Martin,

I found the permissions etc. and that seems fine. I agree that negative
permissions would be nice to add.

One thing I did not like at first sight was the ACL in the XML file. It is
very verbose and hard to read to do very little. That would be the one
thing I would be highly tempted to change to a more editable/readable
format. (no ideas yet)

I was thinking to create an ACL plugin interface, we could support the same
rules. I would like to have a more compact file format for the file
plug-in, and then would also like to write a plug-in for centralized ACL
management (from IPA / AD etc.).

Thoughts on trying for a more readable/compact ACL format?

Carl.


Martin Ritchie wrote:
Hi Carl,

Have been out on holiday the last few days. I've been trying to find
some time to put up some documentation about the ACLs that have been
started on the Java Broker.

The various permissions in the Java broker
(server.security.access.Permission) have not all been implemented. The
focus was to provide a business friendly configuration so that end
users did not need to know if someone should have bind or unbind
permissions.

One thing that is currently missing from the configuration is the
ability to have 'Negative Permissions'. It would be good to be able to
state that user X is not allowed ACCESS to Virtualhost Y, rather than
specifying all the users that ARE allowed ACCESS to Virtualhost Y.

It would be good if we could co-ordinate to ensure we have
interoperable configuration between the Qpid brokers. This would be
beneficial for our users as they would not need to worry about
converting any config between brokers. It would also make testing a
lot easier as we can write an ACL test in a client along with a
configuration which we can then instruct the target broker to run
with. Currently the Java SimpleACLTest only provides the configuration
to the InVM broker but it would be a logical next step to convert it
to use the QpidTestCase model. For this to work however we would need
to provide the ACL configuration hence if it was the same config for
all Qpid Brokers then it would make that testing much simpler.

Having looked through what the Java does, do you have any comments /
feedback? I don't know of anyone that is using this functionality yet
so before it is documented and then potentially used it would be good
to come to a solution that we are all happy to use in the Qpid
Brokers.

Regards

Martin

2008/7/22 Carl Trieloff <[EMAIL PROTECTED]>:
I have worked through the Java code and it looks like we can just re-use
what it does for C++ broker also for ACL. Those that worked on it, was
there anything lacking or you wish was different?


Carl Trieloff wrote:
I understand that the Java broker has some sort of RBAC implemented. Are
there any notes so that we can copy / extend / crib ... the scheme for C++
broker?

Thanks
Carl.



