[
https://issues.apache.org/jira/browse/QPID-4947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14041154#comment-14041154
]
Chuck Rolke commented on QPID-4947:
-----------------------------------
h1. Address specification
{noformat}
<address-spec> ::= <address> ["-"<address>]
<address> ::= <addr>["/"<int>] (int >0, <128)
<addr> ::= <hostname> | <domainname> |
<literal IPv4> |
"["<literal IPv6>"]"
{noformat}
Users may construct a broad range of host addresses and ranges.
h1. ACL command
{noformat}
acl allow|deny create connection address=<address-spec>|* [user=<user-spec>]
{noformat}
h1. Two different limit checks.
The two forms of the command are used at two different places in the connection
creation process.
h2. No user name
The command without a user name spec is used at the socket level to stop the
socket accept. This is a highly efficient way to block a node or set of nodes
from any connection attempt.
This is a new point at which connections will be blocked and mechanisms to
implement it must be added.
The use case for this check is a simple and efficient black list or white list
of allowed client host addresses.
h2. With user name
The command with a user name spec is used much later in the connection process:
the socket is accepted and the AMQP protocol runs far enough to determine the
authenticated user name.
ACL is already called from the connection process to count connections and
possibly to block connections if a user has too many open. This test will be a
new limit to block a user at the same place that counted connections are
rejected.
The use case for this check is to limit the hosts from which a user is allowed
to connect. For example:
h3. Example with specified user name
Company example.com administers a broker. Some customers from CompanyA and
others from CompanyB have user accounts on the system. The broker ACL may be
configured with the following limits:
{noformat}
acl allow create connection address=corp.example.com user=admin*
acl allow create connection address=10.0.0.0/8 user=admin*
acl allow create connection address=192.168.0.0/16 user=admin*
acl allow create connection address=[fc00::]/7 user=admin*
acl deny create connection address=* user=admin*
acl allow create connection address=companya.com user=companyA*
acl deny create connection address=* user=companyA*
acl allow create connection address=companyb.com user=companyB*
acl deny create connection address=* user=companyB*
{noformat}
Now admin users may log in only from systems on the corporate network or local
subnet; companyA users must create connections from companya.com; and companyB
users must log in from companyb.com.
> C++ Broker could use ACL to restrict hosts from which a user may connect
> ------------------------------------------------------------------------
>
> Key: QPID-4947
> URL: https://issues.apache.org/jira/browse/QPID-4947
> Project: Qpid
> Issue Type: Improvement
> Components: C++ Broker
> Affects Versions: 0.20
> Reporter: Chuck Rolke
>
> Currently users can connect to the broker from anywhere. This feature would
> add administrative restrictions to allow or deny connections from individual
> hosts or subnets.
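The two checks proposed in the comment, worked through as an added example. This is my own Python model of the proposed semantics, not code from the Qpid C++ broker, and it makes several assumptions the comment leaves open: rules are evaluated first-match-wins with an implicit deny when nothing matches; `<user-spec>` is a shell-style glob (as `admin*` in the example suggests); a hostname or domain spec matches the client name the caller supplies (for instance from a reverse lookup) either exactly or as a parent domain; and a `-` is treated as a range separator only when both sides parse as IP literals, because hostnames such as `corp-dev.example.com` legitimately contain hyphens. The socket-level rules at the top of the ACL text are constructed for the example; the user-level rules are the ones from the comment.

```python
"""Model of 'acl allow|deny create connection address=<address-spec> [user=<user-spec>]'.

Added example: grammar and use cases follow the QPID-4947 comment; the matcher,
rule parser and all assumptions noted in the comments are my own.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

Matcher = Callable[[ipaddress._BaseAddress, Optional[str]], bool]


def parse_address_spec(spec: str) -> Matcher:
    """Compile one <address-spec> into a predicate over (client_ip, client_hostname)."""
    if spec == "*":
        return lambda ip, host: True
    # Range form "<address>-<address>": assumed to apply only to IP literals, since a
    # hostname may itself contain '-'. Anything else falls through to the other forms.
    if "-" in spec:
        lo_s, hi_s = spec.split("-", 1)
        try:
            lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        except ValueError:
            pass
        else:
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad address range: {spec}")
            return lambda ip, host: ip.version == lo.version and lo <= ip <= hi
    # Bracketed IPv6 literal with the optional prefix after the bracket: "[fc00::]/7".
    if spec.startswith("["):
        inner, _, prefix = spec.partition("]")
        net = ipaddress.ip_network(f"{inner[1:]}/{prefix.lstrip('/') or 128}", strict=False)
        return lambda ip, host: ip.version == 6 and ip in net
    # IPv4 (or unbracketed IPv6) literal with optional prefix; ip_network validates
    # the prefix length for the address family.
    try:
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        pass
    else:
        return lambda ip, host: ip.version == net.version and ip in net
    # Hostname or domain name: exact match, or the spec is a parent domain of the client name.
    name = spec.lower().rstrip(".")
    return lambda ip, host: host is not None and (
        host.lower().rstrip(".") == name or host.lower().rstrip(".").endswith("." + name)
    )


@dataclass
class Rule:
    allow: bool
    address: Matcher
    user: Optional[str]  # glob pattern; None marks a socket-level rule (no user known yet)


def parse_acl(text: str) -> list:
    """Parse 'acl allow|deny create connection address=... [user=...]' lines, in order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[:1] != ["acl"] or parts[1] not in ("allow", "deny") or parts[2:4] != ["create", "connection"]:
            raise ValueError(f"unsupported rule: {line}")
        props = dict(p.split("=", 1) for p in parts[4:])
        rules.append(Rule(parts[1] == "allow", parse_address_spec(props["address"]), props.get("user")))
    return rules


def _decide(rules, ip, host, user) -> bool:
    """First matching rule wins; no match is treated as deny (assumed default)."""
    for r in rules:
        if r.address(ip, host) and (r.user is None or fnmatch.fnmatchcase(user, r.user)):
            return r.allow
    return False


def check_socket(rules, ip_str: str, host: Optional[str] = None) -> bool:
    """Socket-accept stage: only rules without a user spec apply; nothing has been authenticated."""
    return _decide([r for r in rules if r.user is None], ipaddress.ip_address(ip_str), host, None)


def check_user(rules, ip_str: str, user: str, host: Optional[str] = None) -> bool:
    """Post-authentication stage: only rules carrying a user spec apply."""
    return _decide([r for r in rules if r.user is not None], ipaddress.ip_address(ip_str), host, user)


def connection_allowed(rules, ip_str: str, user: str, host: Optional[str] = None) -> bool:
    """A connection survives only if both stages allow it."""
    return check_socket(rules, ip_str, host) and check_user(rules, ip_str, user, host)


# Constructed ACL: three socket-level rules (a deny list with a trailing allow-all so
# unlisted hosts still reach authentication) ahead of the comment's user-level example.
ACL_TEXT = """
acl deny create connection address=203.0.113.0/24
acl deny create connection address=198.51.100.5-198.51.100.9
acl allow create connection address=*
acl allow create connection address=corp.example.com user=admin*
acl allow create connection address=10.0.0.0/8 user=admin*
acl allow create connection address=192.168.0.0/16 user=admin*
acl allow create connection address=[fc00::]/7 user=admin*
acl deny create connection address=* user=admin*
acl allow create connection address=companya.com user=companyA*
acl deny create connection address=* user=companyA*
acl allow create connection address=companyb.com user=companyB*
acl deny create connection address=* user=companyB*
"""
RULES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    print(connection_allowed(RULES, "10.20.30.40", "admin1"))                    # True
    print(connection_allowed(RULES, "203.0.113.7", "admin1", "corp.example.com"))  # False, refused at accept
```

Two points worth keeping in mind when reading the model: the hostname forms depend on a client name the broker has to obtain itself, and a reverse lookup is controlled by whoever controls the client's PTR record, so a literal-address rule is the stronger check and a hostname rule is best paired with one; and the socket-level stage is cheap precisely because it runs before any TLS or SASL work, which is what makes it suitable for shedding unwanted peers.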
--
This message was sent by Atlassian JIRA
(v6.2#6252)