You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by Martin Ritchie <ri...@apache.org> on 2009/01/23 16:46:22 UTC
ACLv2 domain and realm properties and file validation
Hi Carl and other C++ ACL people,
I'm planning on committing the work I have done so far on the new ACL
specification for the Java broker and there were a few questions I had
about some of the way C++ implements the ACLs as it would be great to
get both brokers operating in the same way.
I don't recall what the domani and realm values were used for in the
ACL spec or broker.
user = username[@domain[/realm]]
What does the C++ broker use domain and realm for?
Also what validation does the C++ broker do on the file?
Why do we need to declare the users in the ACL file?
Do you require all users to be specified in the ACL file before they are 'used'?
Are the objects that are referenced in the ACL file checked to ensure
they exist. i.e.
acl allow user consume queue name=ExampleQueue
Does the broker log an error or fail to start up if ExampleQueue
doesn't exist?
Regards
Martin
--
Martin Ritchie
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
Re: ACLv2 domain and realm properties and file validation
Posted by Martin Ritchie <ri...@apache.org>.
2009/1/26 Martin Ritchie <ri...@apache.org>:
> 2009/1/23 Rajith Attapattu <ra...@gmail.com>:
>> On Fri, Jan 23, 2009 at 11:14 AM, Carl Trieloff <cc...@redhat.com>wrote:
>>
>>> Martin Ritchie wrote:
>>>
>>>> Hi Carl and other C++ ACL people,
>>>>
>>>
>>> Also what validation does the C++ broker do on the file?
>>>>
>>>>
>>>
>>> See:
>>> http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/broker/AclModule.h?view=markup
>>>
>>> The validation tree is mapped in this file.
>>
>>
>> In addition to the above the following maybe of help as well.
>> The logic for reading and validating the ACL file is contained in the
>> following code.
>> http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/acl/AclReader.cpp?view=markup
>>
>> The following are some of the validations performed on an acl file.
>> The user names, groups names etc are checked for illegal characters.
>> checks if user names are properly defined with a realm.
>> Checked if group definitons are duplicated
>> Acl definitions are checked for format Ex,
>> - insuficient tokens in the definition
>> - malformed prop-value pair
>> - invalid combinations of objects/actions/properties
>> - valid acl perm,object.action or property type ..etc
>>
>> HTH.
>>
>> Regards,
>>
>> Rajith Attapattu
>> Red Hat
>> http://rajith.2rlabs.com/
>
> Thanks for the update guys, looks similar to what I've done. Will be
> good to see what tests we can share between implementations.
>
> Regards
>
> Martin
>
>
> --
> Martin Ritchie
Just thinking about virtualhosts and how they would work with the
ACLs. For example if you only wanted to grant publish to one user on
one vhost I don't see how we can do that just now. Adding a
virtualhost property seems like a way to go:
acl allow user publish routingkey=special exchange.amq.direct
virtualhost=primary
Allows the broker freedom to optimise as it sees fit rather whilst
having global rules rather than an acl file per virtualhost.
How is this dealt with in the C++ broker?
Martin
--
Martin Ritchie
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
Re: ACLv2 domain and realm properties and file validation
Posted by Rajith Attapattu <ra...@gmail.com>.
>
> Thanks for the update guys, looks similar to what I've done. Will be
> good to see what tests we can share between implementations.
>
> Regards
>
> Martin
>
> The test cases are integration type and written in python
https://svn.apache.org/repos/asf/qpid/trunk/qpid/cpp/src/tests/acl.py
https://svn.apache.org/repos/asf/qpid/trunk/qpid/cpp/src/tests/run_acl_tests
However it relies on the qpid management framework to reload the acl file,
allowing me to work with a single broker instance.
The management method also pass me any error string, allowing me to trap
error conditions.
Reusing the same infrastructure will be difficult as the java broker does
not have support for the same management functions.
But I believe the concept and the type of test cases could be used as a
series of tests under systests (which could also be run against the c++
broker).
Regards,
Rajith
Re: ACLv2 domain and realm properties and file validation
Posted by Martin Ritchie <ri...@apache.org>.
