Hi Andrew/Marnie, Actually my question was, when SecurityPlugin.authorise() is hit for a given operation call, how do you identify the vhost? That is, how do you identify on which vhost this operation is carried out? So, for an example when it gets called for Create, Bind, Publish, etc I need to know the corresponding vhost.
Thanks,
Danushka

On Fri, Mar 25, 2011 at 3:23 AM, Andrew Kennedy <[email protected]> wrote:
> On 23 Mar 2011, at 17:53, Danushka Menikkumbura wrote:
>
>> Hi Marnie,
>>
>> So, "properties" in "public Result authorise(Operation operation, ObjectType objectType, ObjectProperties properties)" should include the vhost name? I do not see anything like that.
>>
>> Thanks,
>> Danushka
>>
>> On Wed, Mar 23, 2011 at 10:14 PM, Marnie McCormack <[email protected]> wrote:
>>
>>> Hi Danushka,
>>>
>>> The ACLs (v2) on the java broker are specified per virtual host, so the queue permissions already have a 'namespace' effectively.
>>>
>>> If you look at virtualhosts-systests-aclv2-settings.xml you'll see where virtualhost level acl files get specified. Thus permissions for foo on different vhosts get specified separately, and the call into authorise done at the vhost level.
>>>
>
> Danushka,
>
> Here is an example showing what Marnie described. Suppose we have two virtualhosts, 'test' and 'dev', with *separate* ACL files specified in 'virtualhosts.xml' for each, contents as follows:
>
> test ACL file:
> acl allow client create queue name="client.queue"
> acl allow guest create queue name="guest.queue"
>
> dev ACL file:
> acl allow guest create queue name="client.queue"
> acl allow client create queue name="guest.queue"
>
> This table shows the results of different users trying to create queues of various names on both virtualhosts:
>
> user    vhost  queueName     result
> ----    -----  ---------     ------
> client  test   client.queue  yes
> guest   test   guest.queue   yes
> client  test   guest.queue   no
> guest   test   client.queue  no
> client  dev    client.queue  no
> guest   dev    guest.queue   no
> client  dev    guest.queue   yes
> guest   dev    client.queue  yes
>
> This works because the ACL file is associated with a virtualhost configuration, as are broker configured entities such as queues. However, it is also possible to specify a *global* ACL file, and the protections specified in that file will apply to all virtual hosts, regardless. The correct/only way to obtain the behaviour described above is by creating an ACL file per virtualhost.
>
> Andrew.
> --
> -- andrew d kennedy ? do not fold, bend, spindle, or mutilate ;
> -- http://grkvlt.blogspot.com/ ? edinburgh : +44 7582 293 255 ;
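The per-vhost evaluation Andrew's table describes, written out as a small Python model. This is an added example, not the Qpid broker's own SecurityPlugin code: it parses only the `acl allow|deny <user> <operation> <object> [name="..."]` lines quoted in the thread, keeps one rule list per virtualhost, and takes the vhost as an explicit parameter of `authorise()` (the point of Danushka's question). The handling of a global ACL file (consulted first, a definite verdict there overriding the vhost file) and the default-deny for unmatched requests are assumptions of this model, not a statement of the broker's exact precedence rules.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Grammar of the rule lines quoted in the thread. Assumption: the real Qpid
# ACL grammar has more operations, object types and properties than this.
RULE_RE = re.compile(
    r'^acl\s+(?P<verb>allow|deny)\s+(?P<user>\S+)\s+(?P<op>\S+)\s+(?P<obj>\S+)'
    r'(?:\s+name="(?P<name>[^"]*)")?\s*$'
)

@dataclass(frozen=True)
class Rule:
    verb: str              # "allow" or "deny"
    user: str
    operation: str         # e.g. "create"
    object_type: str       # e.g. "queue"
    name: Optional[str]    # None means the rule matches any name

def parse_acl(text: str) -> list:
    """Parse one ACL file's text into an ordered rule list; reject unknown lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised ACL rule: {raw!r}")
        rules.append(Rule(m["verb"], m["user"], m["op"], m["obj"], m["name"]))
    return rules

def evaluate(rules, user, operation, object_type, name) -> Optional[str]:
    """First matching rule wins; returns 'allow', 'deny', or None (no rule matched)."""
    for r in rules:
        if (r.user == user and r.operation == operation
                and r.object_type == object_type
                and (r.name is None or r.name == name)):
            return r.verb
    return None

class Broker:
    """One ACL rule list per virtualhost, plus an optional global list."""

    def __init__(self, vhost_acls: dict, global_acl: Optional[str] = None):
        self.vhost_rules = {vh: parse_acl(t) for vh, t in vhost_acls.items()}
        self.global_rules = parse_acl(global_acl) if global_acl else []

    def authorise(self, vhost, user, operation, object_type, name) -> bool:
        # Assumption: a definite verdict from the global file applies to every
        # vhost; otherwise the vhost's own file decides; unmatched is denied.
        verdict = evaluate(self.global_rules, user, operation, object_type, name)
        if verdict is None:
            rules = self.vhost_rules.get(vhost, [])   # unknown vhost: no rules
            verdict = evaluate(rules, user, operation, object_type, name)
        return verdict == "allow"

# The two ACL files from the thread, embedded here as constructed input.
TEST_ACL = """\
acl allow client create queue name="client.queue"
acl allow guest create queue name="guest.queue"
"""
DEV_ACL = """\
acl allow guest create queue name="client.queue"
acl allow client create queue name="guest.queue"
"""

def example_broker(global_acl: Optional[str] = None) -> Broker:
    return Broker({"test": TEST_ACL, "dev": DEV_ACL}, global_acl)

def result_table(broker: Broker) -> list:
    """Replay the eight (user, vhost, queueName) cases from Andrew's table."""
    cases = [("client", "test", "client.queue"), ("guest", "test", "guest.queue"),
             ("client", "test", "guest.queue"),  ("guest", "test", "client.queue"),
             ("client", "dev", "client.queue"),  ("guest", "dev", "guest.queue"),
             ("client", "dev", "guest.queue"),   ("guest", "dev", "client.queue")]
    return [(u, v, q, "yes" if broker.authorise(v, u, "create", "queue", q) else "no")
            for u, v, q in cases]

if __name__ == "__main__":
    print("%-7s %-5s %-13s %s" % ("user", "vhost", "queueName", "result"))
    for row in result_table(example_broker()):
        print("%-7s %-5s %-13s %s" % row)
    # With a global deny, guest loses queue creation on both vhosts at once.
    blocked = example_broker("acl deny guest create queue\n")
    print("guest on dev with global deny:",
          blocked.authorise("dev", "guest", "create", "queue", "client.queue"))
```

Running the block prints the same eight rows as the table in the thread and then shows the global-file case: one `deny` line in the global ACL flips `guest`'s result on both `test` and `dev` without touching either vhost file, which is why a per-vhost ACL file is the only way to get vhost-specific answers.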
