Author: chirino
Date: Fri Dec 17 20:13:06 2010
New Revision: 1050485
URL: http://svn.apache.org/viewvc?rev=1050485&view=rev
Log:
Better acl management and more doco.
Added:
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorAclDTO.java
- copied, changed from r1050421,
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostAclDTO.java
Modified:
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/AclAuthorizer.scala
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authorizer.scala
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/apollo-ssl.xml
activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/apollo.xml
activemq/activemq-apollo/trunk/apollo-cli/src/main/scala/org/apache/activemq/apollo/cli/commands/Run.scala
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/BrokerAclDTO.java
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorDTO.java
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/DestinationAclDTO.java
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/PrincipalDTO.java
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/QueueAclDTO.java
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostAclDTO.java
activemq/activemq-apollo/trunk/apollo-dto/src/test/resources/org/apache/activemq/apollo/dto/XmlCodecTest.xml
activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala
activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-secure.xml
activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala
activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md
Modified:
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/AclAuthorizer.scala
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/AclAuthorizer.scala?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/AclAuthorizer.scala
(original)
+++
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/AclAuthorizer.scala
Fri Dec 17 20:13:06 2010
@@ -16,10 +16,10 @@
*/
package org.apache.activemq.apollo.broker.security
-import org.apache.activemq.apollo.broker.{Destination, VirtualHost, Broker}
import scala.util.continuations._
import org.apache.activemq.apollo.util.path.Path
import org.apache.activemq.apollo.dto._
+import org.apache.activemq.apollo.broker.{Connector, Destination, VirtualHost,
Broker}
/**
* <p>
@@ -32,33 +32,33 @@ import org.apache.activemq.apollo.dto._
class AclAuthorizer(val default_kinds:List[String]) extends Authorizer {
import collection.JavaConversions._
- var allow_deafult = true
-
- def is_in(ctx: SecurityContext, allowed:java.util.Set[PrincipalDTO]):Boolean
= {
- ctx.intersects(allowed.toSet, default_kinds)
+ def is_in(ctx: SecurityContext,
allowed:java.util.List[PrincipalDTO]):Boolean = {
+ ctx.is_allowed(allowed.toList, default_kinds)
}
def can_admin(ctx: SecurityContext, broker: Broker) = {
if( broker.config.acl!=null ) {
is_in(ctx, broker.config.acl.admins)
} else {
- allow_deafult
+ true
}
}
- def can_connect_to(ctx: SecurityContext, host: VirtualHost) = {
- if( host.config.acl!=null ) {
- is_in(ctx, host.config.acl.connects)
- } else {
- allow_deafult
+ def can_connect_to(ctx: SecurityContext, host: VirtualHost,
connector:Connector):Boolean = {
+ if( host.config.acl!=null && !is_in(ctx, host.config.acl.connects) ) {
+ return false
+ }
+ if( connector.config.acl!=null && !is_in(ctx,
connector.config.acl.connects) ) {
+ return false
}
+ true
}
- private def can_dest(ctx: SecurityContext, host: VirtualHost, dest:
DestinationDTO)(func: DestinationAclDTO=>java.util.Set[PrincipalDTO]) = {
+ private def can_dest(ctx: SecurityContext, host: VirtualHost, dest:
DestinationDTO)(func: DestinationAclDTO=>java.util.List[PrincipalDTO]) = {
if( dest.acl!=null ) {
is_in(ctx, func(dest.acl))
} else {
- allow_deafult
+ true
}
}
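Review bot: The two early `return false` statements in the new `can_connect_to` (L78-L85) read more clearly, and avoid `return` altogether, as one boolean expression: `(host.config.acl==null || is_in(ctx, host.config.acl.connects)) && (connector.config.acl==null || is_in(ctx, connector.config.acl.connects))`. With the hard-coded `true` replacing `allow_deafult`, a missing `acl` element on the host, connector, destination or queue now means unrestricted access, so a short comment on each null-check, `// no acl element configured: access to this resource is unrestricted`, would make the fail-open default explicit to the next reader; the same applies to `can_dest` here and `can_queue` in the following hunk. Conversely an `acl` element whose list is empty denies everyone, since `is_allowed` has no entry to match, which is worth stating in the class Scaladoc alongside the other behaviour.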
@@ -75,11 +75,11 @@ class AclAuthorizer(val default_kinds:Li
can_dest(ctx, host, dest)(_.creates)
}
- private def can_queue(ctx: SecurityContext, host: VirtualHost, queue:
QueueDTO)(func: QueueAclDTO=>java.util.Set[PrincipalDTO]) = {
+ private def can_queue(ctx: SecurityContext, host: VirtualHost, queue:
QueueDTO)(func: QueueAclDTO=>java.util.List[PrincipalDTO]) = {
if( queue.acl!=null ) {
is_in(ctx, func(queue.acl))
} else {
- allow_deafult
+ true
}
}
Modified:
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authorizer.scala
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authorizer.scala?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authorizer.scala
(original)
+++
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authorizer.scala
Fri Dec 17 20:13:06 2010
@@ -16,7 +16,7 @@
*/
package org.apache.activemq.apollo.broker.security
import scala.util.continuations._
-import org.apache.activemq.apollo.broker.{VirtualHost, Broker, Destination}
+import org.apache.activemq.apollo.broker._
import org.apache.activemq.apollo.util.path.Path
import org.apache.activemq.apollo.dto.{DestinationDTO, QueueDTO, BindingDTO}
@@ -36,7 +36,7 @@ trait Authorizer {
/**
* @returns true if the user is allowed to connect to the virtual host
*/
- def can_connect_to(ctx:SecurityContext, host:VirtualHost):Boolean
+ def can_connect_to(ctx:SecurityContext, host:VirtualHost,
connector:Connector):Boolean
/**
* @returns true if the user is allowed to send to the destination
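Review bot: The Scaladoc above the new `can_connect_to` signature still says `@returns true if the user is allowed to connect to the virtual host`, but the method now also receives the `connector`, and the AclAuthorizer implementation in this commit refuses the connection when the connector's own acl rejects the principal. Update it to `* @returns true if the user is allowed to connect to the virtual host through the given connector` and mention that an implementation may consult both the host's and the connector's acl. As a side note, `@return` is the Scaladoc tag; `@returns` as used in this hunk is not recognised by the doc tool.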
Modified:
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
(original)
+++
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
Fri Dec 17 20:13:06 2010
@@ -39,7 +39,7 @@ class SecurityContext {
var login_context:LoginContext = _
- private val principles = new HashSet[PrincipalDTO]()
+ private var principles = Set[PrincipalDTO]()
private var _subject:Subject = _
@@ -47,27 +47,51 @@ class SecurityContext {
def subject_= (value:Subject) {
_subject = value
- principles.clear
+ principles = Set[PrincipalDTO]()
if( value!=null ) {
import collection.JavaConversions._
value.getPrincipals.foreach { x=>
- principles.add(new PrincipalDTO(x.getName, x.getClass.getName))
+ principles += new PrincipalDTO(x.getName, x.getClass.getName)
}
}
}
- def intersects(values:Set[PrincipalDTO], default_kinds:List[String]):Boolean
= {
- val (v1, v2) = values.partition(_.kind == null)
- if( !principles.intersect(v2).isEmpty ) {
- return true
+ def is_allowed(acl:List[PrincipalDTO], default_kinds:List[String]):Boolean =
{
+
+ def matches(p:PrincipalDTO):Boolean = {
+ if( p.kind==null ) {
+ default_kinds.foreach { kind=>
+ if( principles.contains(new PrincipalDTO(p.allow, kind)) ) {
+ return true;
+ }
+ }
+ return false;
+ } else {
+ return principles.contains(p)
+ }
}
- default_kinds.foreach { x=>
- val kinda_added = v1.map(y=> new PrincipalDTO(y.name, x))
- if( ! principles.intersect(kinda_added).isEmpty ) {
- return true
+
+ acl.foreach { p =>
+ p.deny match {
+ case null =>
+ case "*"=>
+ return false;
+ case id =>
+ if( matches(new PrincipalDTO(id, p.kind)) ) {
+ return false;
+ }
+ }
+ p.allow match {
+ case null =>
+ case "*"=>
+ return true;
+ case id =>
+ if( matches(new PrincipalDTO(id, p.kind)) ) {
+ return true
+ }
}
}
- false
+ return false
}
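Review bot: `is_allowed` relies on `return` inside the `default_kinds.foreach` and `acl.foreach` closures (L179-L184, L194-L211), which is a non-local return implemented by throwing `NonLocalReturnControl` on every authorization decision; `exists`/`find` express the same first-match rule directly. The rewrite below keeps the evaluation order exactly: within one entry `deny` is tested before `allow`, the first entry that hits decides, and an acl with no matching entry (or an empty list) denies. Note that `matches` reads `p.allow` even for the deny branch, because the deny id is re-wrapped into a fresh `PrincipalDTO(id, p.kind)` used as a lookup value rather than a rule; that deserves a comment, since `PrincipalDTO.equals` now compares `deny` as well and a lookup built with `deny` set would never match any principal in `principles`.
```scala
  def is_allowed(acl:List[PrincipalDTO], default_kinds:List[String]):Boolean = {

    // `p` is a lookup value: its `allow` field carries the id being looked up
    // (for deny rules too) and `deny` is always null, so it can equal an
    // entry of `principles`. A null kind tries each of the default kinds.
    def matches(p:PrincipalDTO):Boolean =
      if( p.kind==null ) default_kinds.exists(kind => principles.contains(new PrincipalDTO(p.allow, kind)))
      else principles.contains(p)

    def denies(p:PrincipalDTO) = p.deny!=null && (p.deny=="*" || matches(new PrincipalDTO(p.deny, p.kind)))
    def allows(p:PrincipalDTO) = p.allow!=null && (p.allow=="*" || matches(new PrincipalDTO(p.allow, p.kind)))

    // first entry that hits decides; deny wins within an entry; no hit => denied
    acl.find(p => denies(p) || allows(p)).exists(p => !denies(p))
  }
```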
Modified:
activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/apollo-ssl.xml
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/apollo-ssl.xml?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/apollo-ssl.xml
(original)
+++
activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/apollo-ssl.xml
Fri Dec 17 20:13:06 2010
@@ -22,7 +22,7 @@
<!-- used to secure the web admin interface -->
<authentication domain="apollo"/>
<acl>
- <admin name="admins"/>
+ <admin allow="admins"/>
</acl>
<web-admin host="127.0.0.1" port="8080"/>
@@ -45,23 +45,23 @@
an object, then access is not restricted at all.
-->
<acl>
- <connect name="admins"/>
+ <connect allow="admins"/>
</acl>
<destination name="secure.**">
<acl>
- <create name="admins"/>
- <destroy name="admins"/>
- <send name="admins"/>
- <receive name="admins"/>
+ <create allow="admins"/>
+ <destroy allow="admins"/>
+ <send allow="admins"/>
+ <receive allow="admins"/>
</acl>
</destination>
<queue name="secure.**">
<acl>
- <create name="admins"/>
- <destroy name="admins"/>
- <send name="admins"/>
- <receive name="admins"/> <!-- queue browsers -->
- <consume name="admins"/> <!-- regular consumers -->
+ <create allow="admins"/>
+ <destroy allow="admins"/>
+ <send allow="admins"/>
+ <receive allow="admins"/> <!-- queue browsers -->
+ <consume allow="admins"/> <!-- regular consumers -->
</acl>
</queue>
Modified:
activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/apollo.xml
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/apollo.xml?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/apollo.xml
(original)
+++
activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/apollo.xml
Fri Dec 17 20:13:06 2010
@@ -23,7 +23,7 @@
<!-- used to secure the web admin interface -->
<authentication domain="apollo"/>
<acl>
- <admin name="admins"/>
+ <admin allow="admins"/>
</acl>
<web-admin host="127.0.0.1" port="8080"/>
@@ -47,23 +47,23 @@
an object, then access is not restricted at all.
-->
<acl>
- <connect name="admins"/>
+ <connect allow="admins"/>
</acl>
<destination name="secure.**">
<acl>
- <create name="admins"/>
- <destroy name="admins"/>
- <send name="admins"/>
- <receive name="admins"/>
+ <create allow="admins"/>
+ <destroy allow="admins"/>
+ <send allow="admins"/>
+ <receive allow="admins"/>
</acl>
</destination>
<queue name="secure.**">
<acl>
- <create name="admins"/>
- <destroy name="admins"/>
- <send name="admins"/>
- <receive name="admins"/> <!-- queue browsers -->
- <consume name="admins"/> <!-- regular consumers -->
+ <create allow="admins"/>
+ <destroy allow="admins"/>
+ <send allow="admins"/>
+ <receive allow="admins"/> <!-- queue browsers -->
+ <consume allow="admins"/> <!-- regular consumers -->
</acl>
</queue>
Modified:
activemq/activemq-apollo/trunk/apollo-cli/src/main/scala/org/apache/activemq/apollo/cli/commands/Run.scala
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-cli/src/main/scala/org/apache/activemq/apollo/cli/commands/Run.scala?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-cli/src/main/scala/org/apache/activemq/apollo/cli/commands/Run.scala
(original)
+++
activemq/activemq-apollo/trunk/apollo-cli/src/main/scala/org/apache/activemq/apollo/cli/commands/Run.scala
Fri Dec 17 20:13:06 2010
@@ -153,7 +153,7 @@ class Run extends Action with Logging {
val c = new org.eclipse.jetty.http.security.Constraint()
c.setName("BASIC")
val admins:Set[PrincipalDTO] = config.acl.admins.toSet
- c.setRoles(admins.map(_.name).toArray)
+ c.setRoles(admins.map(_.allow).toArray)
c.setAuthenticate(true)
cm.setConstraint(c)
cm.setPathSpec("/*")
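Review bot: `admins.map(_.allow)` at L337 carries only the `allow` side of each rule into the Jetty constraint, so the broker `acl` is enforced with different semantics on the web admin path than in `AclAuthorizer.can_admin`: `deny` entries and the `kind` attribute are ignored here, and a deny-only entry contributes a `null` role. At minimum drop the nulls, `c.setRoles(admins.flatMap(p => Option(p.allow)).toArray)`, and add `// NOTE: only allow="..." entries are honoured here; deny and kind are not enforced for the web admin` so the gap is visible at the call site. If Jetty treats the role `"*"` as any authenticated user (I believe `Constraint.ANY_ROLE` is `"*"`, not verified for this Jetty version) then `allow="*"` happens to line up, but an acl such as `<admin allow="*"/><admin deny="guest"/>` would still admit `guest` to the web console.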
Modified:
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/BrokerAclDTO.java
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/BrokerAclDTO.java?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/BrokerAclDTO.java
(original)
+++
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/BrokerAclDTO.java
Fri Dec 17 20:13:06 2010
@@ -31,6 +31,7 @@ import java.util.*;
public class BrokerAclDTO {
@XmlElement(name="admin")
- public Set<PrincipalDTO> admins = new HashSet<PrincipalDTO>();
+ public List<PrincipalDTO> admins = new ArrayList<PrincipalDTO>();
+
}
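Review bot: Changing `admins` from `Set` to `List` (the same change is made in ConnectorAclDTO, DestinationAclDTO, QueueAclDTO and VirtualHostAclDTO) is what makes rule order significant, because `SecurityContext.is_allowed` takes the first matching entry, yet nothing on the field says so. A comment above the field, `// evaluated in order: the first entry whose allow/deny matches the caller's principals decides`, would keep a later cleanup from reverting it to a Set and silently changing authorization results.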
Copied:
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorAclDTO.java
(from r1050421,
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostAclDTO.java)
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorAclDTO.java?p2=activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorAclDTO.java&p1=activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostAclDTO.java&r1=1050421&r2=1050485&rev=1050485&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostAclDTO.java
(original)
+++
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorAclDTO.java
Fri Dec 17 20:13:06 2010
@@ -19,8 +19,10 @@ package org.apache.activemq.apollo.dto;
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlElement;
-import javax.xml.bind.annotation.XmlRootElement;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
/**
* <p>
@@ -29,9 +31,9 @@ import java.util.*;
* @author <a href="http://hiramchirino.com">Hiram Chirino</a>
*/
@XmlAccessorType(XmlAccessType.FIELD)
-public class VirtualHostAclDTO {
+public class ConnectorAclDTO {
@XmlElement(name="connect")
- public Set<PrincipalDTO> connects = new HashSet<PrincipalDTO>();
+ public List<PrincipalDTO> connects = new ArrayList<PrincipalDTO>();
}
Modified:
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorDTO.java
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorDTO.java?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorDTO.java
(original)
+++
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorDTO.java
Fri Dec 17 20:13:06 2010
@@ -57,5 +57,7 @@ public class ConnectorDTO extends Servic
@XmlElementRef
public List<ProtocolDTO> protocols = new ArrayList<ProtocolDTO>();
-
+ @XmlElement(name="acl")
+ public ConnectorAclDTO acl;
+
}
\ No newline at end of file
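Review bot: The new `acl` field has no documentation; a Javadoc such as `/** Optional connect ACL for this connector. When null, AclAuthorizer.can_connect_to applies no connector-level restriction on who may connect. */` would record the fail-open default the authorizer in this commit implements. The virtual host's acl is checked independently, so a connection is refused only when one of the two configured lists fails to match the caller's principals.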
Modified:
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/DestinationAclDTO.java
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/DestinationAclDTO.java?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/DestinationAclDTO.java
(original)
+++
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/DestinationAclDTO.java
Fri Dec 17 20:13:06 2010
@@ -31,15 +31,15 @@ import java.util.*;
public class DestinationAclDTO {
@XmlElement(name="create")
- public Set<PrincipalDTO> creates = new HashSet<PrincipalDTO>();
+ public List<PrincipalDTO> creates = new ArrayList<PrincipalDTO>();
@XmlElement(name="destroy")
- public Set<PrincipalDTO> destroys = new HashSet<PrincipalDTO>();
+ public List<PrincipalDTO> destroys = new ArrayList<PrincipalDTO>();
@XmlElement(name="send")
- public Set<PrincipalDTO> sends = new HashSet<PrincipalDTO>();
+ public List<PrincipalDTO> sends = new ArrayList<PrincipalDTO>();
@XmlElement(name="receive")
- public Set<PrincipalDTO> receives = new HashSet<PrincipalDTO>();
+ public List<PrincipalDTO> receives = new ArrayList<PrincipalDTO>();
}
Modified:
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/PrincipalDTO.java
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/PrincipalDTO.java?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/PrincipalDTO.java
(original)
+++
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/PrincipalDTO.java
Fri Dec 17 20:13:06 2010
@@ -27,8 +27,11 @@ import javax.xml.bind.annotation.*;
@XmlAccessorType(XmlAccessType.FIELD)
public class PrincipalDTO {
- @XmlAttribute(required = true)
- public String name;
+ @XmlAttribute
+ public String allow;
+
+ @XmlAttribute
+ public String deny;
@XmlAttribute
public String kind;
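Review bot: Dropping `required = true` on the attribute (L454 to L456) means JAXB now accepts an entry with neither `allow` nor `deny`, including any existing configuration still written as `<admin name="admins"/>`; such an entry unmarshals with both fields null and is skipped by `SecurityContext.is_allowed`, so the mistake is invisible at load time. A Javadoc block on the class should state the rule contract: that one of `allow`/`deny` is expected, that `*` matches every principal, that `deny` is tested before `allow` within an entry, and that a null `kind` means the authorizer's default kinds are tried. I cannot see where configurations are validated, but rejecting an entry with both fields null at that point would be worthwhile.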
@@ -37,12 +40,12 @@ public class PrincipalDTO {
public PrincipalDTO() {
}
- public PrincipalDTO(String name) {
- this.name = name;
+ public PrincipalDTO(String allow) {
+ this.allow = allow;
}
- public PrincipalDTO(String name, String kind) {
- this.name = name;
+ public PrincipalDTO(String allow, String kind) {
+ this.allow = allow;
this.kind = kind;
}
@@ -53,18 +56,18 @@ public class PrincipalDTO {
PrincipalDTO that = (PrincipalDTO) o;
+ if (allow != null ? !allow.equals(that.allow) : that.allow != null)
return false;
+ if (deny != null ? !deny.equals(that.deny) : that.deny != null) return
false;
if (kind != null ? !kind.equals(that.kind) : that.kind != null) return
false;
- if (name != null ? !name.equals(that.name) : that.name != null) return
false;
return true;
}
@Override
public int hashCode() {
- int result = name != null ? name.hashCode() : 0;
+ int result = allow != null ? allow.hashCode() : 0;
+ result = 31 * result + (deny != null ? deny.hashCode() : 0);
result = 31 * result + (kind != null ? kind.hashCode() : 0);
return result;
}
-
-
}
Modified:
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/QueueAclDTO.java
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/QueueAclDTO.java?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/QueueAclDTO.java
(original)
+++
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/QueueAclDTO.java
Fri Dec 17 20:13:06 2010
@@ -32,7 +32,6 @@ import java.util.*;
public class QueueAclDTO extends DestinationAclDTO {
@XmlElement(name="consume")
- public Set<PrincipalDTO> consumes = new HashSet<PrincipalDTO>();
-
+ public List<PrincipalDTO> consumes = new ArrayList<PrincipalDTO>();
}
Modified:
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostAclDTO.java
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostAclDTO.java?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostAclDTO.java
(original)
+++
activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostAclDTO.java
Fri Dec 17 20:13:06 2010
@@ -32,6 +32,6 @@ import java.util.*;
public class VirtualHostAclDTO {
@XmlElement(name="connect")
- public Set<PrincipalDTO> connects = new HashSet<PrincipalDTO>();
+ public List<PrincipalDTO> connects = new ArrayList<PrincipalDTO>();
}
Modified:
activemq/activemq-apollo/trunk/apollo-dto/src/test/resources/org/apache/activemq/apollo/dto/XmlCodecTest.xml
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/test/resources/org/apache/activemq/apollo/dto/XmlCodecTest.xml?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-dto/src/test/resources/org/apache/activemq/apollo/dto/XmlCodecTest.xml
(original)
+++
activemq/activemq-apollo/trunk/apollo-dto/src/test/resources/org/apache/activemq/apollo/dto/XmlCodecTest.xml
Fri Dec 17 20:13:06 2010
@@ -18,9 +18,9 @@
<broker basedir="./activemq-data/default" rev="0" enabled="true" id="default"
xmlns="http://activemq.apache.org/schema/activemq/apollo">
<acl>
- <admin name="hiram"/>
- <admin name="james"/>
- <admin name="admins" kind="org.apache.activemq.jaas.GroupPrincipal"/>
+ <admin allow="hiram"/>
+ <admin allow="james"/>
+ <admin allow="admins" kind="org.apache.activemq.jaas.GroupPrincipal"/>
</acl>
<virtual-host enabled="true" id="vh-local">
Modified:
activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala
(original)
+++
activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala
Fri Dec 17 20:13:06 2010
@@ -593,7 +593,7 @@ class StompProtocolHandler extends Proto
if( !host.authenticator.authenticate(security_context) ) {
async_die("Authentication failed.")
noop // to make the cps compiler plugin happy.
- } else if( !host.authorizer.can_connect_to(security_context, host) )
{
+ } else if( !host.authorizer.can_connect_to(security_context, host,
connection.connector) ) {
async_die("Connect not authorized.")
noop // to make the cps compiler plugin happy.
} else {
Modified:
activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-secure.xml
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-secure.xml?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-secure.xml
(original)
+++
activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-secure.xml
Fri Dec 17 20:13:06 2010
@@ -23,36 +23,36 @@
<host-name>localhost</host-name>
<acl>
- <connect name="connect_group"/>
+ <connect allow="connect_group"/>
</acl>
<!-- queue security -->
<queue name="**" kind="ptp">
<acl>
- <create name="can_send_create_queue"/>
- <send name="can_send_create_queue"/>
- <send name="can_send_queue"/>
- <receive name="can_receive_queue"/>
- <consume name="can_consume_queue"/>
+ <create allow="can_send_create_queue"/>
+ <send allow="can_send_create_queue"/>
+ <send allow="can_send_queue"/>
+ <receive allow="can_receive_queue"/>
+ <consume allow="can_consume_queue"/>
</acl>
</queue>
<!-- topic security -->
<destination name="**">
<acl>
- <create name="can_send_create_topic"/>
- <send name="can_send_create_topic"/>
- <send name="can_send_topic"/>
- <receive name="can_recieve_topic"/>
+ <create allow="can_send_create_topic"/>
+ <send allow="can_send_create_topic"/>
+ <send allow="can_send_topic"/>
+ <receive allow="can_recieve_topic"/>
</acl>
</destination>
<!-- durable sub security -->
<queue name="**" kind="ds">
<acl>
- <create name="can_consume_create_ds"/>
- <consume name="can_consume_create_ds"/>
- <consume name="can_consume_ds"/>
+ <create allow="can_consume_create_ds"/>
+ <consume allow="can_consume_create_ds"/>
+ <consume allow="can_consume_ds"/>
</acl>
</queue>
</virtual-host>
Modified:
activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala
(original)
+++
activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala
Fri Dec 17 20:13:06 2010
@@ -774,6 +774,16 @@ class StompSecurityTest extends StompTes
super.beforeAll
}
+ test("Connect with valid id password but can't connect") {
+
+ val frame = connect_request("1.1", client,
+ "login:can_not_connect\n" +
+ "passcode:can_not_connect\n")
+ frame should startWith("ERROR\n")
+ frame should include("message:Connect not authorized.\n")
+
+ }
+
test("Connect with no id password") {
val frame = connect_request("1.1", client)
frame should startWith("ERROR\n")
@@ -789,16 +799,6 @@ class StompSecurityTest extends StompTes
}
- test("Connect with valid id password but can't connect") {
-
- val frame = connect_request("1.1", client,
- "login:can_not_connect\n" +
- "passcode:can_not_connect\n")
- frame should startWith("ERROR\n")
- frame should include("message:Connect not authorized.\n")
-
- }
-
test("Connect with valid id password that can connect") {
connect("1.1", client,
"login:can_only_connect\n" +
Modified:
activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md
(original)
+++
activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md
Fri Dec 17 20:13:06 2010
@@ -168,9 +168,7 @@ destination being created. The attribute
A `destination` element may be configured with the following attributes:
* `unified` : If set to true, then routing then there is no difference
- between sending to a queue or topic of the same name. The first time a
- queue subscriptions is created, it will act like if a durable subscription
- was created on the topic.
+ between sending to a queue or topic of the same name.
* `slow_consumer_policy` : Valid values are `block` and `queue`. Defaults to
`block`. This setting defines how topic subscriptions are handled which
@@ -221,6 +219,19 @@ memory.
from the store at a time. Note that Flushed entires are just reference
pointers to the actual messages. When not loaded, the batch is referenced
as sequence range to conserve memory.
+
+##### Unified Destinations
+
+Unified destinations can be used so that you can mix queue and topic
+behavior on one logical destination. For example, lets assumed `foo`
+is configured as a unified destination and you have 2 subscribers
+on queue `foo` and 2 subscribers on topic `foo`, then when you publish to
+queue `foo` or topic `foo`, the 2 queue subscribers will load balance
+their messages and the 2 topic subscribers will each get a copy of the message.
+
+It is important to note that the unified subscription will not start
+retaining it's messages in a queue until a queue subscriber subscribes from
+it.
##### Message Stores
@@ -384,7 +395,7 @@ The `wine.com` host will use the externa
host will use the internal domain and the `test` host will not authenticate
users.
-##### Changing the Login Modules
+##### Using Custom Login Modules
${project_name} uses JAAS to control against which systems users
authenticate. The default ${project_name} configurations use file based
@@ -426,67 +437,98 @@ Example of customizing the principal kin
#### Authorization
-User authorization to broker resources is accomplished by configuring access
-control lists (ACLs) to the `broker`, `virtual-host`, `destination`, and
-`queue` elements. The ACL define which principals are allowed to perform
-actions against the resources.
-
-Bellow you will find an example which:
-
-* only allows `admins` to use the broker's management interface.
-* only `app1` and `app2` users are allowed to connect to the host.
-* All users are allowed to create and send messages to the app1.*
- queues and destination, but only admins can destroy them and
- only app1 users can subscribe to them.
+User authorization to broker resources is accomplished by configuring an
+access control list using an `acl` element on the `broker`, `connector`,
+`virtual-host`, `destination`, or `queue` resources. The acl defines which
+principals are allowed or denied access to perform actions against the
+resources. An example of `acl` is shown below:
{pygmentize:: xml}
-<broker ...>
- ...
- <acl>
- <admin name="admins"/>
- </acl>
+<acl>
+ <send allow="*"/>
+ <send deny="guest"/>
+ <receive allow="app1"/>
+</acl>
+{pygmentize}
- <virtual-host id="default">
- ...
- <acl>
- <connect name="app1"/>
- <connect name="app2"/>
- </acl>
-
- <destination path="app1.**">
- <acl>
- <create name="all"/>
- <destroy name="admins"/>
- <send name="all"/>
- <receive name="app1"/>
- </acl>
- </destination>
-
- <queue path="app1.**">
- <acl>
- <create name="all"/>
- <destroy name="admins"/>
- <send name="all"/>
- <receive name="app1"/>
- <consume name="app1"/>
- </acl>
- </queue>
- ...
- </virtual-host>
- ...
-</broker>
+If a configuration resource does not have an `acl` element defined within
+it, then the resource allows anyone to access all it's actions. The `acl`
+is made up of a list of authorization rule entries. Each entry defines
+that action the rule applies to and if the rule is allowing or denying
+access to a user principal. The special `*` value matches all users.
+
+Users can have many principals of many different kinds associated with
+them. The rules will only match up against principals of type
+`org.apache.activemq.jaas.GroupPrincipal` since that is the default
+setting of the `acl-principal-kind` of the `authentication` domain.
+
+If you want the rule to match against more/different kinds of principals,
+you should update the `authentication` element's configuration or you
+explicitly state the kind you want to match against in your rule
+definition. Example:
+
+{pygmentize:: xml}
+<acl>
+ <send allow="*"/>
+ <send deny="chirino" kind="org.apache.activemq.jaas.UserPrincipal"/>
+</acl>
{pygmentize}
+The order in which rule entries are defined are significant when the user
+matches multiple entries. The first entry the user matches determines if he
+will have access to the action. For example, lets say a user is groups
+'blue' and 'red', and you are matching against an ACL list defined as:
+
+{pygmentize:: xml}
+<acl>
+ <send deny="blue"/>
+ <send allow="red"/>
+</acl>
+{pygmentize}
+
+Then the user would not be allowed to send since `<send deny="blue"/>` was
+defined first. If the order in the ACL list were reversed, like
+so:
+
+{pygmentize:: xml}
+<acl>
+ <send allow="red"/>
+ <send deny="blue"/>
+</acl>
+{pygmentize}
+
+Then the user would be allowed access to the resource since the first rule
+which matches the user is `<send allow="red"/>`.
+
+The type of resource being secured determines the types of actions that
+can be secured by the acl rule entries. Here is listing of which actions
+can be secured on which resources:
+
+* `broker`
+ * `admin` : use of the administrative web interface
+* `connector` and `virtual-host`
+ * `connect` : allows connections to the connector or virtual host
+* `destination` and `queue`
+ * `create` : allows the destination or queue to be created.
+ * `destroy` : allows the destination or queue to be created.
+ * `send` : allows the user to send to the destination or queue
+ * `receive` : allows the user to send to do non-destructive read
+ from the destination or queue
+* `queue`
+ * `consume` : allows the user to do destructive reads against the queue.
+
#### Encrypting Passwords in the Configuration
-The `etc/apollo.xml` file supports using `${<property-name>}` style syntax.
-You can use any system properties and if the `etc/apollo.xml.properties` file
-exists, then any of the properties defined there. Any of the properties
-values in the `etc/apollo.xml.properties` can be replaced with encrypted
-versions by using the `apollo encrypt` command.
+The `etc/apollo.xml` file supports using `${<property-name>}` style
+syntax. You can use any system properties and if the
+`etc/apollo.xml.properties` file exists, then any of the properties
+defined there. Any of the properties values in the
+`etc/apollo.xml.properties` can be replaced with encrypted versions by
+using the `apollo encrypt` command.
Lets say you your current `key-storage` contains plain text passwords that
need to be replaced with encrypted versions:
+
{pygmentize:: xml}
...
<key-storage
@@ -498,7 +540,7 @@ need to be replaced with encrypted versi
Lets first find out what the encrypted versions of the passwords would be.
${project_name} encrypts and decrypts values using the password stored in
-the `APOLLO_ENCRYPTION_PASSWORD` environment variable.
+the `APOLLO_ENCRYPTION_PASSWORD` environment variable.
The following is an example of how you can encrypt the previous
passwords: