2009/1/26 Martin Ritchie <[email protected]>:
> 2009/1/23 Rajith Attapattu <[email protected]>:
>> On Fri, Jan 23, 2009 at 11:14 AM, Carl Trieloff <[email protected]> wrote:
>>
>>> Martin Ritchie wrote:
>>>
>>>> Hi Carl and other C++ ACL people,
>>>>
>>>
>>> Also what validation does the C++ broker do on the file?
>>>>
>>>>
>>>
>>> See:
>>> http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/broker/AclModule.h?view=markup
>>>
>>> The validation tree is mapped in this file.
>>
>>
>> In addition to the above the following may be of help as well.
>> The logic for reading and validating the ACL file is contained in the
>> following code.
>> http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/acl/AclReader.cpp?view=markup
>>
>> The following are some of the validations performed on an acl file.
>> The user names, group names etc. are checked for illegal characters.
>> Checks if user names are properly defined with a realm.
>> Checks if group definitions are duplicated.
>> Acl definitions are checked for format, e.g.
>> - insufficient tokens in the definition
>> - malformed prop-value pair
>> - invalid combinations of objects/actions/properties
>> - valid acl perm, object, action or property type, etc.
>>
>> HTH.
>>
>> Regards,
>>
>> Rajith Attapattu
>> Red Hat
>> http://rajith.2rlabs.com/
>
> Thanks for the update guys, looks similar to what I've done. Will be
> good to see what tests we can share between implementations.
>
> Regards
>
> Martin
>
>
> --
> Martin Ritchie

Just thinking about virtualhosts and how they would work with the
ACLs. For example, if you only wanted to grant publish to one user on
one vhost I don't see how we can do that just now.

Adding a virtualhost property seems like a way to go:

    acl allow user publish routingkey=special exchange.amq.direct virtualhost=primary

Allows the broker freedom to optimise as it sees fit whilst
having global rules rather than an acl file per virtualhost.

How is this dealt with in the C++ broker?

Martin

--
Martin Ritchie

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:[email protected]
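
Added example (not part of the original thread and not Qpid's code): a Python sketch of the ACL-file checks listed in the quoted reply, with the virtualhost property proposed above accepted as an ordinary rule property. The rule layout (acl <perm> <who> <action> <object> [prop=value ...]), the user@realm form, the reduced action/object/property table and every name in the sample file are assumptions made for illustration.

```python
import re

# Assumed vocabulary: action -> (objects, properties); "virtualhost" is the thread's proposal.
RULES = {"publish": ({"exchange"}, {"name", "routingkey", "virtualhost"}),
         "consume": ({"queue"}, {"name", "virtualhost"})}
USER_RE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9._-]+$")  # assumed user@realm form
SAMPLE = """\
group admins alice@QPID
group admins bob@QPID
acl allow bob@QPID publish exchange name=amq.direct routingkey=special virtualhost=primary
acl allow carol publish exchange name=amq.direct
acl deny all consume queue name
acl allow admins consume exchange name=q1
"""  # constructed input, not taken from a real broker

def check_rule(tok, groups):  # tok: tokens after "acl"; returns error strings
    if len(tok) < 4:
        return ["insufficient tokens"]
    perm, who, action, obj = tok[:4]
    if perm not in ("allow", "deny"):
        return ["invalid permission"]
    if who != "all" and who not in groups and not USER_RE.match(who):
        return ["undefined group or user name without realm"]
    if obj not in RULES.get(action, ((), ()))[0]:
        return ["invalid action/object combination"]
    out = []
    for key, sep, val in (p.partition("=") for p in tok[4:]):
        if not (key and sep and val):
            out.append("malformed prop-value pair")
        elif key not in RULES[action][1]:
            out.append(f"property {key} not valid for {action}")
    return out

def validate_acl(text):  # returns (line_number, message) for each rejected line
    errors, groups = [], set()
    for n, tok in enumerate(map(str.split, text.splitlines()), 1):
        if not tok:
            continue  # blank line
        if tok[0] == "acl":
            errors += [(n, m) for m in check_rule(tok[1:], groups)]
        elif tok[0] != "group" or len(tok) < 3:
            errors.append((n, "unknown line type or insufficient tokens"))
        elif not all(USER_RE.match(u) for u in tok[2:]):
            errors.append((n, "user name without realm"))
        elif tok[1] in groups:
            errors.append((n, "duplicate group definition"))
        else:
            groups.add(tok[1])
    return errors
```

In this sketch a rule that omits virtualhost carries no vhost restriction, so a reviewer of such a file would want to confirm that every grant meant for a single vhost names it explicitly.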
