You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "Pavel Moravec (Created) (JIRA)" <ji...@apache.org> on 2012/03/09 15:40:57 UTC
[jira] [Created] (QPID-3892) ACLs shall support full regural
expressions in property values
ACLs shall support full regural expressions in property values
--------------------------------------------------------------
Key: QPID-3892
URL: https://issues.apache.org/jira/browse/QPID-3892
Project: Qpid
Issue Type: Improvement
Components: C++ Broker
Affects Versions: 0.14
Reporter: Pavel Moravec
Currently ACL syntax supports in a property value either direct match ("name=RequestQueue") or a substring match ("name=tmp.*").
That is not sufficient when authorizing access to topics. One particular example: amq.topic exchange receives messages with keys usa.sports, usa.news, europe.sports and europe.news. Currently we can not authorize access just to topics *.sports and to usa.*
As there exist different use cases where regular expressions are required in a, it is meaningful to support (full) regular expressions in ACL property values.
Since qpid C++ broker already relies on boost libraries a lot, I suggest (in a patch proposed) using boost::regex library.
I tested the attached patch on Fedora, not sure if other Linux distributions are familiar with the change in Makefile.am.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
[jira] [Commented] (QPID-3892) ACLs shall support full regural
expressions in property values
Posted by "Pavel Moravec (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/QPID-3892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13226112#comment-13226112 ]
Pavel Moravec commented on QPID-3892:
-------------------------------------
A comment to the description (did not know formatting syntax that expanded asterisks):
Current ACLs can't authorize just to <anything>.sports and to usa.<anything>
> ACLs shall support full regural expressions in property values
> --------------------------------------------------------------
>
> Key: QPID-3892
> URL: https://issues.apache.org/jira/browse/QPID-3892
> Project: Qpid
> Issue Type: Improvement
> Components: C++ Broker
> Affects Versions: 0.14
> Reporter: Pavel Moravec
> Labels: features
> Attachments: ACLs-full-regexp.patch
>
>
> Currently ACL syntax supports in a property value either direct match ("name=RequestQueue") or a substring match ("name=tmp.*").
> That is not sufficient when authorizing access to topics. One particular example: amq.topic exchange receives messages with keys usa.sports, usa.news, europe.sports and europe.news. Currently we can not authorize access just to topics *.sports and to usa.*
> As there exist different use cases where regular expressions are required in a, it is meaningful to support (full) regular expressions in ACL property values.
> Since qpid C++ broker already relies on boost libraries a lot, I suggest (in a patch proposed) using boost::regex library.
> I tested the attached patch on Fedora, not sure if other Linux distributions are familiar with the change in Makefile.am.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
[jira] [Resolved] (QPID-3892) ACLs shall support full regular
expressions in property values
Posted by "Chuck Rolke (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/QPID-3892?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Chuck Rolke resolved QPID-3892.
-------------------------------
Resolution: Fixed
Fix Version/s: 0.19
Fixed by r1361678 and r1362014.
Note that the fix does not use regex. Instead Acl code now uses the same Topic Exchange match code that the broker runtime uses. This avoids introducing new syntax (regex) in the Acl file and lets it use naturally expressed topic exchange syntax. Also this fix adds no new module to any distributions.
> ACLs shall support full regular expressions in property values
> --------------------------------------------------------------
>
> Key: QPID-3892
> URL: https://issues.apache.org/jira/browse/QPID-3892
> Project: Qpid
> Issue Type: Improvement
> Components: C++ Broker
> Affects Versions: 0.14
> Reporter: Pavel Moravec
> Assignee: Chuck Rolke
> Labels: features
> Fix For: 0.19
>
> Attachments: ACLs-full-regexp.patch
>
>
> Currently ACL syntax supports in a property value either direct match ("name=RequestQueue") or a substring match ("name=tmp.*").
> That is not sufficient when authorizing access to topics. One particular example: amq.topic exchange receives messages with keys usa.sports, usa.news, europe.sports and europe.news. Currently we can not authorize access just to topics **.sports* and to *usa.* *
> As there exist different use cases where regular expressions are required in a, it is meaningful to support (full) regular expressions in ACL property values.
> Since qpid C++ broker already relies on boost libraries a lot, I suggest (in a patch proposed) using boost::regex library.
