Posted to dev@qpid.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2014/07/23 19:03:38 UTC

[jira] [Commented] (QPID-4123) C++ Broker Acl creates too many run-time rules

    [ https://issues.apache.org/jira/browse/QPID-4123?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14071965#comment-14071965 ] 

ASF subversion and git services commented on QPID-4123:
-------------------------------------------------------

Commit 1612874 from chug@apache.org in branch 'qpid/trunk'
[ https://svn.apache.org/r1612874 ]

QPID-4123: C++ Broker ACL creates too many rules

Recent changes have added new tables to define what
are ACL lookups and their properties. This commit
finishes that work by not propagating rules that
will never match. Also, it completes the scaffolding
for allowed and denied host lists to be fully 
integrated. This commit:

* Adds startup logging of ACL validation tables
  with cross references to possible rule matches.
* Hooks the ACL host allow/deny connection lists
  into self test.
* Fixes self tests that get broken by proper rule
  table handling.
* Introduces a 'create connection' decision mode
  similar to ACL rule decision mode.
* Describes it all in doc book.

> C++ Broker Acl creates too many run-time rules
> ----------------------------------------------
>
>                 Key: QPID-4123
>                 URL: https://issues.apache.org/jira/browse/QPID-4123
>             Project: Qpid
>          Issue Type: Improvement
>          Components: C++ Broker
>    Affects Versions: 0.16
>            Reporter: Chuck Rolke
>            Assignee: Chuck Rolke
>            Priority: Minor
>             Fix For: Future
>
>
> The Acl module creates a table of rules in a two dimensional array. The typical reference to this table is: actionList[action][objType].
> When an Acl rule from the file is processed and the action or objType is '*' then the rule is propagated into the actionList table at every row or column even when the action/object pair will never be referenced.
> For example a rule such as
>  acl allow bob publish * name=X routingkey=a.b.c
> will put the rule into publish/queue, publish/exchange, publish/broker, etc. even when only publish/exchange will ever be referenced.
> In AclModule.h a validationMap is created that identifies which intersections in the actionList are ever used but this map is not used.
> With 5 objects and 9 actions there are 45 actionList entries. Of these only 13 are ever referenced for authorise lookups.



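As an added illustration, not code from the commit or from the broker itself, a small C++ model of the actionList expansion the issue describes: a rule with '*' for objType written into every cell of the row versus only into the cells the validation map marks as ever looked up. The action and object names are the Qpid ACL vocabulary; the contents of the validation map here are constructed for the example and are not the broker's real table (only publish/exchange is taken from the issue text).

```cpp
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Model of the broker's lookup table: actionList[action][objType].
// 9 actions x 5 objects gives the 45 cells mentioned in the issue.
static const std::vector<std::string> kActions = {
    "consume", "publish", "create", "access", "bind",
    "unbind", "delete", "purge", "update"};
static const std::vector<std::string> kObjects = {
    "queue", "exchange", "broker", "link", "method"};

using Cell = std::pair<std::string, std::string>;            // (action, objType)
using ActionList = std::map<Cell, std::vector<std::string>>; // cell -> rule ids

// CONSTRUCTED validation map for illustration: the (action, objType)
// intersections that an authorise() lookup can ever reference. The real
// broker table (validationMap in AclModule.h) is not reproduced here.
static const std::set<Cell> kValidationMap = {
    {"consume", "queue"}, {"publish", "exchange"}, {"create", "queue"},
    {"create", "exchange"}, {"access", "queue"}, {"access", "exchange"},
    {"bind", "exchange"}, {"unbind", "exchange"}, {"delete", "queue"},
    {"delete", "exchange"}, {"purge", "queue"}};

// Expand one file rule into the table. A '*' for action or objType matches
// every row or column. With useValidationMap == false the rule is copied into
// every matching cell (the behaviour the issue reports); with it == true the
// cells that no lookup ever references are skipped (the fix).
// Returns the number of cells the rule was written into.
int expandRule(ActionList& table, const std::string& ruleId,
               const std::string& action, const std::string& objType,
               bool useValidationMap) {
    int written = 0;
    for (const std::string& a : kActions) {
        if (action != "*" && action != a) continue;
        for (const std::string& o : kObjects) {
            if (objType != "*" && objType != o) continue;
            Cell cell(a, o);
            if (useValidationMap && kValidationMap.count(cell) == 0) continue;
            table[cell].push_back(ruleId);
            ++written;
        }
    }
    return written;
}

// Total number of cells in the table (rows x columns).
int tableCells() { return static_cast<int>(kActions.size() * kObjects.size()); }
```

For the issue's rule `acl allow bob publish * name=X routingkey=a.b.c`, the unfiltered expansion writes the rule into all five publish cells while the filtered one writes it only into publish/exchange.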