[ https://issues.apache.org/jira/browse/QPID-8619?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17680996#comment-17680996 ]
Kyrre commented on QPID-8619:
-----------------------------
Hi,
We use the url
"/api/latest/virtualhostaccesscontrolprovider/default/<virtualhost>/default/extractRules".
This gives us the ACL as documented at
[https://qpid.apache.org/releases/qpid-broker-j-9.0.0/book/Java-Broker-Security-AccessControlProviders.html]
As for the config.json, here's a snippet from our initial config:
{code:java}
"virtualhostaccesscontrolproviders": [
  {
    "name": "default",
    "type": "RuleBased",
    "defaultResult": "DENIED",
    "rules": [
      {
        "objectType": "EXCHANGE",
        "identity": "service-providers",
        "operation": "PUBLISH",
        "outcome": "ALLOW_LOG",
        "attributes": {
          "ROUTING_KEY": "onramp",
          "NAME": ""
        }
      },
      {
        "objectType": "VIRTUALHOST",
        "identity": "service-providers",
        "operation": "ACCESS",
        "outcome": "ALLOW_LOG",
        "attributes": {
          "NAME": "localhost"
        }
      },
      {
        "objectType": "VIRTUALHOST",
        "identity": "clients-private-channels",
        "operation": "ACCESS",
        "outcome": "ALLOW_LOG",
        "attributes": {
          "NAME": "localhost"
        }
      },
      {
        "objectType": "QUEUE",
        "identity": "ALL",
        "operation": "CONSUME",
        "outcome": "ALLOW_LOG",
        "attributes": {
          "NAME": "bi-queue"
        }
      },
      {
        "objectType": "ALL",
        "identity": "ALL",
        "operation": "ALL",
        "outcome": "DENY_LOG",
        "attributes": {}
      }
    ]
  }
]
{code}
The config.json format is much easier for a client to parse, as it is a
well-known format.
> Easier ACL interface for REST management (JSON output?)
> -------------------------------------------------------
>
> Key: QPID-8619
> URL: https://issues.apache.org/jira/browse/QPID-8619
> Project: Qpid
> Issue Type: Improvement
> Components: Broker-J
> Affects Versions: qpid-java-broker-9.0.0
> Reporter: Kyrre
> Priority: Minor
>
> We use the management interface over HTTPS to create queues and exchanges, as
> well as managing ACLs to give and remove access to said queues and exchanges.
> We have lots of extra code to parse ACLs from the management interface, which
> is brittle and prone to breaking. The ACLs are stored in the config.json as
> JSON, and then transformed to a bespoke format returned to the client, which
> then has to parse this format for manipulation. Would it not be much easier
> to just return the JSON, which is a lot easier to parse?
> If there's code/clients that require the bespoke format, maybe return JSON on
> a parameter/request header?
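As an added illustration (not code from the commenter or the Qpid project), this is how a client could audit rules in the config.json shape shown in the comment once they are available as JSON. It assumes rules are evaluated in order with the first match deciding the outcome, as described in the linked access control documentation; the sample document and the `late-group` rule are constructed.

```python
import json

# Constructed sample shaped like the comment's snippet, wrapped in braces.
SAMPLE = """
{"virtualhostaccesscontrolproviders": [{
  "name": "default", "type": "RuleBased", "defaultResult": "DENIED",
  "rules": [
    {"objectType": "QUEUE", "identity": "ALL", "operation": "CONSUME",
     "outcome": "ALLOW_LOG", "attributes": {"NAME": "bi-queue"}},
    {"objectType": "ALL", "identity": "ALL", "operation": "ALL",
     "outcome": "DENY_LOG", "attributes": {}},
    {"objectType": "QUEUE", "identity": "late-group", "operation": "CONSUME",
     "outcome": "ALLOW_LOG", "attributes": {"NAME": "late-queue"}}
  ]}]}
"""

def is_catch_all(rule):
    """True for a rule matching every identity, object type and operation."""
    return (rule["identity"] == "ALL" and rule["objectType"] == "ALL"
            and rule["operation"] == "ALL" and not rule.get("attributes"))

def audit_provider(provider):
    """Return (rule_index, message) findings; index -1 means provider-level."""
    findings = []
    if provider.get("defaultResult") != "DENIED":
        findings.append((-1, "defaultResult is not DENIED"))
    catch_all_at = None
    for i, rule in enumerate(provider.get("rules", [])):
        if catch_all_at is not None:
            # Assumption: in-order, first-match evaluation, so never reached.
            findings.append((i, f"shadowed by catch-all rule {catch_all_at}"))
            continue
        if is_catch_all(rule):
            catch_all_at = i
            if rule["outcome"].startswith("ALLOW"):
                findings.append((i, "catch-all rule grants access"))
        elif rule["identity"] == "ALL" and rule["outcome"].startswith("ALLOW"):
            findings.append((i, "grant applies to every identity"))
    return findings

def audit_config(text):
    """Audit every virtual host access control provider in a JSON document."""
    config = json.loads(text)
    return {p["name"]: audit_provider(p)
            for p in config.get("virtualhostaccesscontrolproviders", [])}

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE).items():
        for index, message in findings:
            print(f"{name}: rule {index}: {message}")
```

Rule indexes in the findings are zero-based positions in the `rules` array.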