On 23 Mar 2011, at 17:53, Danushka Menikkumbura wrote:
Hi Marnie,
So, "properties" in "public Result authorise(Operation operation, ObjectType
objectType, ObjectProperties properties)" should include the vhost name? I
do not see anything like that.
Thanks,
Danushka
On Wed, Mar 23, 2011 at 10:14 PM, Marnie McCormack <[email protected]> wrote:
Hi Danushka,
The ACLs (v2) on the java broker are specified per virtual host, so the
queue permissions already have a 'namespace' effectively.
If you look at virtualhosts-systests-aclv2-settings.xml you'll see where
virtualhost level acl files get specified. Thus permissions for foo on
different vhosts get specified separately, and the call into authorise done
at the vhost level.
Danushka,
Here is an example showing what Marnie described. Suppose we have two
virtualhosts, 'test' and 'dev', with *separate* ACL files specified
in 'virtualhosts.xml' for each, contents as follows:
test ACL file:
acl allow client create queue name="client.queue"
acl allow guest create queue name="guest.queue"
dev ACL file:
acl allow guest create queue name="client.queue"
acl allow client create queue name="guest.queue"
This table shows the results of different users trying to create
queues of various names on both virtualhosts:
user    vhost  queueName     result
----    -----  ---------     ------
client  test   client.queue  yes
guest   test   guest.queue   yes
client  test   guest.queue   no
guest   test   client.queue  no
client  dev    client.queue  no
guest   dev    guest.queue   no
client  dev    guest.queue   yes
guest   dev    client.queue  yes
This works because the ACL file is associated with a virtualhost
configuration, as are broker configured entities such as queues.
However, it is also possible to specify a *global* ACL file, and the
protections specified in that file will apply to all virtual hosts,
regardless. The correct/only way to obtain the behaviour described
above is by creating an ACL file per virtualhost.
Andrew.
--
-- andrew d kennedy ? do not fold, bend, spindle, or mutilate ;
-- http://grkvlt.blogspot.com/ ? edinburgh : +44 7582 293 255 ;
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:[email protected]
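The per-virtualhost lookup described in the thread, as an added example that is not part of the original messages or the Qpid code base: the authorise call carries no vhost name because the vhost has already selected which rule set is consulted. The parser, the first-match evaluation, the default denial and all function names are assumptions of this simplified model.

```python
import shlex

# ACL file contents copied from the message above, keyed by virtualhost.
VHOST_ACLS = {
    "test": 'acl allow client create queue name="client.queue"\n'
            'acl allow guest create queue name="guest.queue"\n',
    "dev": 'acl allow guest create queue name="client.queue"\n'
           'acl allow client create queue name="guest.queue"\n',
}

def parse_acl(text):
    """Parse lines: acl <allow|deny> <user> <operation> <object> [key="value" ...]"""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)  # strips quotes and '#' comments
        if not tokens:
            continue
        if len(tokens) < 5 or tokens[0] != "acl" or tokens[1] not in ("allow", "deny"):
            raise ValueError(f"unrecognised ACL line: {line!r}")
        props = dict(tok.split("=", 1) for tok in tokens[5:])
        rules.append((tokens[1] == "allow", tuple(tokens[2:5]), props))
    return rules

def authorise(rules, user, operation, object_type, properties):
    """No vhost argument: the caller has already picked that vhost's rules.
    Assumed semantics: first matching rule decides, no match is a denial."""
    for allowed, subject, props in rules:
        if subject == (user, operation, object_type) and all(
                properties.get(k) == v for k, v in props.items()):
            return allowed
    return False

def can_create_queue(acls_by_vhost, user, vhost, queue_name):
    """The vhost only selects a rule set; an unknown vhost has no rules, so deny."""
    rules = acls_by_vhost.get(vhost, [])
    return authorise(rules, user, "create", "queue", {"name": queue_name})

def with_global_acl(text, vhosts):
    """Model of a single global ACL file: every vhost sees the same rules."""
    rules = parse_acl(text)
    return {vhost: rules for vhost in vhosts}

PER_VHOST = {vhost: parse_acl(text) for vhost, text in VHOST_ACLS.items()}
GLOBAL = with_global_acl(VHOST_ACLS["test"], ["test", "dev"])

if __name__ == "__main__":
    for vhost in ("test", "dev"):
        for user in ("client", "guest"):
            for queue in ("client.queue", "guest.queue"):
                ok = can_create_queue(PER_VHOST, user, vhost, queue)
                print(user, vhost, queue, "yes" if ok else "no")
```

With `GLOBAL`, the same user and queue name get the same answer on every virtualhost, which is why the table in the thread needs one ACL file per virtualhost.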