[
https://issues.apache.org/jira/browse/QPID-7935?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Keith Wall updated QPID-7935:
-----------------------------
Fix Version/s: (was: qpid-java-broker-7.0.0)
> [Java Broker] [ACL] Allow legacy ACL rule set to specify a default result of
> defer
> ----------------------------------------------------------------------------------
>
> Key: QPID-7935
> URL: https://issues.apache.org/jira/browse/QPID-7935
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Keith Wall
>
> When access control providers are installed at both the Broker and
> VirtualHost, the one at the VirtualHost needs to DEFER if no decision is made
> about an access decision. This gives the Broker's access control provider
> the opportunity to make a decision instead.
> Currently, the legacy ACL file format supports a CONFIG directive that allows
> the default result of the ruleset to be configured to be {{ALLOW}} or
> {{DENY}}, but not {{DEFER}}. If no CONFIG directive is specified the default
> result is always {{DENY}}.
> If the user is using RuleBasedVirtualHostAccessControlProvider#loadFromFile
> to populate their virtualhost rule-set, the user has to additionally
> remember to reset the {{defaultResult}} to {{DEFER}}, otherwise the
> co-operation between Broker/VirtualHost will be broken.
> If the legacy ACL file format were to allow a CONFIG value of DEFER, then
> this would eliminate the extra step.
> The suggested changes:
> # Change the legacy ACL file format to allow CONFIG to specify a default
> result of DEFER.
> # Improve AbstractCommonRuleBasedAccessControlProvider#extractRules so that
> it writes a CONFIG directive within the default result, if it is not the
> default.
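The Broker/VirtualHost co-operation described in the issue, as an added example that is not part of the original message and is not Qpid code: a simplified model showing that a VirtualHost rule set whose default result is DENY never lets the Broker's rules be consulted, while a default of DEFER does. `RuleSet`, `authorise`, the user and action names, and the deny-when-every-provider-defers behaviour are assumptions of this model.

```java
import java.util.List;
import java.util.Map;

// Simplified model for illustration; none of these types are Qpid classes.
public class DeferDemo {
    enum Result { ALLOW, DENY, DEFER }

    // Hypothetical rule set: explicit "user:action" rules plus a default result
    // that applies when no rule matches.
    record RuleSet(Map<String, Result> rules, Result defaultResult) {
        Result check(String user, String action) {
            return rules.getOrDefault(user + ":" + action, defaultResult);
        }
    }

    // Consult the VirtualHost provider first, then the Broker provider.
    // The first result other than DEFER is final. Assumption of this model:
    // if every provider defers, the request is denied.
    static Result authorise(List<RuleSet> chain, String user, String action) {
        for (RuleSet provider : chain) {
            Result r = provider.check(user, action);
            if (r != Result.DEFER) {
                return r;
            }
        }
        return Result.DENY;
    }

    public static void main(String[] args) {
        // Constructed sample rules.
        RuleSet broker = new RuleSet(Map.of("admin:CONSUME", Result.ALLOW), Result.DENY);
        Map<String, Result> vhostRules = Map.of("app:PUBLISH", Result.ALLOW);

        // Rule set whose default result was left at DENY.
        RuleSet vhostDeny = new RuleSet(vhostRules, Result.DENY);
        // Same rules with the default result reset to DEFER.
        RuleSet vhostDefer = new RuleSet(vhostRules, Result.DEFER);

        // "admin" is only known to the Broker's rules.
        System.out.println("vhost default DENY:  "
                + authorise(List.of(vhostDeny, broker), "admin", "CONSUME"));
        System.out.println("vhost default DEFER: "
                + authorise(List.of(vhostDefer, broker), "admin", "CONSUME"));
        // A vhost rule that matches still decides without reaching the Broker.
        System.out.println("vhost rule match:    "
                + authorise(List.of(vhostDefer, broker), "app", "PUBLISH"));
    }
}
```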