Posted to dev@qpid.apache.org by Carl Trieloff <cc...@redhat.com> on 2011/12/06 16:59:31 UTC

Re: svn commit: r1210989 - in /qpid/trunk/qpid/cpp: rubygen/ src/ src/qpid/ src/qpid/broker/ src/qpid/client/ src/qpid/cluster/ src/tests/ xml/

On 12/06/2011 10:56 AM, aconway@apache.org wrote:
> NOTE 1: If you are using an ACL, the cluster-username must be allowed to
> publish to the qpid.cluster-credentials exchange. E.g. in your ACL file:
>
> acl allow foo@QPID publish exchange name=qpid.cluster-credentials

Alan,

Why require this in ACL, seems fragile.  Why not if the cluster is
active explicitly add this rule to the ACL from the cluster model to
prevent every user starting with a broken cluster and trying to figure
out what is wrong!


Seems unfriendly and error prone, we should do this automagically.

Carl.

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org


Re: svn commit: r1210989 - in /qpid/trunk/qpid/cpp: rubygen/ src/ src/qpid/ src/qpid/broker/ src/qpid/client/ src/qpid/cluster/ src/tests/ xml/

Posted by Rajith Attapattu <ra...@gmail.com>.
On Tue, Dec 6, 2011 at 11:02 AM, Alan Conway <ac...@redhat.com> wrote:
> On 12/06/2011 10:59 AM, Carl Trieloff wrote:
>>
>> On 12/06/2011 10:56 AM, aconway@apache.org wrote:
>>>
>>> NOTE 1: If you are using an ACL, the cluster-username must be allowed to
>>> publish to the qpid.cluster-credentials exchange. E.g. in your ACL file:
>>>
>>> acl allow foo@QPID publish exchange name=qpid.cluster-credentials

One point that I want to highlight here is that, even though the qpid
user does not want to use "publish" acl, this change will force all
publishing to do an ACL lookup.
I haven't really done much testing to see how much of an overhead this imposes.
Unfortunately I don't have enough context/knowledge about Alan's work
to see if we could use a different approach to get around this.

If we go ahead with this, we should definitely release note this
prominently, as the user will have ACL lookups for publish even
though they don't have any explicit rules in the ACL file.
(Note: There is an optimization in the current ACL code to not do any
ACL lookups for publishing unless there are explicit rules around
publishing).

Regards,

Rajith

>>
>> Alan,
>>
>> Why require this in ACL, seems fragile.  Why not if the cluster is
>> active explicitly add this rule to the ACL from the cluster model to
>> prevent every user starting with a broken cluster and trying to figure
>> out what is wrong!
>>
>>
>> Seems unfriendly and error prone, we should do this automagically.
>>
>
> Fair point. I'll do that.
>
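
Added example, not Qpid's code and not from anyone in this thread: a toy C++ model of the optimization Rajith describes, showing that adding the single rule from the commit note moves every publish onto the lookup path. The `Acl` type, its `publishRules` flag, the simplified first-match rule evaluation, the deny-on-no-match default and the sample users and exchanges are assumptions for illustration.

```cpp
// Added example: toy model of the publish fast path; not Qpid code.
#include <sstream>
#include <string>
#include <vector>
// Constructed ACL files: before and after adding the rule quoted in the thread.
const char* BEFORE = "acl allow all all\n";
const char* AFTER = "acl allow foo@QPID publish exchange name=qpid.cluster-credentials\n"
                    "acl allow all all\n";

struct Rule { bool allow; std::string user, action, exchange; };
struct Acl {  // hypothetical type, for illustration only
    std::vector<Rule> rules;
    bool publishRules = false;  // assumption: set only by explicit publish rules
    int lookups = 0;            // number of slow-path evaluations
    // Parses lines shaped like: acl allow|deny <user> <action> [exchange name=<n>]
    explicit Acl(const std::string& text) {
        std::istringstream in(text);
        std::string line;
        while (std::getline(in, line)) {
            std::istringstream ls(line);
            std::string kw, perm, user, action, tok;
            if (!(ls >> kw >> perm >> user >> action) || kw != "acl") continue;
            Rule r{perm == "allow", user, action, ""};
            while (ls >> tok)
                if (tok.rfind("name=", 0) == 0) r.exchange = tok.substr(5);
            publishRules |= (action == "publish");
            rules.push_back(r);
        }
    }

    bool mayPublish(const std::string& user, const std::string& exchange) {
        if (!publishRules) return true;  // fast path: no lookup at all
        ++lookups;
        for (const Rule& r : rules) {    // first matching rule decides
            bool userOk = r.user == "all" || r.user == user;
            bool actOk = r.action == "all" || r.action == "publish";
            bool exOk = r.exchange.empty() || r.exchange == exchange;
            if (userOk && actOk && exOk) return r.allow;
        }
        return false;  // assumption: deny when no rule matches
    }
};

int main() {  // exit status 0 when only AFTER loses the fast path
    Acl before(BEFORE), after(AFTER);
    before.mayPublish("bob@QPID", "amq.direct");
    after.mayPublish("bob@QPID", "amq.direct");
    return (before.lookups == 0 && after.lookups == 1) ? 0 : 1;
}
```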



Re: svn commit: r1210989 - in /qpid/trunk/qpid/cpp: rubygen/ src/ src/qpid/ src/qpid/broker/ src/qpid/client/ src/qpid/cluster/ src/tests/ xml/

Posted by Alan Conway <ac...@redhat.com>.
On 12/06/2011 10:59 AM, Carl Trieloff wrote:
> On 12/06/2011 10:56 AM, aconway@apache.org wrote:
>> NOTE 1: If you are using an ACL, the cluster-username must be allowed to
>> publish to the qpid.cluster-credentials exchange. E.g. in your ACL file:
>>
>> acl allow foo@QPID publish exchange name=qpid.cluster-credentials
>
> Alan,
>
> Why require this in ACL, seems fragile.  Why not if the cluster is
> active explicitly add this rule to the ACL from the cluster model to
> prevent every user starting with a broken cluster and trying to figure
> out what is wrong!
>
>
> Seems unfriendly and error prone, we should do this automagically.
>

Fair point. I'll do that.
