Posted to dev@qpid.apache.org by "Keith Wall (JIRA)" <ji...@apache.org> on 2016/01/11 18:22:39 UTC

[jira] [Created] (QPID-6986) Management: Users should not be able to view an object to which they have no access

Keith Wall created QPID-6986:
--------------------------------

             Summary: Management: Users should not be able to view an object to which they have no access
                 Key: QPID-6986
                 URL: https://issues.apache.org/jira/browse/QPID-6986
             Project: Qpid
          Issue Type: Improvement
          Components: Java Broker
            Reporter: Keith Wall
             Fix For: qpid-java-6.1


In a managed service scenario, a single Broker may host applications belonging to different groups. For management purposes, an operator needs to be able to enter the management console and check on queues, messages, exchanges etc. of his application.

However, the Broker should have the ability to restrict an operator from viewing the objects of a virtual host to which he has no access permission.  Currently the Broker enforces CRUD permissions on all objects in the hierarchy, but this does not impose restrictions on *view*.

The view restriction needs to apply to the Web Management Console and the REST-API.

An interesting case is Connections. Connections are children of a Port but become associated with a Virtualhost. A management user with access permission to a virtual host needs to be able to see the connections associated with that virtual host, even if he doesn't have permission to view the Broker or Port directly.


 



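The Connections case described in the issue, sketched as an added example (not part of the JIRA issue and not Qpid's own code): a default-deny view check in which a Connection's visibility follows its associated virtual host rather than its parent Port. The class, field and function names and the simplified Broker/Port/VirtualHost hierarchy are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical, simplified object model (not Qpid's own classes).
@dataclass(eq=False)
class ManagedObject:
    category: str                                   # Broker, Port, VirtualHost, Queue, Connection
    name: str
    parent: Optional["ManagedObject"] = None
    virtual_host: Optional["ManagedObject"] = None  # association, used by Connections

def governing_virtual_host(obj):
    """Virtual host that decides visibility of obj, or None if there is none."""
    if obj.virtual_host is not None:   # association wins over the parent (Port) chain
        return obj.virtual_host
    node = obj
    while node is not None:
        if node.category == "VirtualHost":
            return node
        node = node.parent
    return None

def can_view(granted_vhosts, obj):
    """Default deny: viewable only via a virtual host the user has access to."""
    vhost = governing_virtual_host(obj)
    return vhost is not None and vhost.name in granted_vhosts

def visible_names(granted_vhosts, objects):
    """Names a REST listing or console view would return for this user."""
    return [o.name for o in objects if can_view(granted_vhosts, o)]

def sample_hierarchy():
    """Constructed sample data: two tenants sharing one broker and one port."""
    broker = ManagedObject("Broker", "broker")
    port = ManagedObject("Port", "amqp", parent=broker)
    vh_a = ManagedObject("VirtualHost", "tenant_a", parent=broker)
    vh_b = ManagedObject("VirtualHost", "tenant_b", parent=broker)
    return [
        broker, port, vh_a, vh_b,
        ManagedObject("Queue", "orders", parent=vh_a),
        ManagedObject("Queue", "billing", parent=vh_b),
        ManagedObject("Connection", "conn-1", parent=port, virtual_host=vh_a),
        ManagedObject("Connection", "conn-2", parent=port, virtual_host=vh_b),
        ManagedObject("Connection", "conn-3", parent=port),  # not yet associated
    ]

if __name__ == "__main__":
    print(visible_names({"tenant_a"}, sample_hierarchy()))
```

The same filter would have to sit behind both the Web Management Console and the REST API so that neither path lists objects the other hides.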