[ https://issues.apache.org/jira/browse/QPID-1583?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Aidan Skinner reassigned QPID-1583: ----------------------------------- Assignee: Martin Ritchie (was: Aidan Skinner) > IP White/Black lists for virtual hosts > -------------------------------------- > > Key: QPID-1583 > URL: https://issues.apache.org/jira/browse/QPID-1583 > Project: Qpid > Issue Type: New Feature > Components: Java Broker > Affects Versions: M5 > Reporter: Aidan Skinner > Assignee: Martin Ritchie > Fix For: M5 > > > Having white/black lists for connecting to a virtual host would be useful. > Questions: > - need to provide an easy way for operate to maintain, secure & backup this > list > - should consider what to do if there file/props etc for this are > corrupt/format wrong > - if possible, the security filtering this provides should be part of a > potential chain of access REDUCING plugins so that this is easy to drop in > and teams can potentially write their own reducing filter class and use > abstraction to define in config for broker > - needs to be at vhost level, and potentially at queue level ? > ------------ > Explicit allow/deny lists of connection patterns on virtualhosts in > config.xml, existing ACL infrastructure for entities below that. > Pattern would be one of: > IP address > CIDR mask > regexp on hostname > Changes would not be possible while broker was running, the file would need > to be editted and then the broker restarted. This avoids the necessity to > consider what happens to existing connections which would be excluded by a > new rule. Errors in configuration would prevent broker startup. > Implementation wise, a new IPRestriction class would extend ACLPlugin which > listens for ConnectionOpen and checks against the list of rules. > AMQProtocolSession needs to expose access to the underlying socket. > --- > We may need to reconsider allowing changes to the lists while the broker is > running. It would probably imply storing these outwith the main configuration > file and instead having something else, potentially a properties file, which > could be editted by the broker as it runs. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online. --------------------------------------------------------------------- Apache Qpid - AMQP Messaging Implementation Project: http://qpid.apache.org Use/Interact: mailto:dev-subscr...@qpid.apache.org