You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "Alex Rudyy (JIRA)" <ji...@apache.org> on 2012/08/03 11:04:03 UTC
[jira] [Created] (QPID-4185) update ACL example not to use
ALLOW-LOG for 'ACCESS' level manager operations in order to reduce
extraneous logging
Alex Rudyy created QPID-4185:
--------------------------------
Summary: update ACL example not to use ALLOW-LOG for 'ACCESS' level manager operations in order to reduce extraneous logging
Key: QPID-4185
URL: https://issues.apache.org/jira/browse/QPID-4185
Project: Qpid
Issue Type: Bug
Components: Java Broker
Affects Versions: 0.16
Reporter: Alex Rudyy
Assignee: Alex Rudyy
Priority: Minor
Fix For: 0.19
The etc/broker_example.acl file currently contains an example of what users probably *dont* usually want to do with regards to logging ACL events for admin management users.
By using ALLOW-LOG or DENY-LOG for all of the rules, this will have the result of logging a lot of extraneous info to do with individual JMX calls to retrieve attributes, get mbeaninfo, perform instanceof checks etc. Just having managemetn consoles (our own, Jconsole, etc) will produce a lot of log spam as a result when they poll for new info.
What most users probably want typically is to allow 'read only' events by permissioning the 'ACCESS' operations using ALLOW and then seperately permission the others with ALLOW-LOG, thus removing the noise and ensuring only operations that can actually cause change are logged, e.g:
{noformat}
ACL ALLOW admin ACCESS METHOD
ACL ALLOW-LOG admin ALL METHOD
{noformat}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
[jira] [Updated] (QPID-4185) update ACL example not to use
ALLOW-LOG for 'ACCESS' level manager operations in order to reduce
extraneous logging
Posted by "Alex Rudyy (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/QPID-4185?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alex Rudyy updated QPID-4185:
-----------------------------
Attachment: 0001-QPID-4185-modified-broker_example.acl-to-give-more-r.patch
Attached a patch resolving the issue
> update ACL example not to use ALLOW-LOG for 'ACCESS' level manager operations in order to reduce extraneous logging
> -------------------------------------------------------------------------------------------------------------------
>
> Key: QPID-4185
> URL: https://issues.apache.org/jira/browse/QPID-4185
> Project: Qpid
> Issue Type: Bug
> Components: Java Broker
> Affects Versions: 0.16
> Reporter: Alex Rudyy
> Assignee: Alex Rudyy
> Priority: Minor
> Fix For: 0.19
>
> Attachments: 0001-QPID-4185-modified-broker_example.acl-to-give-more-r.patch
>
>
> The etc/broker_example.acl file currently contains an example of what users probably *dont* usually want to do with regards to logging ACL events for admin management users.
> By using ALLOW-LOG or DENY-LOG for all of the rules, this will have the result of logging a lot of extraneous info to do with individual JMX calls to retrieve attributes, get mbeaninfo, perform instanceof checks etc. Just having managemetn consoles (our own, Jconsole, etc) will produce a lot of log spam as a result when they poll for new info.
> What most users probably want typically is to allow 'read only' events by permissioning the 'ACCESS' operations using ALLOW and then seperately permission the others with ALLOW-LOG, thus removing the noise and ensuring only operations that can actually cause change are logged, e.g:
> {noformat}
> ACL ALLOW admin ACCESS METHOD
> ACL ALLOW-LOG admin ALL METHOD
> {noformat}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
[jira] [Assigned] (QPID-4185) update ACL example not to use
ALLOW-LOG for 'ACCESS' level manager operations in order to reduce
extraneous logging
Posted by "Alex Rudyy (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/QPID-4185?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alex Rudyy reassigned QPID-4185:
--------------------------------
Assignee: Robbie Gemmell (was: Alex Rudyy)
Robbie,
Could you please review and commit the patch?
> update ACL example not to use ALLOW-LOG for 'ACCESS' level manager operations in order to reduce extraneous logging
> -------------------------------------------------------------------------------------------------------------------
>
> Key: QPID-4185
> URL: https://issues.apache.org/jira/browse/QPID-4185
> Project: Qpid
> Issue Type: Bug
> Components: Java Broker
> Affects Versions: 0.16
> Reporter: Alex Rudyy
> Assignee: Robbie Gemmell
> Priority: Minor
> Fix For: 0.19
>
> Attachments: 0001-QPID-4185-modified-broker_example.acl-to-give-more-r.patch
>
>
> The etc/broker_example.acl file currently contains an example of what users probably *dont* usually want to do with regards to logging ACL events for admin management users.
