Keith Wall created QPID-7935:
--------------------------------
Summary: [Java Broker] [ACL] Allow legacy ACL rule set to specify
a default result of defer
Key: QPID-7935
URL: https://issues.apache.org/jira/browse/QPID-7935
Project: Qpid
Issue Type: Improvement
Components: Java Broker
Reporter: Keith Wall
Fix For: qpid-java-broker-7.0.0

When access control providers are installed at both the Broker and VirtualHost,
the one at the VirtualHost needs to DEFER if no decision is made about an
access decision. This gives the Broker's access control provider the
opportunity to make a decision instead.

Currently, the legacy ACL file format supports a CONFIG directive that allows
the default result of the ruleset to be configured to be {{ALLOW}} or {{DENY}},
but not {{DEFER}}. If no CONFIG directive is specified, the default result is
always {{DENY}}.

If the user is using RuleBasedVirtualHostAccessControlProvider#loadFromFile to
populate their virtualhost rule-set, the user has to additionally remember to
reset the {{defaultResult}} to {{DEFER}}, otherwise the co-operation between
Broker/VirtualHost will be broken.

If the legacy ACL file format were to allow a CONFIG value of DEFER, then this
would eliminate the extra step.

The suggested changes:
# Change the legacy ACL file format to allow CONFIG to specify a default result
of DEFER.
# Improve AbstractCommonRuleBasedAccessControlProvider#extractRules so that it
writes a CONFIG directive with the default result, if it is not the default.
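
An added example, not part of the original issue and not Qpid's code: a simplified Python model of the delegation described above, showing that a VirtualHost rule set whose default result is DENY hides the Broker's rules, while DEFER lets them apply. The class and function names, the first-match rule evaluation, the final deny when nothing decides, and the sample users and rules are assumptions made for illustration.

```python
from enum import Enum


class Result(Enum):
    ALLOW = "ALLOW"
    DENY = "DENY"
    DEFER = "DEFER"


class RuleSet:
    """Ordered (user, action, outcome) rules plus a default result (simplified model)."""

    def __init__(self, rules, default_result=Result.DENY):
        self.rules = rules
        self.default_result = default_result

    def check(self, user, action):
        # Assumption: the first matching rule decides; "ALL" is a wildcard.
        for rule_user, rule_action, outcome in self.rules:
            if rule_user in (user, "ALL") and rule_action in (action, "ALL"):
                return outcome
        return self.default_result


def authorise(user, action, virtualhost_rules, broker_rules):
    """Consult the VirtualHost provider first; the Broker is asked only on DEFER."""
    result = virtualhost_rules.check(user, action)
    if result is Result.DEFER:
        result = broker_rules.check(user, action)
    # Assumption: if neither provider decides, access is denied.
    return Result.DENY if result is Result.DEFER else result


# Constructed sample rules: the Broker grants "admin" everything,
# the VirtualHost only knows about "app" publishing.
BROKER_RULES = RuleSet([("admin", "ALL", Result.ALLOW)], Result.DENY)
VHOST_RULE_LIST = [("app", "PUBLISH", Result.ALLOW)]

# Rule set loaded without resetting defaultResult: default stays DENY.
VHOST_DEFAULT_DENY = RuleSet(VHOST_RULE_LIST, Result.DENY)
# Rule set with the default result set to DEFER, as the issue proposes to allow.
VHOST_DEFAULT_DEFER = RuleSet(VHOST_RULE_LIST, Result.DEFER)

if __name__ == "__main__":
    for name, vhost in (("DENY", VHOST_DEFAULT_DENY), ("DEFER", VHOST_DEFAULT_DEFER)):
        for user, action in (("admin", "CONSUME"), ("app", "PUBLISH"), ("guest", "CONSUME")):
            outcome = authorise(user, action, vhost, BROKER_RULES)
            print(f"vhost default {name}: {user} {action} -> {outcome.value}")
```

In this model the only request whose outcome changes between the two defaults is the one the VirtualHost rule set has no rule for but the Broker does.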