[
https://issues.apache.org/jira/browse/QPID-2539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12866158#action_12866158
]
Rajith Attapattu commented on QPID-2539:
----------------------------------------
1. What is the purpose of CONNECT ?

ADK: An ACL that allows access to a virtual host, but no more. Only CONNECT
VIRTUALHOST makes sense for this operation.

RA: In that case why not use "ACCESS" which is already there ?

2. What is the purpose of ADMIN ?
2. What is the purpose of LOG, CONFIG and ACL ?
I think CONFIG is probably a good addition, but I'd like to understand
what exactly you had in mind.
3. Also how is LOG different from "allow-log" and "deny-log" in the current
format ?

ADK: An ACL that allows JMX (or QMF) administration to take place, where the
object being administered is either the BROKER (i.e. to retrieve queue names,
statistics, read-only attributes and so on) or CONFIG, LOG or USER. These three
are only modifiable using the admin interface, whereas the other ACL entries
apply (like CREATE QUEUE) no matter how the queue is created.

RA: We already have a BROKER object.
And we already have "METHOD" for QMF, which I think nicely covers JMX
as well.
If you need to query a queue name, then that is protected by the QUEUE
object.
In ACL, each object defines its own access control list. So I didn't
really understand the role of the "ACL" object in the context you described.
Besides, the ACL module does not add/modify users. That is the responsibility
of the authentication mechanism defined using SASL.
So not sure what the "USER" object is supposed to do.

CONFIG grants permission to reload the security config, or edit ACL lines,

RA: We need to have a mechanism to allow reloading of config files. This may
include the ACL file, security config, log config etc.
However I am wondering how much of config is going to overlap with QMF.
For example the C++ broker is using QMF to reload the ACL file.
So reloading of the ACL file is actually protected under the "METHOD"
object.
As I mentioned before, METHOD can cover both QMF and JMX. However I
really dislike the name :)
Perhaps we can have a meaningful name here. Maybe ADMIN (or MGT) instead
of METHOD ?

LOG allows changing the log4j levels and USER grants the ability to add/delete
users.

RA: Instead of using a separate top level object can we not have this under the
purview of the MGT or ADMIN (previously METHOD) object and the properties to
define the file name, log level etc.?
But I am also not really opposed to having a top level LOG object
either.
I'd be interested to hear opinions from a wider audience as well.

> Update ACL file syntax to be clearer and add extra operations
> -------------------------------------------------------------
>
> Key: QPID-2539
> URL: https://issues.apache.org/jira/browse/QPID-2539
> Project: Qpid
> Issue Type: Sub-task
> Components: Java Broker
> Reporter: Andrew Kennedy
> Fix For: 0.7
>
>