On Tue, Dec 6, 2011 at 11:02 AM, Alan Conway <acon...@redhat.com> wrote:
> On 12/06/2011 10:59 AM, Carl Trieloff wrote:
>>
>> On 12/06/2011 10:56 AM, acon...@apache.org wrote:
>>>
>>> NOTE 1: If you are using an ACL, the cluster-username must be allowed to
>>> publish to the qpid.cluster-credentials exchange. E.g. in your ACL file:
>>>
>>> acl allow foo@QPID publish exchange name=qpid.cluster-credentials

One point that I want to highlight here is that, even though the qpid user does not want to use "publish" acl, this change will force all publishing to do an ACL lookup. I haven't really done much testing to see how much of an overhead this imposes. Unfortunately I don't have enough context/knowledge about Alan's work to see if we could use a different approach to get around this. If we go ahead with this, we should definitely release note this prominently, as the user will have ACL lookups for publish even though they don't have any explicit rules in the ACL file.

(Note: There is an optimization in the current ACL code to not do any ACL lookups for publishing unless there are explicit rules around publishing).

Regards,

Rajith

>>
>> Alan,
>>
>> Why require this in ACL, seems fragile. Why not if the cluster is
>> active explicitly add this rule to the ACL from the cluster model to
>> prevent every user starting with a broken cluster and trying to figure
>> out what is wrong!
>>
>>
>> Seems unfriendly and error prone, we should do this automagically.
>>
>
> Fair point. I'll do that.
>
>
> ---------------------------------------------------------------------
> Apache Qpid - AMQP Messaging Implementation
> Project: http://qpid.apache.org
> Use/Interact: mailto:dev-subscr...@qpid.apache.org