Sorry to come late to this discussion...  Just thought that I'd add
that in addition to Marnie's points below wrt virtual hosts (which in
themselves should be considered compelling), it is not completely true
to say that AMQP1-0 removes Virtual Hosts; it is just that we say that
if you do them, you should do them in a more "httpd" like way (i.e.
the notion of virtual host is tied into the host name that you believe
you have connected to).

It is still envisioned that in AMQP1-0 a single broker "process" may
be acting as if it were several independent hosts - as to whether you
would wish to manage all the ACLs for the independent hosts in the
same file... that is a different question.  The reason for doing so in
an AMQP0-x broker is that authentication is done *before* selecting
the vhost.  In 1-0 the host would potentially be selected prior to
authentication.

-- Rob

On 14 May 2010 22:33, Marnie McCormack <[email protected]> wrote:
> We have real customer requirements for both the virtual host level ACLs,
> where prod deployments restrict incoming clients to one vh only, but allow
> all artifacts on that vh for that user. We also need to retain the firewall,
> or at least the config/features, since that was a priority feature
> enhancement which we need to continue supporting.
>
> Hth,
> Marnie
>
> On Tue, May 11, 2010 at 3:37 PM, Rajith Attapattu (JIRA) <
> [email protected]> wrote:
>
>>
>>    [
>> https://issues.apache.org/jira/browse/QPID-2539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12866162#action_12866162]
>>
>> Rajith Attapattu commented on QPID-2539:
>> ----------------------------------------
>>
>> 1. I can see the value of virtual host for the current setup, but going
>> forward do we have virtual hosts in AMQP 1.0? So is it worth doing so late
>> in the game?
>>
>> I am not opposed to having a virtual host object in the ACL file as the
>> Java broker is using that.
>> The C++ broker can easily ignore it.
>> My question was more about whether it's really worth spending effort on
>> something that we know won't be there for long.
>> If you have customer requests for protecting virtual hosts with ACL then it
>> is fine (although I think this is redundant as the objects within a
>> virtual host are covered anyways).
>> But if there is no interest from the users, then I'd say don't bother.
>>
>> ADK: This is required for the Firewall plugin. Whether the Firewall plugin
>> is required is another question entirely.
>>
>> RA: Good question, Aidan and I had discussed on the qpid dev list about
>> using ACL to validate the IP addresses instead of maintaining a separate
>> firewall plugin.
>>        The C++ broker does have an outstanding JIRA for something similar
>> to the firewall plugin which we hope to implement using ACL.
>>        We were planning to have that as an optional feature to ensure
>> backwards compatibility.
>>
>>       So if you want ACL to restrict IP address you need to explicitly
>> enable it in the ACL module.
>>       The config option (Not the CONFIG object) you talked about is going
>> to be handy here.
>>
>> I am a bit swamped these days, hopefully when I get some free time, I will
>> try to put my thoughts into a wiki page to capture the requirements and
>> share some ideas with you.
>> Perhaps then we can open some more concrete JIRAs to focus on those
>> individual areas.
>>
>> > Update ACL file syntax to be clearer and add extra operations
>> > -------------------------------------------------------------
>> >
>> >                 Key: QPID-2539
>> >                 URL: https://issues.apache.org/jira/browse/QPID-2539
>> >             Project: Qpid
>> >          Issue Type: Sub-task
>> >          Components: Java Broker
>> >            Reporter: Andrew Kennedy
>> >             Fix For: 0.7
>> >
>> >
>>
>>
>>
>> ---------------------------------------------------------------------
>> Apache Qpid - AMQP Messaging Implementation
>> Project:      http://qpid.apache.org
>> Use/Interact: mailto:[email protected]
>>
>>
>
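
Added example, not part of the thread and not Qpid code: a toy Python model of the two handshake orders Rob describes, showing why a vhost-level ACL is the only per-vhost gate when authentication precedes vhost selection. The user stores, ACL table and function names are hypothetical, and the per-host user store in the 1-0 case is an assumption about how a host-first broker might be set up.

```python
# Toy model (constructed data, hypothetical names; not Qpid code): where a
# vhost-level ACL check sits relative to authentication in each handshake order.
USERS = {  # vhost -> {user: password}
    "prod": {"alice": "a-secret"},
    "test": {"bob": "b-secret"},
}
VHOST_ACL = {  # vhost -> users allowed to connect to it
    "prod": {"alice"},
    "test": {"bob"},
}

class Refused(Exception):
    """Connection refused; .stage records which handshake step refused it."""
    def __init__(self, stage):
        super().__init__(stage)
        self.stage = stage

def connect_0x(user, password, vhost):
    """AMQP 0-x order: authenticate first, vhost is named afterwards."""
    # The vhost is not known yet, so credentials are checked broker-wide.
    broker_wide = {u: p for store in USERS.values() for u, p in store.items()}
    if broker_wide.get(user) != password:
        raise Refused("authentication")
    # Only now is the vhost known; the ACL is the sole per-vhost gate.
    if user not in VHOST_ACL.get(vhost, set()):
        raise Refused("vhost-acl")
    return (user, vhost)

def connect_10(hostname, user, password):
    """1-0 order as described above: host selected first, then authenticate."""
    if hostname not in USERS:
        raise Refused("host-selection")
    # Assumption: each host has its own user store, consulted after selection.
    if USERS[hostname].get(user) != password:
        raise Refused("authentication")
    if user not in VHOST_ACL[hostname]:
        raise Refused("vhost-acl")
    return (user, hostname)

def stage_of(fn, *args):
    """Return the stage that refused the connection, or 'accepted'."""
    try:
        fn(*args)
        return "accepted"
    except Refused as e:
        return e.stage
```

In this model a valid user of `test` who asks for `prod` passes authentication under the 0-x order and is stopped only by the vhost ACL, whereas under the host-first order the same user is already refused at authentication.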
