Martin Ritchie wrote:
2008/9/24 Carl Trieloff <[EMAIL PROTECTED]>:
Martin Ritchie wrote:
2008/9/17 Carl Trieloff <[EMAIL PROTECTED]>:
http://cwiki.apache.org/qpid/acl.html

I am going to replace bind/unbind with create/delete in the ACL file format. Mail to serve as FYI notification as they are equivalent.

Carl.

Hi Carl,

Just catching up on all my emails after a nice long break :)

Are you also going to add a new object for bindings so you 'create/delete binding'? Can you give us an example of a before and after ACL entry?

Also noticed your update to the ACL page:

[EMAIL PROTECTED]

Is the '@QPID' some namespace definition? Currently the Java broker takes the username token to be the value provided by the client connection. IIRC you can't have an @ in the AMQP username.

Cheers
Martin

Martin,

I have not made that change yet as I was debating it a bit. But the idea would be to add an object called a binding. In thinking it through it is not entirely functionally equivalent, so I backed out of the change.

Having the operations on exchange means that you can generically lock down an exchange and not have to apply ACL to all the binding objects. So unless I can figure out the above use case, I think it is better to leave it as it is.

On the @ identifier, that is [EMAIL PROTECTED]/realm. So yes, it is the userid as supplied when using SASL with the domain not stripped (for Cyrus).

You say you can't have an @, is that in the spec? If so that is a bug in the spec. It is needed for Kerberos or any domained security model.

My mistake.. it just says it is a shortstr; I thought there was something else to it. Add in handling for the userid format if you can confirm this is correct:

userid = username[@<domain>[/<realm>]]
username =
domain =
realm =

Hopefully I'll get some time to finish off the new Java Broker ACL work. Testing is the hardest part so any suggestions on automating it would be greatly appreciated.

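A parser for the userid shape Martin sketches above, added here as an example; it is not code from the thread or from the Qpid brokers. The thread leaves `username`, `domain` and `realm` undefined, so the component rules are assumptions: the first '@' separates username from domain, the first '/' after it separates domain from realm, and no component may be empty or contain a further '@' or '/'. `acl_token` reassembles the full string with the domain kept, as Carl says the SASL-supplied userid is used without stripping.

```python
from typing import NamedTuple, Optional


class UserId(NamedTuple):
    username: str
    domain: Optional[str]
    realm: Optional[str]


def _component(name: str, value: str, userid: str) -> str:
    # Assumed rule: every component is non-empty and free of '@' and '/'.
    if not value or "@" in value or "/" in value:
        raise ValueError(f"malformed {name} in userid {userid!r}")
    return value


def parse_userid(userid: str) -> UserId:
    """Split a SASL userid of the form username[@<domain>[/<realm>]]."""
    if not userid or userid != userid.strip():
        raise ValueError(f"malformed userid: {userid!r}")
    username, at, rest = userid.partition("@")
    _component("username", username, userid)
    if not at:
        return UserId(username, None, None)
    domain, slash, realm = rest.partition("/")
    _component("domain", domain, userid)
    if not slash:
        return UserId(username, domain, None)
    _component("realm", realm, userid)
    return UserId(username, domain, realm)


def acl_token(uid: UserId) -> str:
    """The token an ACL entry is compared against: the full userid with the
    domain (and realm) kept rather than stripped down to the bare username."""
    token = uid.username
    if uid.domain is not None:
        token += "@" + uid.domain
        if uid.realm is not None:
            token += "/" + uid.realm
    return token


def is_valid_userid(userid: str) -> bool:
    """Accept/reject check suitable for use at connection time."""
    try:
        parse_userid(userid)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for sample in ("bob", "bob@QPID", "bob@EXAMPLE.COM/EXAMPLE.COM", "bob@", "@QPID"):
        print(sample, "->", parse_userid(sample) if is_valid_userid(sample) else "rejected")
```

Rejecting a second '@' or a trailing empty realm matters because the ACL compares the whole token: an identity that parses ambiguously could be matched by an entry the operator did not intend.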
For testing, I think I might have an approach... the idea is to create a python client that will run through all the combos of actions and objects, and test each action both ways (allow & deny) by having a set of ACL files that get reloaded via the mgmt commands from the same client.

Not written yet, but that is my current idea to automate it.

Carl.
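A sketch of the matrix harness Carl describes, added here as an example and not code from the thread or from Qpid. The action and object vocabularies, the `acl <permission> <user> <action> <object>` line shape, the trailing `acl deny all all` catch-all and the first-match, default-deny evaluation are all assumptions for this example. `run_matrix` takes an `attempt` callback in place of the management reload and client operation, and `evaluate` is an offline stand-in for the broker so the harness runs as-is; beyond testing each action both ways it also checks that an allow for one action/object does not leak to any other.

```python
import itertools
from typing import Callable, List, Tuple

# Constructed vocabularies for the example; the real sets come from the ACL page.
ACTIONS = ("create", "delete", "bind", "unbind")
OBJECTS = ("queue", "exchange")
PERMISSIONS = ("allow", "deny")

Case = Tuple[str, str, str, bool]  # (acl file text, action, object, expected allowed)


def acl_file_for(user: str, permission: str, action: str, obj: str) -> str:
    """One ACL file that allows or denies exactly one action/object for `user`
    and denies everything else (assumed line shape and catch-all)."""
    return f"acl {permission} {user} {action} {obj}\nacl deny all all\n"


def build_matrix(user: str) -> List[Case]:
    """Every (permission, action, object) combination with its expected outcome."""
    return [
        (acl_file_for(user, perm, action, obj), action, obj, perm == "allow")
        for perm, action, obj in itertools.product(PERMISSIONS, ACTIONS, OBJECTS)
    ]


def run_matrix(user: str, attempt: Callable[[str, str, str], bool]) -> List[str]:
    """Drive attempt(acl_text, action, obj) over the matrix and return failures.

    A real harness would reload acl_text over management and try the operation
    from the same client. Two checks per file: the targeted action/object comes
    out as expected, and every other action/object is denied (no leakage).
    """
    failures = []
    for acl_text, action, obj, expected in build_matrix(user):
        if attempt(acl_text, action, obj) != expected:
            failures.append(f"{action} {obj}: expected {'allow' if expected else 'deny'}")
        for other_action, other_obj in itertools.product(ACTIONS, OBJECTS):
            if (other_action, other_obj) == (action, obj):
                continue
            if attempt(acl_text, other_action, other_obj):
                failures.append(f"{other_action} {other_obj} leaked through file for {action} {obj}")
    return failures


def evaluate(acl_text: str, user: str, action: str, obj: str) -> bool:
    """Offline stand-in for the broker's ACL check: first matching rule wins,
    no match means deny (assumed semantics)."""
    for line in acl_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "acl":
            continue
        perm, rule_user, rule_action = fields[1:4]
        rule_obj = fields[4] if len(fields) > 4 else "all"
        if (rule_user in ("all", user) and rule_action in ("all", action)
                and rule_obj in ("all", obj)):
            return perm == "allow"
    return False


if __name__ == "__main__":
    who = "bob@QPID"
    print(run_matrix(who, lambda text, a, o: evaluate(text, who, a, o)) or "all cases passed")
```

Plugging a real client into `attempt` keeps the case generation and the leakage check unchanged; only the reload-and-try step changes.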