false,
                     "create": true
                 },
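Review bot: Renaming the attribute in place leaves no path for configurations that still set `useVhostNamePatterns`: the schema entry is replaced rather than aliased, and in src/policy.c `qd_entity_opt_bool(entity, "enableVhostNamePatterns", false)` falls back to `false` when the new key is absent. Whether an old key is rejected at load or silently ignored depends on schema validation that is not visible here; if it is ignored, vhost hostnames would be matched as literal strings and pattern-based policy rules would stop applying without any error. If the old name ever shipped in a release, consider accepting it as a deprecated alias with a logged warning, or call out the rename in the release notes. The same applies to the lookup in python/qpid_dispatch_internal/management/config.py.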

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/63a56d60/python/qpid_dispatch_internal/management/config.py
----------------------------------------------------------------------
diff --git a/python/qpid_dispatch_internal/management/config.py b/python/qpid_dispatch_internal/management/config.py
index aad6bd2..82814b5 100644
--- a/python/qpid_dispatch_internal/management/config.py
+++ b/python/qpid_dispatch_internal/management/config.py
@@ -178,7 +178,7 @@ def configure_dispatch(dispatch, lib_handle, filename):
     # Configure policy and policy manager before vhosts
     policyDir           = config.by_type('policy')[0]['policyDir']
     policyDefaultVhost  = config.by_type('policy')[0]['defaultVhost']
-    useHostnamePatterns = config.by_type('policy')[0]['useVhostNamePatterns']
+    useHostnamePatterns = config.by_type('policy')[0]['enableVhostNamePatterns']
     for a in config.by_type("policy"):
         configure(a)
     agent.policy.set_default_vhost(policyDefaultVhost)
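Review bot: The local variable on the changed line is still called `useHostnamePatterns`, so the Python side now carries a third spelling next to the schema's `enableVhostNamePatterns` and the C field of the same name. Renaming it, e.g. `enableVhostNamePatterns = config.by_type('policy')[0]['enableVhostNamePatterns']`, would keep the setting greppable under one name; its later uses in configure_dispatch are outside this hunk and would need the same rename. A short comment such as `# When false, vhost hostnames are matched as literal strings` on that line would also help, since the flag changes how policy rules are selected.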

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/63a56d60/src/policy.c
----------------------------------------------------------------------
diff --git a/src/policy.c b/src/policy.c
index 9c99c88..697ec1b 100644
--- a/src/policy.c
+++ b/src/policy.c
@@ -67,7 +67,7 @@ struct qd_policy_t {
     int                   max_connection_limit;
     char                 *policyDir;
     bool                  enableVhostPolicy;
-    bool                  useVhostNamePatterns;
+    bool                  enableVhostNamePatterns;
                           // live statistics
     int                   connections_processed;
     int                   connections_denied;
@@ -115,7 +115,7 @@ qd_error_t qd_entity_configure_policy(qd_policy_t *policy, qd_entity_t *entity)
     policy->policyDir =
         qd_entity_opt_string(entity, "policyDir", 0); CHECK();
     policy->enableVhostPolicy = qd_entity_opt_bool(entity, "enableVhostPolicy", false); CHECK();
-    policy->useVhostNamePatterns = qd_entity_opt_bool(entity, "useVhostNamePatterns", false); CHECK();
+    policy->enableVhostNamePatterns = qd_entity_opt_bool(entity, "enableVhostNamePatterns", false); CHECK();
     qd_log(policy->log_source, QD_LOG_INFO,
            "Policy configured maxConnections: %d, "
            "policyDir: '%s',"
@@ -124,7 +124,7 @@ qd_error_t qd_entity_configure_policy(qd_policy_t *policy, qd_entity_t *entity)
            policy->max_connection_limit,
            policy->policyDir,
            (policy->enableVhostPolicy ? "true" : "false"),
-           (policy->useVhostNamePatterns ? "true" : "false"));
+           (policy->enableVhostNamePatterns ? "true" : "false"));
     return QD_ERROR_NONE;
 
 error:

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/63a56d60/tests/system_tests_policy.py
----------------------------------------------------------------------
diff --git a/tests/system_tests_policy.py b/tests/system_tests_policy.py
index e2f2797..92555d0 100644
--- a/tests/system_tests_policy.py
+++ b/tests/system_tests_policy.py
@@ -758,7 +758,7 @@ class PolicyHostamePatternTest(TestCase):
         config = Qdrouterd.Config([
             ('router', {'mode': 'standalone', 'id': 'QDR.Policy8'}),
             ('listener', {'port': listen_port}),
-            ('policy', {'maxConnections': 2, 'policyDir': policy_config_path, 'enableVhostPolicy': 'true', 'useVhostNamePatterns': 'true'})
+            ('policy', {'maxConnections': 2, 'policyDir': policy_config_path, 'enableVhostPolicy': 'true', 'enableVhostNamePatterns': 'true'})
         ])
 
         cls.router = cls.tester.qdrouterd('PolicyVhostNamePatternTest', config, wait=True)

