You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@qpid.apache.org by "Chuck Rolke (JIRA)" <ji...@apache.org> on 2012/08/14 16:51:38 UTC

[jira] [Created] (QPID-4230) C++ Broker could use username substitution keyword strings in Acl rules

Chuck Rolke created QPID-4230:
---------------------------------

             Summary: C++ Broker could use username substitution keyword strings in Acl rules
                 Key: QPID-4230
                 URL: https://issues.apache.org/jira/browse/QPID-4230
             Project: Qpid
          Issue Type: Improvement
          Components: C++ Broker
    Affects Versions: 0.19
            Reporter: Chuck Rolke
            Assignee: Chuck Rolke


Acl processing in the broker could perform username substitution into Acl rules. This would provide an easy and flexible way to constrain users.

1. Let the literal string ${user} be the keyword placed into Acl files.
2. When expanded ${user} will become the full authenticated userId such as 'bob@QPID'. Note that simply using 'bob' leads to issues distinguishing between 'bob@QPID' and 'bob@EXAMPLE.COM'.
3. Username keyword substitution is performed only on object names and in routing keys.

Acl rule file examples:

 acl allow all create  exchange name=temp-${user}
 acl allow all access  exchange name=temp-${user}
 acl allow all bind    exchange name=temp-${user}
 acl allow all unbind  exchange name=temp-${user}
 acl allow all delete  exchange name=temp-${user}
 acl allow all publish exchange name=temp-${user} routingkey=temp.${user}

 acl allow all create  queue name=temp-${user}
 acl allow all access  queue name=temp-${user}
 acl allow all purge   queue name=temp-${user}
 acl allow all consume queue name=temp-${user}
 acl allow all delete  queue name=temp-${user}

Using a rule set like this would allow all users to create a private temp- exchange and a private temp- queue bound to their user names.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org

[jira] [Resolved] (QPID-4230) C++ Broker could use username substitution keyword strings in Acl rules

Posted by "Chuck Rolke (JIRA)" <ji...@apache.org>.

     [ https://issues.apache.org/jira/browse/QPID-4230?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chuck Rolke resolved QPID-4230.
-------------------------------

       Resolution: Fixed
    Fix Version/s: 0.19

Fixed with checkins r1375195 and r1375583
                
> C++ Broker could use username substitution keyword strings in Acl rules
> -----------------------------------------------------------------------
>
>                 Key: QPID-4230
>                 URL: https://issues.apache.org/jira/browse/QPID-4230
>             Project: Qpid
>          Issue Type: Improvement
>          Components: C++ Broker
>    Affects Versions: 0.19
>            Reporter: Chuck Rolke
>            Assignee: Chuck Rolke
>             Fix For: 0.19
>
>
> Acl processing in the broker could perform username substitution into Acl rules. This would provide an easy and flexible way to constrain users.
> 1. Let the literal string ${user} be the keyword placed into Acl files.
> 2. When expanded ${user} will become the full authenticated userId such as 'bob@QPID'. Note that simply using 'bob' leads to issues distinguishing between 'bob@QPID' and 'bob@EXAMPLE.COM'.
> 3. Username keyword substitution is performed only on object names and in routing keys.
> Acl rule file examples:
>  acl allow all create  exchange name=temp-${user}
>  acl allow all access  exchange name=temp-${user}
>  acl allow all bind    exchange name=temp-${user}
>  acl allow all unbind  exchange name=temp-${user}
>  acl allow all delete  exchange name=temp-${user}
>  acl allow all publish exchange name=temp-${user} routingkey=temp.${user}
>  acl allow all create  queue name=temp-${user}
>  acl allow all access  queue name=temp-${user}
>  acl allow all purge   queue name=temp-${user}
>  acl allow all consume queue name=temp-${user}
>  acl allow all delete  queue name=temp-${user}
> Using a rule set like this would allow all users to create a private temp- exchange and a private temp- queue bound to their user names.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org

[jira] [Commented] (QPID-4230) C++ Broker could use username substitution keyword strings in Acl rules

Posted by "Chuck Rolke (JIRA)" <ji...@apache.org>.

    [ https://issues.apache.org/jira/browse/QPID-4230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13438039#comment-13438039 ] 

Chuck Rolke commented on QPID-4230:
-----------------------------------

https://reviews.apache.org/r/6645/ is the proposed implementation of this feature.