> I tested the attached patch on Fedora, not sure if other Linux distributions are familiar with the change in Makefile.am.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
[jira] [Commented] (QPID-3892) ACLs shall support full regular
expressions in property values
Posted by "Chuck Rolke (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/QPID-3892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13229252#comment-13229252 ]
Chuck Rolke commented on QPID-3892:
-----------------------------------
Pavel Moravec has suggested changing the C++ Broker ACL syntax to use regular expressions. I think this is a great idea as it addresses a missing functionality in the current ACL wildcard syntax. I would like to elaborate on his proposal.
Plugging in his suggestion is not so straight forward:
1. It breaks the current ACL specifications.
name=tmp* would match "tm", "tmp", and "tmpp" but not "tmp2".
2. It requires a regex library such as boost::regex.
I propose to include regular expressions in the ACL property values match by:
1. Adding new keyword to the ACL file to control regex matching.
{noformat}
matchregex on
matchregex off
{noformat}
* This defaults to off and current ACL files are processed exactly as before.
* Whenever 'matchregex on' happens in the ACL file then subsequent rules are processed with the property value strings being regex match strings and not plain text strings.
* Regex matching can be turned off again with 'matchregex off'.
2. Boost_regex is added as a dependency for acl.so. I know that there has been activity not so long ago to get rid of boost_regex. However the need for more complex property value match specifications is acute.
My GCC 4.6.2 has a <tr1/regex> for compilation but it does not link so that's no good. Are there better alternatives?
Example:
An enterprise customer may wish to use:
{noformat}
acl allow dev bind exchange name=Price routingkey=Price.*.*.* queuename=TempQueue*
{noformat}
This is impossible to specify today. With regex processing the same customer could use:
{noformat}
matchregex on
acl allow dev bind exchange name=Price routingkey=Price\..*\..*\..* queuename=TempQueue.*
{noformat}
I'll complete these changes and put the up to Review Board.
-Chuck
> ACLs shall support full regular expressions in property values
> --------------------------------------------------------------
>
> Key: QPID-3892
> URL: https://issues.apache.org/jira/browse/QPID-3892
> Project: Qpid
> Issue Type: Improvement
> Components: C++ Broker
> Affects Versions: 0.14
> Reporter: Pavel Moravec
> Assignee: Chuck Rolke
> Labels: features
> Attachments: ACLs-full-regexp.patch
>
>
> Currently ACL syntax supports in a property value either direct match ("name=RequestQueue") or a substring match ("name=tmp.*").
> That is not sufficient when authorizing access to topics. One particular example: amq.topic exchange receives messages with keys usa.sports, usa.news, europe.sports and europe.news. Currently we can not authorize access just to topics **.sports* and to *usa.* *
> As there exist different use cases where regular expressions are required in a, it is meaningful to support (full) regular expressions in ACL property values.
> Since qpid C++ broker already relies on boost libraries a lot, I suggest (in a patch proposed) using boost::regex library.
> I tested the attached patch on Fedora, not sure if other Linux distributions are familiar with the change in Makefile.am.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
[jira] [Assigned] (QPID-3892) ACLs shall support full regural
expressions in property values
Posted by "Chuck Rolke (Assigned) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/QPID-3892?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Chuck Rolke reassigned QPID-3892:
---------------------------------
Assignee: Chuck Rolke
> ACLs shall support full regural expressions in property values
> --------------------------------------------------------------
>
> Key: QPID-3892
> URL: https://issues.apache.org/jira/browse/QPID-3892
> Project: Qpid
> Issue Type: Improvement
> Components: C++ Broker
> Affects Versions: 0.14
> Reporter: Pavel Moravec
> Assignee: Chuck Rolke
> Labels: features
> Attachments: ACLs-full-regexp.patch
>
>
> Currently ACL syntax supports in a property value either direct match ("name=RequestQueue") or a substring match ("name=tmp.*").
> That is not sufficient when authorizing access to topics. One particular example: amq.topic exchange receives messages with keys usa.sports, usa.news, europe.sports and europe.news. Currently we can not authorize access just to topics *.sports and to usa.*
> As there exist different use cases where regular expressions are required in a, it is meaningful to support (full) regular expressions in ACL property values.
> Since qpid C++ broker already relies on boost libraries a lot, I suggest (in a patch proposed) using boost::regex library.
