[ https://issues.apache.org/jira/browse/QPID-1583?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12666194#action_12666194 ]
Aidan Skinner commented on QPID-1583:
-------------------------------------

OK, a simpler approach which avoids problems with rule precedence could be adding a <whitelist default-action="[allow|deny]"></whitelist> element to the config file.

Elements inside <whitelist> would be <rule> or <include file="[path]"/>. <include> would read the file specified at path, which would contain an <external-whitelist host="hostname"/>. <external-whitelist> would validate its hostname against the host attribute and cause a fatal error on startup if it did not match. <external-whitelist> would contain further <rule> entries, but not <include>.

<rule> would have action, virtualhost, hostname and network attributes. Action and one of host or network would be mandatory. Virtualhost would be optional; if specified it would match one of the virtualhosts. The action attribute would be either allow or deny. host would be a regexp against which it would match the reverse DNS lookup of the connecting IP. network would be a CIDR against which the IP would be matched.

The first <rule> which matched the connection would apply. If no rules applied, the default-action would apply.

Example:

  <whitelist default-action="deny">
    <rule action="allow" hostname="*.qpid.apache.org" virtualhost="dev"/>
    <include file="/path/to/file" />
    <rule action="allow" network="192.168.1.0/24" />
    <rule action="allow" network="10.0.0.0/8" />
  </whitelist>

  <external-whitelist> <!-- in /path/to/file -->
    <rule action="deny" network="192.168.1.0/24" virtualhost="prod"/>
  </external-whitelist>

Any machine in the qpid.apache.org domain could access dev. Any machine in the 192.168.1.0/24 network would be allowed access to any virtualhost other than prod. Any machine in the 10.0.0.0/8 network would be allowed access to any virtual host. Any other machine would be denied access.
> IP White/Black lists for virtual hosts
> --------------------------------------
>
>                 Key: QPID-1583
>                 URL: https://issues.apache.org/jira/browse/QPID-1583
>             Project: Qpid
>          Issue Type: New Feature
>          Components: Java Broker
>    Affects Versions: M5
>            Reporter: Aidan Skinner
>            Assignee: Aidan Skinner
>             Fix For: M5
>
>
> Having white/black lists for connecting to a virtual host would be useful.
> Questions:
> - need to provide an easy way for operators to maintain, secure & backup this list
> - should consider what to do if the file/props etc for this are corrupt/format wrong
> - if possible, the security filtering this provides should be part of a potential chain of access REDUCING plugins so that this is easy to drop in and teams can potentially write their own reducing filter class and use abstraction to define in config for broker
> - needs to be at vhost level, and potentially at queue level ?
> ------------
> Explicit allow/deny lists of connection patterns on virtualhosts in config.xml, existing ACL infrastructure for entities below that.
> Pattern would be one of:
> IP address
> CIDR mask
> regexp on hostname
> Changes would not be possible while broker was running, the file would need to be edited and then the broker restarted. This avoids the necessity to consider what happens to existing connections which would be excluded by a new rule. Errors in configuration would prevent broker startup.
> Implementation wise, a new IPRestriction class would extend ACLPlugin which listens for ConnectionOpen and checks against the list of rules.
> AMQProtocolSession needs to expose access to the underlying socket.
> ---
> We may need to reconsider allowing changes to the lists while the broker is running. It would probably imply storing these outwith the main configuration file and instead having something else, potentially a properties file, which could be edited by the broker as it runs.

--
This message is automatically generated by JIRA.
- You can reply to this email to add a comment to the issue online.

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscr...@qpid.apache.org
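As an added example (not part of this JIRA thread and not Qpid broker code), the Python below implements the first-match evaluation the comment proposes: an ordered list of <rule> elements from <whitelist>, <include> expanded from an <external-whitelist> whose host attribute must equal the broker's own hostname (otherwise a fatal configuration error), a network rule matched as CIDR and a host rule matched as a regexp against the peer's reverse-DNS name, and default-action applied when nothing matches. Assumptions of this example: the reverse lookup has already been done and its result (or None when it failed) is passed in; include files are supplied as an in-memory {path: xml} dict instead of being read from disk; the attribute name 'hostname' is accepted as an alias of 'host' because the comment uses both; and the sample host pattern is written as a real regexp, since the comment says host is a regexp. The class and function names are this example's own, not the IPRestriction/ACLPlugin classes mentioned in the issue.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET


class WhitelistConfigError(Exception):
    """Configuration error; the comment says these are fatal at broker startup."""


class Rule:
    """One <rule>: an action plus exactly one of host (regexp) or network (CIDR)."""

    def __init__(self, elem):
        self.action = elem.get("action")
        if self.action not in ("allow", "deny"):
            raise WhitelistConfigError("rule action must be 'allow' or 'deny'")
        self.virtualhost = elem.get("virtualhost")  # optional; None matches any vhost
        # The comment names the attribute 'host' but its sample uses 'hostname';
        # accepting either spelling is an assumption of this example.
        host = elem.get("host", elem.get("hostname"))
        network = elem.get("network")
        if (host is None) == (network is None):
            raise WhitelistConfigError("rule needs exactly one of host or network")
        try:
            self.host_re = re.compile(host) if host is not None else None
            self.network = ipaddress.ip_network(network) if network is not None else None
        except (re.error, ValueError) as exc:
            raise WhitelistConfigError(f"bad rule pattern: {exc}") from exc

    def matches(self, ip, hostname, virtualhost):
        if self.virtualhost is not None and self.virtualhost != virtualhost:
            return False
        if self.network is not None:
            return ipaddress.ip_address(ip) in self.network
        # hostname is the peer's reverse-DNS name; None (lookup failed) never
        # matches a host rule, so evaluation falls through to later rules.
        return hostname is not None and self.host_re.fullmatch(hostname) is not None


class Whitelist:
    """Ordered rules parsed from <whitelist>; the first matching rule wins."""

    def __init__(self, xml_text, local_hostname, include_files):
        root = ET.fromstring(xml_text.strip())
        if root.tag != "whitelist":
            raise WhitelistConfigError("root element must be <whitelist>")
        self.default_action = root.get("default-action")
        if self.default_action not in ("allow", "deny"):
            raise WhitelistConfigError("default-action must be 'allow' or 'deny'")
        self.rules = []
        for elem in root:
            if elem.tag == "rule":
                self.rules.append(Rule(elem))
            elif elem.tag == "include":
                self.rules.extend(self._load_include(elem.get("file"), local_hostname, include_files))
            else:
                raise WhitelistConfigError(f"unexpected <{elem.tag}> in <whitelist>")

    @staticmethod
    def _load_include(path, local_hostname, include_files):
        # include_files is an in-memory {path: xml} stand-in for reading the
        # file from disk (assumption), so the example runs offline.
        if path not in include_files:
            raise WhitelistConfigError(f"include file not found: {path}")
        ext = ET.fromstring(include_files[path].strip())
        if ext.tag != "external-whitelist":
            raise WhitelistConfigError("included file must contain <external-whitelist>")
        if ext.get("host") != local_hostname:
            raise WhitelistConfigError(
                f"external-whitelist host {ext.get('host')!r} != broker host {local_hostname!r}")
        rules = []
        for elem in ext:
            if elem.tag != "rule":  # nested <include> is not permitted here
                raise WhitelistConfigError(f"<{elem.tag}> not allowed in <external-whitelist>")
            rules.append(Rule(elem))
        return rules

    def decide(self, ip, hostname, virtualhost):
        """Return 'allow' or 'deny' for a connection (first match, else default)."""
        for rule in self.rules:
            if rule.matches(ip, hostname, virtualhost):
                return rule.action
        return self.default_action


# Constructed sample config, following the comment's example (host pattern as regexp).
SAMPLE_CONFIG = r"""
<whitelist default-action="deny">
  <rule action="allow" host=".*\.qpid\.apache\.org" virtualhost="dev"/>
  <include file="/path/to/file"/>
  <rule action="allow" network="192.168.1.0/24"/>
  <rule action="allow" network="10.0.0.0/8"/>
</whitelist>
"""
SAMPLE_INCLUDES = {  # constructed stand-in for the file at /path/to/file
    "/path/to/file": """
<external-whitelist host="broker1.example">
  <rule action="deny" network="192.168.1.0/24" virtualhost="prod"/>
</external-whitelist>
""",
}


def sample_whitelist():
    """Build the sample list as if the broker's hostname were broker1.example (assumed)."""
    return Whitelist(SAMPLE_CONFIG, "broker1.example", SAMPLE_INCLUDES)


if __name__ == "__main__":
    wl = sample_whitelist()
    for ip, name, vhost in [("203.0.113.5", "build.qpid.apache.org", "dev"),
                            ("192.168.1.7", None, "prod"),
                            ("192.168.1.7", None, "dev"),
                            ("10.4.5.6", None, "prod"),
                            ("203.0.113.5", "evil.example", "dev")]:
        print(ip, name, vhost, "->", wl.decide(ip, name, vhost))
```

Running the sample reproduces the four outcomes the comment lists: a qpid.apache.org host reaches dev only, 192.168.1.0/24 reaches everything except prod because the included deny rule precedes the allow rule, 10.0.0.0/8 reaches any virtualhost, and everything else falls to the default deny. Building the list with a different local hostname raises WhitelistConfigError, which is where a broker would refuse to start.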