> By using ALLOW-LOG or DENY-LOG for all of the rules, this will have the result of logging a lot of extraneous info to do with individual JMX calls to retrieve attributes, get mbeaninfo, perform instanceof checks etc. Just having managemetn consoles (our own, Jconsole, etc) will produce a lot of log spam as a result when they poll for new info.
> What most users probably want typically is to allow 'read only' events by permissioning the 'ACCESS' operations using ALLOW and then seperately permission the others with ALLOW-LOG, thus removing the noise and ensuring only operations that can actually cause change are logged, e.g:
> {noformat}
> ACL ALLOW admin ACCESS METHOD
> ACL ALLOW-LOG admin ALL METHOD
> {noformat}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
[jira] [Resolved] (QPID-4185) update example ACL example to be
clearer and reduce extraneous logging from management operations
Posted by "Robbie Gemmell (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/QPID-4185?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robbie Gemmell resolved QPID-4185.
----------------------------------
Resolution: Fixed
Patch applied with some minor changes (left the DENY-LOG setting instead of DENY, for consistency with the default policy at the end, removed the pre-existing 'dead rule' example).
> update example ACL example to be clearer and reduce extraneous logging from management operations
> -------------------------------------------------------------------------------------------------
>
> Key: QPID-4185
> URL: https://issues.apache.org/jira/browse/QPID-4185
> Project: Qpid
> Issue Type: Bug
> Components: Java Broker
> Affects Versions: 0.16
> Reporter: Alex Rudyy
> Assignee: Robbie Gemmell
> Priority: Minor
> Fix For: 0.19
>
> Attachments: 0001-QPID-4185-modified-broker_example.acl-to-give-more-r.patch
>
>
> The etc/broker_example.acl file currently contains an example of what users probably *dont* usually want to do with regards to logging ACL events for admin management users.
> By using ALLOW-LOG or DENY-LOG for all of the rules, this will have the result of logging a lot of extraneous info to do with individual JMX calls to retrieve attributes, get mbeaninfo, perform instanceof checks etc. Just having managemetn consoles (our own, Jconsole, etc) will produce a lot of log spam as a result when they poll for new info.
> What most users probably want typically is to allow 'read only' events by permissioning the 'ACCESS' operations using ALLOW and then seperately permission the others with ALLOW-LOG, thus removing the noise and ensuring only operations that can actually cause change are logged, e.g:
> {noformat}
> ACL ALLOW admin ACCESS METHOD
> ACL ALLOW-LOG admin ALL METHOD
> {noformat}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
[jira] [Updated] (QPID-4185) update example ACL example to be
clearer and reduce extraneous logging from management operations
Posted by "Robbie Gemmell (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/QPID-4185?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robbie Gemmell updated QPID-4185:
---------------------------------
Summary: update example ACL example to be clearer and reduce extraneous logging from management operations (was: update ACL example not to use ALLOW-LOG for 'ACCESS' level manager operations in order to reduce extraneous logging)
> update example ACL example to be clearer and reduce extraneous logging from management operations
> -------------------------------------------------------------------------------------------------
>
> Key: QPID-4185
> URL: https://issues.apache.org/jira/browse/QPID-4185
> Project: Qpid
> Issue Type: Bug
> Components: Java Broker
> Affects Versions: 0.16
> Reporter: Alex Rudyy
> Assignee: Robbie Gemmell
> Priority: Minor
> Fix For: 0.19
>
> Attachments: 0001-QPID-4185-modified-broker_example.acl-to-give-more-r.patch
>
>
> The etc/broker_example.acl file currently contains an example of what users probably *dont* usually want to do with regards to logging ACL events for admin management users.
> By using ALLOW-LOG or DENY-LOG for all of the rules, this will have the result of logging a lot of extraneous info to do with individual JMX calls to retrieve attributes, get mbeaninfo, perform instanceof checks etc. Just having managemetn consoles (our own, Jconsole, etc) will produce a lot of log spam as a result when they poll for new info.
> What most users probably want typically is to allow 'read only' events by permissioning the 'ACCESS' operations using ALLOW and then seperately permission the others with ALLOW-LOG, thus removing the noise and ensuring only operations that can actually cause change are logged, e.g:
> {noformat}
> ACL ALLOW admin ACCESS METHOD
> ACL ALLOW-LOG admin ALL METHOD
> {noformat}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org