[jira] Commented: (QPID-2541) Separate Group an ACL configuration and make group sources pluggable

2010-05-12 Thread Andrew Kennedy (JIRA)

[ https://issues.apache.org/jira/browse/QPID-2541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12866562#action_12866562 ]

Andrew Kennedy commented on QPID-2541:
--

Understood, and this is what I would like: if we are going to use LDAP, it
would be for both authentication and group membership. Having groups defined
and included only in the ACL file parser was what I was wanting to change. This
could easily fit in with the existing authentication mechanisms, and that is
probably the best place for it, yes. The notion of separate user and group
mechanisms was meant to describe the current situation, and obviously it makes
no sense to have a group file delivering the groups when authentication is done
via Active Directory, say.

I believe there is a need for this when external authentication mechanisms are 
used for precisely the reason above - it is a possible security issue!

The external group file mechanism is meant to work in combination with the 
current external password file, decoupling groups from ACLs.

Hope that explains things better,

Andrew.

 Separate Group an ACL configuration and make group sources pluggable
 

 Key: QPID-2541
 URL: https://issues.apache.org/jira/browse/QPID-2541
 Project: Qpid
  Issue Type: Sub-task
  Components: Java Broker
Reporter: Andrew Kennedy
 Fix For: 0.7




-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


-
Apache Qpid - AMQP Messaging Implementation
Project:  http://qpid.apache.org
Use/Interact: mailto:dev-subscr...@qpid.apache.org



[jira] Commented: (QPID-2541) Separate Group an ACL configuration and make group sources pluggable

2010-05-12 Thread Rajith Attapattu (JIRA)

[ https://issues.apache.org/jira/browse/QPID-2541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12866573#action_12866573 ]

Rajith Attapattu commented on QPID-2541:


Thanks for the explanation.

As long as the group mechanism is tied to the authentication I am fine with it.
I would also like to retain the ability to specify groups in the ACL file as 
well.




[jira] Commented: (QPID-2541) Separate Group an ACL configuration and make group sources pluggable

2010-05-11 Thread Rajith Attapattu (JIRA)

[ https://issues.apache.org/jira/browse/QPID-2541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12866252#action_12866252 ]

Rajith Attapattu commented on QPID-2541:


Continuing the discussion from QPID-2539,

I think there is absolutely no value in a group mechanism that is not tied to
authentication.
In fact I think it's a security loophole that can be exploited.

Also we need to be careful when adding features.
Unless there is a demonstrable need for such changes we shouldn't be just
adding features for the sake of it.
This is not to say that we shouldn't allow a pluggable group mechanism, but to
stress the point that it's not useful if it's not tied to the authentication
mechanism.




[jira] Commented: (QPID-2541) Separate Group an ACL configuration and make group sources pluggable

2010-04-27 Thread Andrew Kennedy (JIRA)

[ https://issues.apache.org/jira/browse/QPID-2541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12861328#action_12861328 ]

Andrew Kennedy commented on QPID-2541:
--

A suggested API for the plugin is shown below (although only the first method
is needed), followed by an example of how various group plugins would be
configured in the main Java broker XML configuration file. See the
authentication mechanisms in the Java broker for an example of how this could
be implemented.

== groups plugin api ==
/** Check if a user is in a group? */
boolean checkMembership(String userName, String groupName);

/** Get the users that are members of a group. */
List<String> getMembership(String groupName);

/** Get the groups that a user is a member of. */
List<String> getGroups(String userName);
==

== config.xml ==
<broker>
  <security>
    <!-- group file configuration -->
    <groups>
      <plugin>
        org.apache.qpid.server.security.groups.plugin.UnixFile
      </plugin>
      <file>${QPID_HOME}/etc/group</file>
    </groups>

    <!-- windows active directory configuration -->
    <groups>
      <plugin>
        org.apache.qpid.server.security.groups.plugin.ActiveDirectory
      </plugin>
      <root>
        <server name="192.168.0.1">
          <config name="key" value="data" />
          <config name="key" value="data" />
          <config name="key" value="data" />
        </server>
      </root>
    </groups>

    <!-- LDAP / JNDI servers -->
    <groups>
      <plugin>
        org.apache.qpid.server.security.groups.plugin.LDAPServer
        org.apache.qpid.server.security.groups.plugin.JNDIServer
      </plugin>
      <server username="user" password="pass" ip="192.168.0.2" />
    </groups>
  </security>
</broker>
==

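The three-method API proposed in the comment above, as an added worked example that is not part of this ticket or of the Qpid code base: a group source in the spirit of the UnixFile plugin, backed by a file in /etc/group format, which also enforces the point both commenters make about tying groups to authentication. The class name UnixFileGroupPlugin, the constructed group file and the constructed list of users "from the password file" are this example's own assumptions; the ticket only names the interface methods and the plugin class.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/**
 * Example group source (not Qpid code) implementing the suggested plugin API
 * over a file in /etc/group format. Only members that the authentication
 * source (here, the user list from the password file) knows are accepted, so a
 * stale or hand-edited group file cannot hand privileges to a name that can
 * never log in.
 */
public class UnixFileGroupPlugin {

    /** group name -> sorted member names. */
    private final Map<String, Set<String>> membersByGroup = new LinkedHashMap<>();
    /** user name -> sorted group names; the reverse index behind getGroups(). */
    private final Map<String, Set<String>> groupsByUser = new HashMap<>();
    /** users the authentication mechanism can actually authenticate. */
    private final Set<String> knownUsers;

    public UnixFileGroupPlugin(String groupFileContents, Set<String> usersKnownToAuthentication) {
        this.knownUsers = Collections.unmodifiableSet(new TreeSet<>(usersKnownToAuthentication));
        parse(groupFileContents);
    }

    /** Parse "name:password:gid:member1,member2" lines; blank lines and # comments are skipped. */
    private void parse(String contents) {
        for (String raw : contents.split("\\r?\\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) {
                continue;
            }
            String[] fields = line.split(":", -1);
            if (fields.length != 4) {
                throw new IllegalArgumentException("malformed group entry: " + line);
            }
            String group = fields[0];
            Set<String> members = membersByGroup.computeIfAbsent(group, g -> new TreeSet<>());
            for (String user : fields[3].split(",")) {
                String name = user.trim();
                if (name.isEmpty()) {
                    continue;
                }
                // Fail closed: a member the password file never issued is a
                // configuration error, not a grant to an unauthenticatable name.
                if (!knownUsers.contains(name)) {
                    throw new IllegalArgumentException("group '" + group + "' lists '" + name
                            + "', which the authentication source does not know");
                }
                members.add(name);
                groupsByUser.computeIfAbsent(name, u -> new TreeSet<>()).add(group);
            }
        }
    }

    /** Check if a user is in a group. Unknown users and groups are simply not members. */
    public boolean checkMembership(String userName, String groupName) {
        Set<String> members = membersByGroup.get(groupName);
        return members != null && members.contains(userName);
    }

    /** Get the users that are members of a group (empty for an unknown group). */
    public List<String> getMembership(String groupName) {
        Set<String> members = membersByGroup.get(groupName);
        return members == null ? Collections.<String>emptyList() : new ArrayList<>(members);
    }

    /** Get the groups that a user is a member of (empty for an unknown user). */
    public List<String> getGroups(String userName) {
        Set<String> groups = groupsByUser.get(userName);
        return groups == null ? Collections.<String>emptyList() : new ArrayList<>(groups);
    }

    public static void main(String[] args) {
        // Constructed inputs for this example: the users a password file would
        // define, and a group file in /etc/group format.
        Set<String> usersFromPasswordFile = new TreeSet<>(Arrays.asList("alice", "bob", "guest"));
        String groupFile = "# name:password:gid:members\n"
                + "admins:x:100:alice\n"
                + "publishers:x:101:alice,bob\n"
                + "consumers:x:102:bob,guest\n";

        UnixFileGroupPlugin plugin = new UnixFileGroupPlugin(groupFile, usersFromPasswordFile);
        System.out.println("alice in admins: " + plugin.checkMembership("alice", "admins"));
        System.out.println("bob in admins:   " + plugin.checkMembership("bob", "admins"));
        System.out.println("publishers:      " + plugin.getMembership("publishers"));
        System.out.println("groups of bob:   " + plugin.getGroups("bob"));

        // A group file naming a user the password file does not contain is
        // rejected when loaded, instead of silently becoming an ACL principal.
        try {
            new UnixFileGroupPlugin("admins:x:100:mallory\n", usersFromPasswordFile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The load-time cross-check is the concrete form of "tied to authentication" for a file-backed group source: the ACL parser then only ever sees group names and members that the password file can actually authenticate. For an LDAP or Active Directory plugin the same invariant comes for free when the directory is the source for both the login and the group lookup, which is the arrangement both commenters describe.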



[jira] Commented: (QPID-2541) Separate Group an ACL configuration and make group sources pluggable

2010-04-27 Thread Rajith Attapattu (JIRA)

[ https://issues.apache.org/jira/browse/QPID-2541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12861400#action_12861400 ]

Rajith Attapattu commented on QPID-2541:


Excellent !

I agree that both brokers need to have the groups mechanism pluggable.
However we also need to think about how these groups will correspond to the
users handled via the authentication mechanism.
Here are some questions.

1. If we use LDAP, a Unix file or Active Directory, is that only used to manage
the groups?
Will they also be used with authentication via the SASL EXTERNAL mechanism?

2. If we are not going to use the above mechanisms for authentication, then how
do you propose to tie them in?
(I'd question the value of using them for just managing groups, but perhaps
I may have missed something)

The authentication and authorization mechanisms work hand in hand and any
grouping has to be thought of in the context of both.


