[ https://issues.apache.org/jira/browse/QPID-6986?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Keith Wall closed QPID-6986.
----------------------------
    Resolution: Duplicate

> Management: Users should not be able to view an object to which they have no access
> -----------------------------------------------------------------------------------
>
>                 Key: QPID-6986
>                 URL: https://issues.apache.org/jira/browse/QPID-6986
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>            Reporter: Keith Wall
>             Fix For: qpid-java-6.2
>
>
> In a managed service scenario, a single Broker may host applications
> belonging to different groups. For management purposes, an operator needs
> to be able to enter the management console and check on queues, messages,
> exchanges etc of his application.
>
> However, the Broker should have the ability to restrict an operator from
> viewing the objects of a virtual host to which he has no access permission.
>
> Currently the Broker enforces CRUD permissions on all objects in the
> hierarchy, but this does not impose restrictions on *view*.
>
> The view restriction needs to apply to the Web Management Console and the
> REST-API.
>
> An interesting case is Connections. Connections are children on a Port but
> become associated with a Virtualhost. A management user with access
> permission to a virtual host needs to be able to see the connections
> associated with that virtual host, even if he doesn't have permission to
> view the Broker or Port directly.
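
The view restriction requested in the issue, including the Connections case, sketched as an added example; this is not Qpid code and not part of the original message. The object model, the class and function names and the sample hierarchy are hypothetical, and treating a connection that has no virtual host association yet as a broker-level object is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ManagedObject:
    category: str                                   # "Broker", "Port", "VirtualHost", "Queue", "Connection"
    name: str
    parent: Optional["ManagedObject"] = None        # position in the management hierarchy
    virtual_host: Optional["ManagedObject"] = None  # association, set only for Connections

@dataclass(frozen=True)
class Operator:
    name: str
    vhost_access: frozenset      # names of virtual hosts the operator has access permission to
    broker_access: bool = False  # may view broker-level objects (Broker, Port)

def owning_virtual_host(obj):
    """Return the virtual host that scopes obj, or None for broker-level objects."""
    if obj.virtual_host is not None:  # Connection: the association wins over the parent Port
        return obj.virtual_host
    while obj is not None:            # otherwise walk up the hierarchy
        if obj.category == "VirtualHost":
            return obj
        obj = obj.parent
    return None

def can_view(user, obj):
    vhost = owning_virtual_host(obj)
    if vhost is None:
        return user.broker_access     # deny by default outside any virtual host
    return vhost.name in user.vhost_access

def list_visible(user, objects):
    """One filter for every listing, so console and REST views cannot diverge."""
    return [o for o in objects if can_view(user, o)]

# Constructed sample hierarchy: two groups sharing one broker and one port.
broker = ManagedObject("Broker", "broker")
port = ManagedObject("Port", "AMQP", parent=broker)
vh_a = ManagedObject("VirtualHost", "groupA", parent=broker)
vh_b = ManagedObject("VirtualHost", "groupB", parent=broker)
q_a = ManagedObject("Queue", "orders", parent=vh_a)
q_b = ManagedObject("Queue", "billing", parent=vh_b)
conn_a = ManagedObject("Connection", "conn-1", parent=port, virtual_host=vh_a)
conn_b = ManagedObject("Connection", "conn-2", parent=port, virtual_host=vh_b)
conn_pending = ManagedObject("Connection", "conn-3", parent=port)  # not yet associated
ALL = [broker, port, vh_a, vh_b, q_a, q_b, conn_a, conn_b, conn_pending]
alice = Operator("alice", frozenset({"groupA"}))
```

With this model, `list_visible(alice, ALL)` returns only the groupA virtual host, its queue and conn-1, although alice cannot view the Port that conn-1 is a child of.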