2009/1/23 Rajith Attapattu <ra...@gmail.com>:
> On Fri, Jan 23, 2009 at 11:14 AM, Carl Trieloff <cc...@redhat.com>wrote:
>
>> Martin Ritchie wrote:
>>
>>> Hi Carl and other C++ ACL people,
>>>
>>
>> Also what validation does the C++ broker do on the file?
>>>
>>>
>>
>> See:
>> http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/broker/AclModule.h?view=markup
>>
>> The validation tree is mapped in this file.
>
>
> In addition to the above the following maybe of help as well.
> The logic for reading and validating the ACL file is contained in the
> following code.
> http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/acl/AclReader.cpp?view=markup
>
> The following are some of the validations performed on an acl file.
> The user names, groups names etc are checked for illegal characters.
> checks if user names are properly defined with a realm.
> Checked if group definitons are duplicated
> Acl definitions are checked for format Ex,
> - insuficient tokens in the definition
> - malformed prop-value pair
> - invalid combinations of objects/actions/properties
> - valid acl perm,object.action or property type ..etc
>
> HTH.
>
> Regards,
>
> Rajith Attapattu
> Red Hat
> http://rajith.2rlabs.com/
Thanks for the update guys, looks similar to what I've done. Will be
good to see what tests we can share between implementations.
Regards
Martin
--
Martin Ritchie
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
Re: ACLv2 domain and realm properties and file validation
Posted by Rajith Attapattu <ra...@gmail.com>.
On Fri, Jan 23, 2009 at 11:14 AM, Carl Trieloff <cc...@redhat.com>wrote:
> Martin Ritchie wrote:
>
>> Hi Carl and other C++ ACL people,
>>
>
> Also what validation does the C++ broker do on the file?
>>
>>
>
> See:
> http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/broker/AclModule.h?view=markup
>
> The validation tree is mapped in this file.
In addition to the above the following maybe of help as well.
The logic for reading and validating the ACL file is contained in the
following code.
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/acl/AclReader.cpp?view=markup
The following are some of the validations performed on an acl file.
The user names, groups names etc are checked for illegal characters.
checks if user names are properly defined with a realm.
Checked if group definitons are duplicated
Acl definitions are checked for format Ex,
- insuficient tokens in the definition
- malformed prop-value pair
- invalid combinations of objects/actions/properties
- valid acl perm,object.action or property type ..etc
HTH.
Regards,
Rajith Attapattu
Red Hat
http://rajith.2rlabs.com/
Re: ACLv2 domain and realm properties and file validation
Posted by Carl Trieloff <cc...@redhat.com>.
Martin Ritchie wrote:
> Hi Carl and other C++ ACL people,
>
> I'm planning on committing the work I have done so far on the new ACL
> specification for the Java broker and there were a few questions I had
> about some of the way C++ implements the ACLs as it would be great to
> get both brokers operating in the same way.
>
> I don't recall what the domani and realm values were used for in the
> ACL spec or broker.
> user = username[@domain[/realm]]
>
> What does the C++ broker use domain and realm for?
>
yes, it uses them. What happens when you use a SASL, GSSAPI lib it will
add the domain
onto the id for you. So the first part is that we don't strip domains,
as that would break PMS
centralized security.
Second is it allows for cross domain systems, i.e. if I run Active
Directory for my windows
machines, and something else for my back-end in different realms.
> Also what validation does the C++ broker do on the file?
>
See:
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/broker/AclModule.h?view=markup
The validation tree is mapped in this file.
> Why do we need to declare the users in the ACL file?
>
that is optional, i.e. if you don't have integration with a PMS, you
need to specify the groups and
users somewhere.
> Do you require all users to be specified in the ACL file before they are 'used'?
>
>
users that are handled via 'all' don't have to be listed.
> Are the objects that are referenced in the ACL file checked to ensure
> they exist. i.e.
> acl allow user consume queue name=ExampleQueue
> Does the broker log an error or fail to start up if ExampleQueue
> doesn't exist?
>
>
no, the object does not have to exist at time of reading the ACL. i.e.
it can be declared post fact and
ACL will be applied to it once it exists.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org