[ https://issues.apache.org/jira/browse/QPID-7246?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Keith Wall updated QPID-7246:
-----------------------------
    Description: 
Make the existing ACL module realm aware.

The parser will need to be adapted to accept realm qualified user/group names.  
Currently some symbols, such as the {{=}} and {{/}} within X500 realms will 
choke the parser.  Perhaps insisting that the name is quoted will help?

Change RuleSet#isRelevant() so that applicability of the rule considers 
realm in addition to the Principal's name.

In order to ease upgrade, to allow existing ACL rules files to continue to work 
without change, it may be better to allow an instance of AccessControl to be 
associated with a default authentication provider and default group provider.  
If the ACL rule is written in terms of the identity without realm, the 
authorisation engine would fall back to either of the two associated providers, 
thus a rule {{ACL ALLOW 'fred'...}} would be treated as if it were {{ACL ALLOW 
'f...@ldap.example.com'}}.  At configuration upgrade time, if there is a 
singleton authentication provider and singleton group provider, these would be 
associated with the Access Control Provider.




  was:
Make the existing ACL module realm aware.

The parser will need to be adapted to accept realm qualified user/group names.  
Currently some symbols, such as the {{=}} and {{/}} within X500 realms will 
choke the parser.  Perhaps insisting that the name is quoted will help?

To ease upgrade, to allow existing ACL rules files to continue to work without 
change, it may be better to allow an ACL rule file to be associated with at 
most one authentication provider and at most one group provider.  If the ACL 
rule is written in terms of the identity without realm, the authorisation 
engine would fall back to either of the two associated providers.  At 
configuration upgrade time, if there is a singleton authentication provider and 
singleton group provider, these would be associated with the Access Control 
Provider.







> Make ACL module realm aware
> ---------------------------
>
>                 Key: QPID-7246
>                 URL: https://issues.apache.org/jira/browse/QPID-7246
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>            Reporter: Keith Wall
>             Fix For: qpid-java-6.1
>
>
> Make the existing ACL module realm aware.
> The parser will need to be adapted to accept realm qualified user/group 
> names.  Currently some symbols, such as the {{=}} and {{/}} within X500 
> realms will choke the parser.  Perhaps insisting that the name is quoted will 
> help?
> Change RuleSet#isRelevant() so that applicability of the rule considers 
> realm in addition to the Principal's name.
> In order to ease upgrade, to allow existing ACL rules files to continue to 
> work without change, it may be better to allow an instance of AccessControl 
> to be associated with a default authentication provider and default group 
> provider.  If the ACL rule is written in terms of the identity without 
> realm, the authorisation engine would fall back to either of the two 
> associated providers, thus a rule {{ACL ALLOW 'fred'...}} would be treated 
> as if it were {{ACL ALLOW 'f...@ldap.example.com'}}.  At configuration 
> upgrade time, if there is a singleton authentication provider and singleton 
> group provider, these would be associated with the Access Control Provider.
>  



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
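
A sketch of the behaviour this issue describes (quoted realm-qualified names, fallback to a default realm for unqualified names, and a relevance check that compares realm as well as name), added here as an example and not taken from Qpid's code. The simplified rule grammar, the '@' separator, the class and method names and the sample realms are all assumptions; it needs Java 16 or later for records.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration, not Qpid code: grammar, '@' separator and all names are assumptions.
public class RealmAwareAclSketch {
    record Identity(String name, String realm) {}
    record Rule(String outcome, Identity who) {}

    // Only a single-quoted identity is accepted, so '=' and '/' in a realm stay in one token.
    // The rest of the rule (operation, object, properties) is not interpreted here.
    private static final Pattern RULE =
            Pattern.compile("ACL\\s+(ALLOW|DENY)\\s+'([^']+)'(?:\\s.*)?");

    static Rule parse(String line, String defaultRealm) {
        Matcher m = RULE.matcher(line.trim());
        if (!m.matches()) {
            throw new IllegalArgumentException("expected a quoted identity: " + line);
        }
        String id = m.group(2);
        int at = id.indexOf('@');                       // first '@' splits name from realm
        String name = at < 0 ? id : id.substring(0, at);
        String realm = at < 0 ? defaultRealm : id.substring(at + 1);
        if (name.isEmpty() || realm == null || realm.isEmpty()) {
            throw new IllegalArgumentException("identity has no usable name or realm: " + line);
        }
        return new Rule(m.group(1), new Identity(name, realm));
    }

    // A rule applies only when both name and realm match the authenticated principal.
    static boolean isRelevant(Rule rule, Identity principal) {
        return rule.who().equals(principal);
    }

    public static void main(String[] args) {
        String defaultRealm = "ldap.example.com";      // constructed default provider realm
        String x500Realm = "/O=Example/OU=People";     // constructed realm containing '=' and '/'
        Rule legacy = parse("ACL ALLOW 'alice' ALL ALL", defaultRealm);
        Rule qualified = parse("ACL DENY 'alice@" + x500Realm + "' ALL ALL", defaultRealm);

        Identity ldapAlice = new Identity("alice", defaultRealm);
        Identity x500Alice = new Identity("alice", x500Realm);
        System.out.println("legacy rule, ldap alice:    " + isRelevant(legacy, ldapAlice));
        System.out.println("legacy rule, x500 alice:    " + isRelevant(legacy, x500Alice));
        System.out.println("qualified rule, x500 alice: " + isRelevant(qualified, x500Alice));
        try {
            parse("ACL ALLOW alice@" + x500Realm + " ALL ALL", defaultRealm);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The second line of output is the case that matters for authorisation: a same-named principal from another realm does not pick up the legacy rule.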
