I think the proposal makes sense and I'd like to see it common to all brokers.
To date the C++ broker ACL code has used only literal text strings for host names as defined by the connection agent. Resolving network names and/or subnets adds new code. Your proposed syntax is basically OK. The C++ broker supports IPv4, IPv6, and RDMA. Could you specify the "--from-network xxxx" property more fully?

Do you think this can make it in the next release?

-Chuck

----- Original Message -----
> From: "Phil Harvey" <[email protected]>
> To: [email protected]
> Sent: Monday, September 24, 2012 11:14:48 AM
> Subject: Java broker proposal: move firewall rules into ACL file (QPID-4334)
>
> I'm working on https://issues.apache.org/jira/browse/QPID-4334 ("[Java broker] move the Firewall functionality into the ACL plugin") and want to gather opinions on the desired behaviour.
>
> My main questions are:
> - Are we happy to make this change to the Java Broker?
> - If so, what is the nicest ACL syntax for firewall rules?
>
> The motivation for this work is to:
>
> (1) rationalise our set of plugins, thus making the implementation of QPID-4335 ("[java broker] replace current plugin system with a simplified system") easier;
> (2) make life simpler for our users.
>
> I expect the second point will be more contentious, hence this email.
>
> Putting myself in the user's shoes, I believe it makes sense for access control and firewall configuration to be done in one place, using rules such as:
>
> ACL ALLOW all ACCESS VIRTUALHOST FROM-NETWORK="123.456.789/24"
> ACL DENY-LOG all ACCESS VIRTUALHOST FROM-HOSTNAME=".*\.uat.mycompany\.com"
>
> I therefore propose to enhance the "ACCESS VIRTUALHOST" ACL rule to support the same network and hostname predicates that are currently supported by the firewall Java broker plugin. This will make the firewall plugin redundant, so it will be deleted.
>
> The objections I'm anticipating are:
>
> - This will require users to modify their config when they upgrade. I think this minor inconvenience is outweighed by the motivations stated above.
>
> - This will cause the Java and C++ ACL syntax to diverge further. I don't know if this is a showstopper. I understand that this enhancement was previously discussed for the C++ broker, and I'd be particularly interested to hear current views on this from the C++ folks.
>
> Let me know what you think.
>
> Thanks
> Phil
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
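To make the proposed FROM-NETWORK and FROM-HOSTNAME predicates concrete, and to show the IPv4/IPv6 handling Chuck asks about, here is an added example evaluator. It is illustration code written for this page, not the Qpid Java broker's ACL parser or anything posted in the thread. It assumes first-match evaluation with a default deny when no rule matches, uses constructed (valid, documentation-range) addresses and hostnames in its ACL text, and anchors the hostname regex with fullmatch so a pattern such as `.*\.uat\.mycompany\.com` cannot be satisfied by a longer name that merely contains that suffix. The `rule_matches`, `check_access` and `parse_acl` names are this example's own.

```python
"""Toy evaluator for the proposed "ACCESS VIRTUALHOST FROM-NETWORK / FROM-HOSTNAME"
ACL rules. Illustration only: not the Qpid Java broker's ACL implementation."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed ACL file using the syntax proposed in the thread. Addresses,
# hostnames, identities and the trailing catch-all rule are assumptions.
ACL_TEXT = r"""
# app tier (IPv4) and ops tier (IPv6) may enter any virtualhost
ACL ALLOW all ACCESS VIRTUALHOST FROM-NETWORK="10.0.0.0/24"
ACL ALLOW all ACCESS VIRTUALHOST FROM-NETWORK="2001:db8:1::/48"
# only the "ops" identity may connect from the management subnet
ACL ALLOW ops ACCESS VIRTUALHOST FROM-NETWORK="192.0.2.0/24"
# refuse and log anything whose hostname falls in the UAT domain
ACL DENY-LOG all ACCESS VIRTUALHOST FROM-HOSTNAME=".*\.uat\.mycompany\.com"
# assumed catch-all: everything not matched above is refused and logged
ACL DENY-LOG all ACCESS VIRTUALHOST
"""

# A token is either KEY="value" (a property) or a bare word.
TOKEN_RE = re.compile(r'(?P<key>[A-Z-]+)="(?P<val>[^"]*)"|(?P<word>\S+)')


@dataclass
class Rule:
    action: str                             # ALLOW, DENY or DENY-LOG
    identity: str                           # user name, or "all"
    operation: str                          # e.g. ACCESS
    obj: str                                # e.g. VIRTUALHOST
    network: Optional[object] = None        # ipaddress network from FROM-NETWORK
    hostname: Optional[re.Pattern] = None   # compiled regex from FROM-HOSTNAME


def parse_acl(text: str) -> list:
    """Parse ACL lines into Rule objects; blank lines and '#' comments are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words, props = [], {}
        for m in TOKEN_RE.finditer(line):
            if m.group("key"):
                props[m.group("key")] = m.group("val")
            else:
                words.append(m.group("word"))
        if len(words) != 5 or words[0] != "ACL":
            raise ValueError(f"line {lineno}: expected 'ACL <action> <identity> <op> <object>'")
        rule = Rule(action=words[1], identity=words[2], operation=words[3], obj=words[4])
        for key, val in props.items():
            if key == "FROM-NETWORK":
                # ip_network() parses both IPv4 and IPv6 CIDR notation
                rule.network = ipaddress.ip_network(val, strict=False)
            elif key == "FROM-HOSTNAME":
                rule.hostname = re.compile(val)
            else:
                raise ValueError(f"line {lineno}: unknown property {key}")
        rules.append(rule)
    return rules


def rule_matches(rule: Rule, identity: str, ip, hostname: Optional[str]) -> bool:
    if rule.identity not in ("all", identity):
        return False
    if (rule.operation, rule.obj) != ("ACCESS", "VIRTUALHOST"):
        return False
    # ipaddress reports an IPv4 address as not contained in an IPv6 network
    # (and vice versa), so mixed-family rules simply fail to match.
    if rule.network is not None and ip not in rule.network:
        return False
    if rule.hostname is not None:
        # fullmatch, not search: the pattern must cover the whole name, so
        # "db.uat.mycompany.com.attacker.example" does not satisfy the UAT rule.
        # A client with no resolvable hostname cannot match a hostname rule.
        if hostname is None or rule.hostname.fullmatch(hostname) is None:
            return False
    return True


def check_access(rules, identity: str, client_ip: str, client_hostname: Optional[str] = None):
    """First matching rule decides. Returns (allowed, logged, index_of_rule_or_None)."""
    ip = ipaddress.ip_address(client_ip)
    for idx, rule in enumerate(rules):
        if rule_matches(rule, identity, ip, client_hostname):
            return rule.action == "ALLOW", rule.action == "DENY-LOG", idx
    return False, False, None  # assumed default: deny when nothing matches


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for who, ip, host in [("alice", "10.0.0.7", None),
                          ("alice", "2001:db8:1:2::9", None),
                          ("alice", "192.0.2.10", "db.uat.mycompany.com")]:
        print(who, ip, host, "->", check_access(acl, who, ip, host))
```

Two points worth noting for anyone designing the real feature: the network test is made on the peer address the broker actually observed, while the hostname test depends on a reverse lookup the broker has to perform and trust, so hostname rules are the weaker control and belong after the network rules as here; and the rule order matters because the first match wins, so a permissive FROM-NETWORK rule placed above a DENY-LOG hostname rule shadows it for clients in that subnet.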