> I tested the attached patch on Fedora, not sure if other Linux distributions are familiar with the change in Makefile.am.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
[jira] [Updated] (QPID-3892) ACLs shall support full regular
expressions in property values
Posted by "Chuck Rolke (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/QPID-3892?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Chuck Rolke updated QPID-3892:
------------------------------
Description:
Currently ACL syntax supports in a property value either direct match ("name=RequestQueue") or a substring match ("name=tmp.*").
That is not sufficient when authorizing access to topics. One particular example: amq.topic exchange receives messages with keys usa.sports, usa.news, europe.sports and europe.news. Currently we can not authorize access just to topics **.sports* and to *usa.* *
As there exist different use cases where regular expressions are required in a, it is meaningful to support (full) regular expressions in ACL property values.
Since qpid C++ broker already relies on boost libraries a lot, I suggest (in a patch proposed) using boost::regex library.
I tested the attached patch on Fedora, not sure if other Linux distributions are familiar with the change in Makefile.am.
was:
Currently ACL syntax supports in a property value either direct match ("name=RequestQueue") or a substring match ("name=tmp.*").
That is not sufficient when authorizing access to topics. One particular example: amq.topic exchange receives messages with keys usa.sports, usa.news, europe.sports and europe.news. Currently we can not authorize access just to topics *.sports and to usa.*
As there exist different use cases where regular expressions are required in a, it is meaningful to support (full) regular expressions in ACL property values.
Since qpid C++ broker already relies on boost libraries a lot, I suggest (in a patch proposed) using boost::regex library.
I tested the attached patch on Fedora, not sure if other Linux distributions are familiar with the change in Makefile.am.
Summary: ACLs shall support full regular expressions in property values (was: ACLs shall support full regural expressions in property values)
> ACLs shall support full regular expressions in property values
> --------------------------------------------------------------
>
> Key: QPID-3892
> URL: https://issues.apache.org/jira/browse/QPID-3892
> Project: Qpid
> Issue Type: Improvement
> Components: C++ Broker
> Affects Versions: 0.14
> Reporter: Pavel Moravec
> Assignee: Chuck Rolke
> Labels: features
> Attachments: ACLs-full-regexp.patch
>
>
> Currently ACL syntax supports in a property value either direct match ("name=RequestQueue") or a substring match ("name=tmp.*").
> That is not sufficient when authorizing access to topics. One particular example: amq.topic exchange receives messages with keys usa.sports, usa.news, europe.sports and europe.news. Currently we can not authorize access just to topics **.sports* and to *usa.* *
> As there exist different use cases where regular expressions are required in a, it is meaningful to support (full) regular expressions in ACL property values.
> Since qpid C++ broker already relies on boost libraries a lot, I suggest (in a patch proposed) using boost::regex library.
> I tested the attached patch on Fedora, not sure if other Linux distributions are familiar with the change in Makefile.am.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
[jira] [Updated] (QPID-3892) ACLs shall support full regural
expressions in property values
Posted by "Pavel Moravec (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/QPID-3892?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Pavel Moravec updated QPID-3892:
--------------------------------
Attachment: ACLs-full-regexp.patch
> ACLs shall support full regural expressions in property values
> --------------------------------------------------------------
>
> Key: QPID-3892
> URL: https://issues.apache.org/jira/browse/QPID-3892
> Project: Qpid
> Issue Type: Improvement
> Components: C++ Broker
> Affects Versions: 0.14
> Reporter: Pavel Moravec
> Labels: features
> Attachments: ACLs-full-regexp.patch
>
>
> Currently ACL syntax supports in a property value either direct match ("name=RequestQueue") or a substring match ("name=tmp.*").
> That is not sufficient when authorizing access to topics. One particular example: amq.topic exchange receives messages with keys usa.sports, usa.news, europe.sports and europe.news. Currently we can not authorize access just to topics *.sports and to usa.*
> As there exist different use cases where regular expressions are required in a, it is meaningful to support (full) regular expressions in ACL property values.
> Since qpid C++ broker already relies on boost libraries a lot, I suggest (in a patch proposed) using boost::regex library.
> I tested the attached patch on Fedora, not sure if other Linux distributions are familiar with the change in Makefile.am.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org