Posted to dev@qpid.apache.org by "Andrew Kennedy (JIRA)" <qp...@incubator.apache.org> on 2010/04/23 13:52:51 UTC

[jira] Created: (QPID-2538) Add XML configuration syntax for ACLs in Java broker

Add XML configuration syntax for ACLs in Java broker
----------------------------------------------------

                 Key: QPID-2538
                 URL: https://issues.apache.org/jira/browse/QPID-2538
             Project: Qpid
          Issue Type: Task
          Components: Java Broker
            Reporter: Andrew Kennedy
             Fix For: 0.7




-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org


[jira] Commented: (QPID-2538) Add XML configuration syntax for ACLs in Java broker

Posted by "Andrew Kennedy (JIRA)" <qp...@incubator.apache.org>.
    [ https://issues.apache.org/jira/browse/QPID-2538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12861322#action_12861322 ] 

Andrew Kennedy commented on QPID-2538:
--------------------------------------

This is an example of a mapping between XML and C++ ACL syntax.

== virtualhosts.xml ==
<virtualhosts>
    <virtualhost>
        <localhost>
            <security>
                <!-- access control list (plain text AND xml) configuration -->
                <access>
                    <plugin>
                        org.apache.qpid.server.security.access.plugin.AccessControl
                    </plugin>

                    <config>
                        <!-- plain text -->
                        <plain file="${conf}/access-control" />

                        <!-- external xml c.f. firewall -->
                        <xml file="${conf}/access.xml" />

                        <!-- internal xml (alternative) -->
                        <rules>
                            <!-- acl entries ... -->
                        </rules>
                    </config>
                </access>
            </security>
        </localhost>
    </virtualhost>
</virtualhosts>
==

== access.xml ==
<rules>
    <!-- allow adk access to this virtual host -->
    <acl permission="ALLOW" identity="adk" operation="ACCESS" object="VIRTUALHOST" />

    <!-- allow creating temporary queues and queues with names matching adk.* -->
    <acl permission="ALLOW-LOG" identity="adk" operation="BIND" object="EXCHANGE">
        <properties>
            <property key="routingKey" value="adk.*" />
            <property key="name" value="amq.direct" />
        </properties>
    </acl>
    <acl permission="ALLOW-LOG" identity="adk" operation="BIND" object="EXCHANGE">
        <properties>
            <property key="routingKey" value="tmp.*" />
            <property key="name" value="amq.direct" />
        </properties>
    </acl>
    <acl permission="ALLOW" identity="adk" operation="CREATE" object="QUEUE">
        <properties>
            <property key="name" value="adk.*" />
            <property key="owner" value="adk" />
        </properties>
    </acl>
    <acl permission="ALLOW" identity="adk" operation="CREATE" object="QUEUE">
        <properties>
            <property key="temporary" value="true" />
            <property key="owner" value="adk" />
        </properties>
    </acl>

    <!-- allow publish and consume of messages on the queues -->
    <acl permission="ALLOW" identity="adk" operation="CONSUME" object="QUEUE">
        <properties>
            <property key="name" value="adk.*" />
        </properties>
    </acl>
    <acl permission="ALLOW" identity="adk" operation="PUBLISH" object="QUEUE">
        <properties>
            <property key="name" value="adk.*" />
        </properties>
    </acl>

    <!-- default deny -->
    <acl    permission="DENY" identity="ANY"
            operation="ALL" object="ALL" />
</rules>
==

== access-control ==
# allow adk access to this virtual host
ALLOW "adk@iterator" ACCESS VIRTUALHOST

# allow creating temporary queues and queues with names matching adk.*
ALLOW-LOG adk BIND EXCHANGE routingKey=adk.* name=amq.direct
ALLOW-LOG adk BIND EXCHANGE routingKey=tmp.* name=amq.direct
ALLOW adk CREATE QUEUE name=adk.* owner=adk
ALLOW adk CREATE QUEUE temporary=true owner=adk

# allow publish and consume of messages on the queues
ALLOW adk CONSUME QUEUE name=adk.*
ALLOW adk PUBLISH QUEUE name=adk.*

# default deny
DENY ANY ALL ALL
==

> Add XML configuration syntax for ACLs in Java broker
> ----------------------------------------------------
>
>                 Key: QPID-2538
>                 URL: https://issues.apache.org/jira/browse/QPID-2538
>             Project: Qpid
>          Issue Type: Sub-task
>          Components: Java Broker
>            Reporter: Andrew Kennedy
>             Fix For: 0.7
>
>
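
Added example (not part of the original thread or the Qpid code base): a small Python converter from the proposed access.xml layout to the plain-text ACL lines, following the mapping in Andrew Kennedy's comment above, plus a check that the rule list ends in the catch-all deny. The function names and the sample input are assumptions made for illustration; values containing whitespace are rejected because the thread does not define quoting rules.

```python
import xml.etree.ElementTree as ET

# Constructed sample, following the access.xml layout from the comment.
SAMPLE_XML = """<rules>
  <acl permission="ALLOW" identity="adk" operation="ACCESS" object="VIRTUALHOST" />
  <acl permission="ALLOW-LOG" identity="adk" operation="BIND" object="EXCHANGE">
    <properties>
      <property key="routingKey" value="adk.*" />
      <property key="name" value="amq.direct" />
    </properties>
  </acl>
  <acl permission="DENY" identity="ANY" operation="ALL" object="ALL" />
</rules>"""

REQUIRED = ("permission", "identity", "operation", "object")


def xml_to_plain(xml_text):
    """Return one plain-text ACL line per <acl> element, in document order."""
    root = ET.fromstring(xml_text)
    if root.tag != "rules":
        raise ValueError("expected <rules> root, got <%s>" % root.tag)
    lines = []
    for acl in root.findall("acl"):
        missing = [a for a in REQUIRED if not acl.get(a)]
        if missing:
            raise ValueError("<acl> missing attribute(s): " + ", ".join(missing))
        fields = [acl.get(a) for a in REQUIRED]
        for prop in acl.findall("properties/property"):
            key, value = prop.get("key"), prop.get("value")
            if not key or value is None:
                raise ValueError("<property> needs both key and value")
            fields.append("%s=%s" % (key, value))
        # The plain format is whitespace-delimited and the thread defines no
        # quoting rules, so refuse values that would change the field count.
        if any(len(f.split()) != 1 for f in fields):
            raise ValueError("whitespace in field: %r" % fields)
        lines.append(" ".join(fields))
    return lines


def ends_with_default_deny(lines):
    """True if the final rule is the catch-all deny used in the comment."""
    return bool(lines) and lines[-1].split() == ["DENY", "ANY", "ALL", "ALL"]


if __name__ == "__main__":
    for line in xml_to_plain(SAMPLE_XML):
        print(line)
```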




[jira] Commented: (QPID-2538) Add XML configuration syntax for ACLs in Java broker

Posted by "Rajith Attapattu (JIRA)" <qp...@incubator.apache.org>.
    [ https://issues.apache.org/jira/browse/QPID-2538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12860277#action_12860277 ] 

Rajith Attapattu commented on QPID-2538:
----------------------------------------

I'd question the value of having an XML based format.
Is there a specific reason for this?



[jira] Commented: (QPID-2538) Add XML configuration syntax for ACLs in Java broker

Posted by "Rajith Attapattu (JIRA)" <qp...@incubator.apache.org>.
    [ https://issues.apache.org/jira/browse/QPID-2538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12861395#action_12861395 ] 

Rajith Attapattu commented on QPID-2538:
----------------------------------------

Andrew,

If you think we'd make administrators' lives easy by having an XML incarnation of the ACL format then I am fine with it, although I am not convinced.
Also I am not really convinced that you need XML based config to make it look enterprisey either :)

To me the current file format is very simple, compact and less error prone than an equivalent in XML.

However I'm not going to stand in your way of supporting an XML version if you think the following is reasonable.

1. The current ACL file format is not C++ specific. We should have that as the Qpid ACL file format and supported by both brokers.

2. The XML based version is an alternative file format.



[jira] Updated: (QPID-2538) Add XML configuration syntax for ACLs in Java broker

Posted by "Andrew Kennedy (JIRA)" <qp...@incubator.apache.org>.
     [ https://issues.apache.org/jira/browse/QPID-2538?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Kennedy updated QPID-2538:
---------------------------------

        Parent: QPID-2476
    Issue Type: Sub-task  (was: Task)
