[jira] [Commented] (QPID-4947) C++ Broker could use ACL to restrict hosts from which a user may connect

Tue, 25 Jun 2013 07:33:06 -0700 

    [ 
https://issues.apache.org/jira/browse/QPID-4947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13693070#comment-13693070
 ] 

Chuck Rolke commented on QPID-4947:
-----------------------------------

The existing code has a per-IP-address ACL connection quota specified by a 
single value in the command line or by specification of individual users in the 
ACL file. The proposed new feature would add a new Action/Object pair to the 
ACL rule file:
{noformat}
acl allow create connection address=<address spec> [user=<user spec>]
{noformat}
Impact assessment:

||Design consideration||Proposed feature||
|Threading model|multithread - ACL structures need locks|
|Memory management|Per-IPaddress counters kept in new instance of existing 
structure|
|Automated testing approach|Existing ACL test scheme could prove this feature|
|Impact on public API|Changes ACL file syntax|
|- Interoperability with implementations in other languages|n/a|
|- Backwards compatibility|not backward compatible|
|Performance implications|Insignificant|
|Security implications|This feature is a security enhancement|
|Platform support|n/a|
|Logging|Logs in 'usual' ACL log format|
|Monitoring|Count of denied connections already exists|
|Management|no changes|

Specifying network addresses
{noformat}
individual address : 10.1.1.1
{noformat}
{noformat}
simple wildcard : 10.1.*
{noformat}
{noformat}
CIDR : 10.1.0.0/16
{noformat}

IPv6 - TBD

                
> C++ Broker could use ACL to restrict hosts from which a user may connect
> ------------------------------------------------------------------------
>
>                 Key: QPID-4947
>                 URL: https://issues.apache.org/jira/browse/QPID-4947
>             Project: Qpid
>          Issue Type: Improvement
>          Components: C++ Broker
>    Affects Versions: 0.20
>            Reporter: Chuck Rolke
>
> Currently users can connect to the broker from anywhere. This feature would 
> add administrative restrictions to allow or deny connections from individual 
> hosts or subnets.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org

Reply via email to