IP White/Black lists for virtual hosts
--------------------------------------

                 Key: QPID-1583
                 URL: https://issues.apache.org/jira/browse/QPID-1583
             Project: Qpid
          Issue Type: New Feature
          Components: Java Broker
    Affects Versions: M5
            Reporter: Aidan Skinner
            Assignee: Aidan Skinner
             Fix For: M5


Having white/black lists for connecting to a virtual host would be useful.

Questions:
- need to provide an easy way for operators to maintain, secure & backup this list
- should consider what to do if the file/props etc. for this are 
corrupt/format wrong
- if possible, the security filtering this provides should be part of a 
potential chain of access REDUCING plugins so that this is easy to drop in and 
teams can potentially write their own reducing filter class and use abstraction 
to define in config for broker
- needs to be at vhost level, and potentially at queue level?

------------

Explicit allow/deny lists of connection patterns on virtualhosts in config.xml, 
existing ACL infrastructure for entities below that.

Pattern would be one of:
- IP address
- CIDR mask
- regexp on hostname

Changes would not be possible while the broker was running; the file would need to 
be edited and then the broker restarted. This avoids the necessity to consider 
what happens to existing connections which would be excluded by a new rule. 
Errors in configuration would prevent broker startup.

Implementation wise, a new IPRestriction class would extend ACLPlugin which 
listens for ConnectionOpen and checks against the list of rules.

AMQProtocolSession needs to expose access to the underlying socket. 
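The following is an added example, not code from the Qpid Java Broker or from this issue, modelling the rule evaluation the design above describes: allow/deny rules whose pattern is a single IP address, a CIDR block, or a regexp on the hostname, checked when a connection opens, with any malformed rule rejected at load time so that startup fails instead of running with a half-parsed list. The rule-file format, first-match-wins ordering, the default action and all sample values are assumptions made for the example; the issue specifies none of them.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Pattern, Tuple, Union

# Assumed rule format (constructed for this example; QPID-1583 defines none):
#     <allow|deny> <ip address | CIDR block | hostname regexp>
# Rules are evaluated in file order, the first matching rule wins, and an
# unmatched connection gets the configured default. Both are assumptions.


class RestrictionConfigError(ValueError):
    """Raised for any malformed rule, so loading (and hence startup) fails."""


@dataclass
class Rule:
    action: str                                   # "allow" or "deny"
    kind: str                                     # "ip", "cidr" or "regexp"
    value: Union[ipaddress._BaseAddress, ipaddress._BaseNetwork, Pattern]

    def matches(self, remote_ip, remote_host: Optional[str]) -> bool:
        if self.kind == "ip":
            return remote_ip == self.value
        if self.kind == "cidr":
            return remote_ip in self.value
        # Hostname regexp: only applies when a reverse-resolved name is known.
        return remote_host is not None and self.value.search(remote_host) is not None


def parse_rule(line: str, lineno: int) -> Rule:
    parts = line.split(None, 1)
    if len(parts) != 2 or parts[0] not in ("allow", "deny"):
        raise RestrictionConfigError(
            f"line {lineno}: expected '<allow|deny> <pattern>', got {line!r}")
    action, pattern = parts[0], parts[1].strip()
    # Try the pattern kinds in order: single address, CIDR block, regexp.
    try:
        return Rule(action, "ip", ipaddress.ip_address(pattern))
    except ValueError:
        pass
    if "/" in pattern:
        try:
            # strict=True rejects blocks with host bits set (e.g. 10.0.1.0/8),
            # which is almost always a typo rather than an intended rule.
            return Rule(action, "cidr", ipaddress.ip_network(pattern, strict=True))
        except ValueError as exc:
            raise RestrictionConfigError(f"line {lineno}: bad CIDR {pattern!r}: {exc}") from exc
    try:
        return Rule(action, "regexp", re.compile(pattern))
    except re.error as exc:
        raise RestrictionConfigError(f"line {lineno}: bad regexp {pattern!r}: {exc}") from exc


class IPRestriction:
    """Model of the proposed IPRestriction plugin's decision logic (not Qpid's code)."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = rules
        self.default = default

    @classmethod
    def load(cls, text: str, default: str = "deny") -> "IPRestriction":
        rules = []
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            rules.append(parse_rule(line, lineno))
        return cls(rules, default)

    def decide(self, remote_ip: str, remote_host: Optional[str] = None) -> str:
        """Called on ConnectionOpen with the peer's socket address; returns 'allow' or 'deny'."""
        ip = ipaddress.ip_address(remote_ip)
        for rule in self.rules:
            if rule.matches(ip, remote_host):
                return rule.action
        return self.default


def startup_check(text: str) -> Tuple[bool, str]:
    """Mirror 'errors in configuration prevent broker startup': (ok, message)."""
    try:
        IPRestriction.load(text)
        return True, "ok"
    except RestrictionConfigError as exc:
        return False, str(exc)


# Constructed sample rule list; the addresses and hostnames are placeholders.
SAMPLE_RULES = """
# allow one management host, block the rest of its private range,
# and allow any broker-N.corp.example peer by hostname
allow 10.0.0.5
deny 10.0.0.0/8
allow ^broker-[0-9]+\\.corp\\.example$
"""


def sample_restriction() -> IPRestriction:
    return IPRestriction.load(SAMPLE_RULES, default="deny")


if __name__ == "__main__":
    r = sample_restriction()
    for ip, host in [("10.0.0.5", None), ("10.1.2.3", None),
                     ("192.0.2.10", "broker-7.corp.example"), ("192.0.2.10", "other.example")]:
        print(ip, host, "->", r.decide(ip, host))
    print(startup_check("allow 10.0.1.0/8"))
```

Because every parse failure raises before any rule is installed, a corrupt or mis-formatted list can never be applied partially, which is the behaviour the design asks for on the "corrupt/format wrong" question; a default of deny keeps an empty or fully-commented file from silently admitting everyone.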

--- 

We may need to reconsider allowing changes to the lists while the broker is 
running. It would probably imply storing these outwith the main configuration 
file and instead having something else, potentially a properties file, which 
could be edited by the broker as it runs. 

-- 
This message is automatically generated by JIRA.