The qpid-dispatch network security model is connection based. The connection over which a user connects to the network determines that user's policy restrictions. Once a user has connected and performed an allowed operation at the ingress connection then the rest of the network passes the request through without checking permissions again. [1]
Link routes are meant to be shared with requests from across the network. A single connection hosting the link route serves the address to any number of users on the network. The router does not create a new connection for each link route request and does not renegotiate with new user credentials.

--Chuck

[1] An exception for multiple policy checks: policy for max-message-size is enforced at edge router ingress and again at interior router ingress if the message is forwarded to an interior router.

----- Original Message -----
> From: "André van der Heijden" <[email protected]>
> To: [email protected]
> Sent: Friday, March 12, 2021 6:05:07 AM
> Subject: Re: Passthrough authentication with linkrouting
>
> All right, thanks, good to know. I read in this Protocol Guide from
> Microsoft / Redhat
> <https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/service-bus-messaging/service-bus-amqp-protocol-guide.md#claims-based-authorization>
> about claims-based authorisation. This seems more or less in line with what
> I referred to in my original question. Do you know if there are plans to
> support this via qpid routers? Thanks already.
>
> Kind regards,
>
> André van der Heijden
>
>
> On Fri, 12 Mar 2021 at 11:27, Gordon Sim <[email protected]> wrote:
>
> > On 12/03/2021 07:50, André van der Heijden wrote:
> > > *The Question*
> > > Is there a way to pass the authentication of the initial consumer all the
> > > way through the link-route down to the end-station? This could be either
> > > username/password or something like an OAuth token or so. The point for us
> > > is that we would want a way to authenticate/authorize the consumer at the
> > > source of the data (Broker zone B) rather than at the gate (Edge Router
> > > Zone A). Would be valuable to hear your perspective/take on this.
> >
> > No, there is no way to do that for link routes.
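The model described in this thread, as an added qdrouterd.conf sketch that is not part of the original messages or the project's documentation: the per-user restrictions live in the vhost policy applied at the ingress listener, while the link route is served over one connector that logs in to the broker with the router's own fixed credentials. Host names, user names, addresses and sizes are constructed placeholders, and a single router stands in for the edge/interior topology of the question.

```conf
# Ingress: the only place a user's identity is authenticated and checked.
listener {
    host: 0.0.0.0
    port: 5672
    authenticatePeer: yes
    saslMechanisms: PLAIN
}

policy {
    enableVhostPolicy: true
    defaultVhost: $default
}

# Per-user authorization is expressed here, at the gate (constructed users).
vhost {
    hostname: $default
    allowUnknownUser: false
    groups: {
        consumers: {
            users: alice, bob
            remoteHosts: *
            sources: orders.*
            targets: orders.*
            maxMessageSize: 1000000
        }
    }
}

# One shared connection to the broker, opened with the router's identity.
# The broker sees "router-zone-a" for every link, never alice or bob.
connector {
    name: broker-zone-b
    host: broker.zone-b.example
    port: 5672
    role: route-container
    saslMechanisms: PLAIN
    saslUsername: router-zone-a
    saslPassword: REPLACE_ME
}

# Links for the orders prefix from any permitted user ride that connection.
linkRoute {
    prefix: orders
    connection: broker-zone-b
    direction: out
}
```

With this layout the broker's own access control can only distinguish the router account, so any restriction that must hold per consumer has to be written into the vhost groups on the ingress router.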
