Posted to dev@qpid.apache.org by "Keith Wall (JIRA)" <ji...@apache.org> on 2016/01/11 18:22:39 UTC
[jira] [Created] (QPID-6986) Management: Users should not be able to view an object to which they have no access
Keith Wall created QPID-6986:
--------------------------------
Summary: Management: Users should not be able to view an object to which they have no access
Key: QPID-6986
URL: https://issues.apache.org/jira/browse/QPID-6986
Project: Qpid
Issue Type: Improvement
Components: Java Broker
Reporter: Keith Wall
Fix For: qpid-java-6.1
In a managed service scenario, a single Broker may host applications belonging to different groups. For management purposes, an operator needs to be able to enter the management console and check on queues, messages, exchanges, etc. of his application.
However, the Broker should have the ability to restrict an operator from viewing the objects of a virtual host to which he has no access permission. Currently the Broker enforces CRUD permissions on all objects in the hierarchy, but this does not impose restrictions on *view*.
The view restriction needs to apply to the Web Management Console and the REST-API.
An interesting case is Connections. Connections are children of a Port but become associated with a Virtualhost. A management user with access permission to a virtual host needs to be able to see the connections associated with that virtual host, even if he doesn't have permission to view the Broker or Port directly.
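The view restriction requested above, including the Connection case, sketched as an added example that is not part of the original message and is not Qpid's code. The class names, the ACL map and the sample objects are hypothetical and constructed for illustration; the model assumes view permission is granted per virtual host only and uses Java 16+ records.

```java
import java.util.*;

// Hypothetical model, not Qpid's classes: filter a management listing by view permission.
public class ViewFilterExample {
    enum Kind { BROKER, PORT, VIRTUALHOST, QUEUE, CONNECTION }

    // parent      = the object's position in the configuration hierarchy
    // virtualHost = the virtual host the object belongs to or is associated with
    //               (null for Broker and Port, which sit above any virtual host)
    record Obj(Kind kind, String name, String parent, String virtualHost) {}

    // Constructed ACL: user -> virtual hosts on which the user has access permission.
    static final Map<String, Set<String>> ACCESS = Map.of(
            "alice", Set.of("vhostA"),
            "bob", Set.of("vhostB"));

    static boolean canView(String user, Obj o) {
        Set<String> hosts = ACCESS.getOrDefault(user, Set.of());
        // Default deny: an object with no virtual host (Broker, Port) stays hidden.
        // A Connection is judged by its associated virtual host, not by its parent
        // Port, so it remains visible even though the Port itself is not.
        return o.virtualHost() != null && hosts.contains(o.virtualHost());
    }

    // The same filter would back both the web console and the REST listing.
    static List<String> visibleNames(String user, List<Obj> all) {
        return all.stream().filter(o -> canView(user, o)).map(Obj::name).toList();
    }

    public static void main(String[] args) {
        List<Obj> objects = List.of(  // constructed sample hierarchy
                new Obj(Kind.BROKER, "broker", null, null),
                new Obj(Kind.PORT, "amqp", "broker", null),
                new Obj(Kind.VIRTUALHOST, "vhostA", "broker", "vhostA"),
                new Obj(Kind.VIRTUALHOST, "vhostB", "broker", "vhostB"),
                new Obj(Kind.QUEUE, "ordersA", "vhostA", "vhostA"),
                new Obj(Kind.QUEUE, "ordersB", "vhostB", "vhostB"),
                new Obj(Kind.CONNECTION, "conn-1", "amqp", "vhostA"),
                new Obj(Kind.CONNECTION, "conn-2", "amqp", "vhostB"));
        for (String user : List.of("alice", "bob", "mallory")) {
            System.out.println(user + " sees " + visibleNames(user, objects));
        }
    }
}
```

Here `alice` sees `vhostA`, `ordersA` and `conn-1` but neither the Broker nor the `amqp` Port, and a user with no ACL entry sees nothing.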