2008/9/24 Carl Trieloff <[EMAIL PROTECTED]>:
> Martin Ritchie wrote:
>>
>> 2008/9/24 Carl Trieloff <[EMAIL PROTECTED]>:
>>
>>> Martin Ritchie wrote:
>>>
>>>> 2008/9/17 Carl Trieloff <[EMAIL PROTECTED]>:
>>>>
>>>>> http://cwiki.apache.org/qpid/acl.html
>>>>>
>>>>> I am going to replace bind/unbind with create/delete in ACL file
>>>>> format.
>>>>>
>>>>> Mail to serve as FYI notification as they are equivalent.
>>>>> Carl.
>>>>
>>>> Hi Carl,
>>>>
>>>> Just catching up on all my emails after a nice long break :)
>>>>
>>>> Are you also going to add a new object for bindings so you
>>>> 'create/delete binding'? Can you give us an example of a before and
>>>> after ACL entry?
>>>>
>>>> Also noticed your update to the ACL page:
>>>>
>>>> [EMAIL PROTECTED]
>>>>
>>>> Is the '@QPID' some namespace definition? Currently the Java broker
>>>> takes the username token to be the value provided by the client
>>>> connection. IIRC you can't have an @ in the AMQP username.
>>>>
>>>> Cheers
>>>>
>>>> Martin
>>>
>>> Martin,
>>>
>>> I have not made that change yet as I was debating it a bit. But the idea
>>> would be to add an object called a binding. In thinking it through it is
>>> not entirely functionally equivalent, so I backed out of the change.
>>>
>>> Having the operations on exchange means that you can generically lock
>>> down an exchange and not have to apply ACL to all the binding objects.
>>> So unless I can figure out the above use case I think it is better to
>>> leave it as it is.
>>>
>>> On the @ identifier, that is [EMAIL PROTECTED]/realm. So yes, it is the
>>> userid as supplied when using SASL with the domain not stripped (for
>>> Cyrus).
>>>
>>> You say you can't have an @; is that in the spec? If so, that is a bug
>>> in the spec. It is needed for Kerberos or any domained security model.
>>
>> My mistake.. it just says it is a shortstr; I thought there was something
>> else to it. I'll add in handling for the userid format if you can confirm
>> this is correct:
>>
>> userid = username[@<domain>[/<realm>]]
>> username =
>> domain =
>> realm =
>>
>> Hopefully I'll get some time to finish off the new Java Broker ACL
>> work. Testing is the hardest part, so any suggestions on automating it
>> would be greatly appreciated.
>
> For testing, I think I might have an approach... the idea is to create a
> python client that will run through all the combos of actions and objects,
> and test each action both ways (allow & deny) by having a set of ACL files
> that get reloaded via the mgmt commands from the same client.
>
> Not written yet, but that is my current idea to automate it.
>
> Carl.

Yeah, I was working on something similar... though in Java. I autogenerated
all the pairs of tests but wanted some way to generate the content. As the
Java broker doesn't have a mgmt command to reload, I was just going to start
a new broker. Will give it some more thought.

Martin
--
Martin Ritchie
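As an added example (not code from Qpid or from either poster), here is a small Python parser for the userid form Martin proposes above, `username[@<domain>[/<realm>]]`, together with a helper that shows what an ACL entry would be matched against depending on whether the SASL layer keeps or strips the domain part. The thread leaves the `username`, `domain` and `realm` tokens undefined, so this code assumes they are non-empty, whitespace-free strings and that the first `@` ends the username and the first `/` after it ends the domain. The sample userids (`guest@QPID`, `guest@OTHER`, `guest@QPID/EXAMPLE.COM`) are constructed for illustration; the function names are mine, not Qpid's.

```python
"""Parser for the userid form discussed on the list:

    userid = username[@<domain>[/<realm>]]

Added example, not Qpid code. Assumptions (the thread leaves the tokens
undefined): username, domain and realm are non-empty and contain no
whitespace; the first '@' ends the username and the first '/' after it
ends the domain.
"""
from typing import NamedTuple, Optional


class UserId(NamedTuple):
    username: str
    domain: Optional[str]
    realm: Optional[str]


def parse_userid(userid: str) -> UserId:
    """Split a userid into its username, domain and realm parts.

    Raises ValueError on an empty component so that a malformed token
    such as '@QPID' cannot silently turn into a different principal.
    """
    if not userid or any(c.isspace() for c in userid):
        raise ValueError("userid must be a non-empty token without whitespace")
    username, at, rest = userid.partition("@")
    if not username:
        raise ValueError("empty username in %r" % userid)
    if not at:
        # Plain username, no domain or realm (what the Java broker sees
        # when the client supplies an undecorated name).
        return UserId(username, None, None)
    domain, slash, realm = rest.partition("/")
    if not domain:
        raise ValueError("empty domain in %r" % userid)
    if slash and not realm:
        raise ValueError("empty realm in %r" % userid)
    return UserId(username, domain, realm if slash else None)


def acl_principal(userid: str, strip_domain: bool) -> str:
    """Return the identity string an ACL entry would be compared against.

    strip_domain=False keeps the userid as supplied (the Cyrus SASL case
    Carl describes, where 'user@QPID' entries in the ACL file make sense);
    strip_domain=True models a layer that discards '@domain/realm' before
    the ACL check.
    """
    parsed = parse_userid(userid)
    if strip_domain or parsed.domain is None:
        return parsed.username
    principal = "%s@%s" % (parsed.username, parsed.domain)
    if parsed.realm is not None:
        principal += "/" + parsed.realm
    return principal


def collides(userid_a: str, userid_b: str, strip_domain: bool) -> bool:
    """True if two distinct userids map to the same ACL identity.

    With the domain stripped, 'guest@QPID' and 'guest@OTHER' become one
    principal, which is the reason a domained model needs the '@' kept.
    """
    return acl_principal(userid_a, strip_domain) == acl_principal(
        userid_b, strip_domain
    )


if __name__ == "__main__":
    # Constructed sample userids, not taken from any real deployment.
    for uid in ("guest", "guest@QPID", "guest@QPID/EXAMPLE.COM"):
        print(uid, "->", parse_userid(uid), "| acl:", acl_principal(uid, False))
    print("stripped collision:", collides("guest@QPID", "guest@OTHER", True))
```

Running the block prints each parsed sample and shows that, with the domain stripped, `guest@QPID` and `guest@OTHER` collapse to the same principal; with it kept they stay distinct, which is the behaviour the `[EMAIL PROTECTED]` style ACL entries rely on.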