1. This patch does not change the syntax for the Acl file. It adds keyword interpretation to the Acl file content.

2. The substitution keywords are: "$\{user\}", "$\{domain\}", and "$\{userdomain\}".

3. User and domain names are normalized by replacing period "." and ampersand "@" with underscore "_".

4. For user bob.user@QPID.COM the run-time substitution values would be
{noformat}
 Keyword       Value
 ============= =================
 ${user}       bob_user
 ${domain}     QPID_COM
 ${userdomain} bob_user_QPID_COM
{noformat}

5. Keyword substitution is allowed for
* Any object name: exchange, queue, link, broker, method
* Routing keys
* Alternate exchange name
* Queue name

6. For routing key lookups the $\{userdomain\} keyword is found before either $\{user\} or $\{domain\}.
If the user presents a routing key lookup of "bob_user_QPID_COM" then it will match an Acl rule with $\{userdomain\} and not with $\{user\}_$\{domain\}.

7. Example Acl file. This example allows any user to create a private queue and exchange to which only that user may bind. The queue and exchange may have a private backup exchange and queue to which only that user may bind.

{noformat}
# Create primary queue and exchange:
#   allow predefined alternate
#   deny  any other alternate
#   allow no alternate
acl allow all create  queue    name=${userdomain}-work alternate=${userdomain}-work2
acl deny  all create  queue    name=${userdomain}-work alternate=*
acl allow all create  queue    name=${userdomain}-work
acl allow all create  exchange name=${userdomain}-work alternate=${userdomain}-work2
acl deny  all create  exchange name=${userdomain}-work alternate=*
acl allow all create  exchange name=${userdomain}-work
# Create backup queue and exchange
#   Deny any alternate
acl deny  all create  queue    name=${userdomain}-work2 alternate=*
acl allow all create  queue    name=${userdomain}-work2
acl deny  all create  exchange name=${userdomain}-work2 alternate=*
acl allow all create  exchange name=${userdomain}-work2
# Bind/unbind primary exchange
#  Use only predefined routingkey and queuename
acl allow all bind    exchange name=${userdomain}-work routingkey=${userdomain} queuename=${userdomain}-work
acl allow all unbind  exchange name=${userdomain}-work routingkey=${userdomain} queuename=${userdomain}-work
# Bind/unbind backup exchange
#  Use only predefined routingkey and queuename
acl allow all bind    exchange name=${userdomain}-work2 routingkey=${userdomain} queuename=${userdomain}-work2
acl allow all unbind  exchange name=${userdomain}-work2 routingkey=${userdomain} queuename=${userdomain}-work2
# Access primary exchange
#  Use only predefined routingkey and queuename
acl allow all access  exchange name=${userdomain}-work routingkey=${userdomain} queuename=${userdomain}-work
# Access backup exchange
#  Use only predefined routingkey and queuename
acl allow all access  exchange name=${userdomain}-work2 routingkey=${userdomain} queuename=${userdomain}-work2
# Publish primary exchange
#  Use only predefined routingkey
acl allow all publish exchange name=${userdomain}-work routingkey=${userdomain}
# Publish backup exchange
#  Use only predefined routingkey
acl allow all publish exchange name=${userdomain}-work2 routingkey=${userdomain}
# deny mode
acl deny all all
{noformat}

                
> C++ Broker could use username substitution keyword strings in Acl rules
> -----------------------------------------------------------------------
>
>                 Key: QPID-4230
>                 URL: https://issues.apache.org/jira/browse/QPID-4230
>             Project: Qpid
>          Issue Type: Improvement
>          Components: C++ Broker
>    Affects Versions: 0.19
>            Reporter: Chuck Rolke
>            Assignee: Chuck Rolke
>
> Acl processing in the broker could perform username substitution into Acl rules. This would provide an easy and flexible way to constrain users.
> 1. Let the literal string ${user} be the keyword placed into Acl files.
> 2. When expanded ${user} will become the full authenticated userId such as 'bob@QPID'. Note that simply using 'bob' leads to issues distinguishing between 'bob@QPID' and 'bob@EXAMPLE.COM'.
> 3. Username keyword substitution is performed only on object names and in routing keys.
> Acl rule file examples:
>  acl allow all create  exchange name=temp-${user}
>  acl allow all access  exchange name=temp-${user}
>  acl allow all bind    exchange name=temp-${user}
>  acl allow all unbind  exchange name=temp-${user}
>  acl allow all delete  exchange name=temp-${user}
>  acl allow all publish exchange name=temp-${user} routingkey=temp.${user}
>  acl allow all create  queue name=temp-${user}
>  acl allow all access  queue name=temp-${user}
>  acl allow all purge   queue name=temp-${user}
>  acl allow all consume queue name=temp-${user}
>  acl allow all delete  queue name=temp-${user}
> Using a rule set like this would allow all users to create a private temp- exchange and a private temp- queue bound to their user names.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org