This is an automated email from the ASF dual-hosted git repository. chug pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git
The following commit(s) were added to refs/heads/master by this push: new ab66570 DISPATCH-1388: Clarify policy restrictions defined by vhost objects ab66570 is described below commit ab665701376e34b0a1bc213010f902e778aa7028 Author: Chuck Rolke <c...@apache.org> AuthorDate: Fri Jul 19 14:23:34 2019 -0400 DISPATCH-1388: Clarify policy restrictions defined by vhost objects State more clearly that policy restrictions are applied to client requests at network ingress only. As I read the document now it is unclear if a policy restriction defined by a vhost would be applied to a request originated at a distant point in the network. Suppose I have two vhosts, vhost1 and vhost2, and two users, Alice and Bob. Vhost policy is enabled for address "orders": |"orders" | vhost1 | vhost2 | +---------+--------+--------+ | Alice | allow | deny | | Bob | deny | allow | If Alice creates a receiver for "orders" on vhost1 and Bob creates a sender for "orders" on vhost2 then the router network will Bob's sender to send messages to Alice's receiver. This is allowed even though user Alice is denied access to that address on vhost2 and user Bob is denied access on vhost1. There are separate namespaces for users on each vhost. What user Alice does on vhost1 is unaffected by the namespace restrictions applied to vhost2. Alice's identity is not propagated to vhost2 for subsequent authorization checks. This closes #540 --- docs/books/user-guide/authorization.adoc | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/docs/books/user-guide/authorization.adoc b/docs/books/user-guide/authorization.adoc index 7e10614..c0516e8 100644 --- a/docs/books/user-guide/authorization.adoc +++ b/docs/books/user-guide/authorization.adoc @@ -28,10 +28,12 @@ Global policies:: Settings for the router. A global policy defines the maximum number of incoming user connections for the router (across all messaging endpoints), and defines how the router should use vhost policies. Vhost policies:: -Connection and AMQP resource limits for a messaging endpoint (called an AMQP virtual host, or vhost). A vhost policy defines what a client can access on a messaging endpoint over a particular connection. +Connection and AMQP resource limits for a router ingress port (called an AMQP virtual host, or vhost). A vhost policy defines what a client using a particular connection can access on any messaging endpoint in the router network. The resource limits defined in global and vhost policies are applied to user connections only. The limits do not affect inter-router connections or router connections that are outbound to waypoints. +Access to an AMQP resource allowed by policy for a given user connection to a given vhost is granted across the entire router network. Access restrictions are applied only at the router port to which a client is connected and only to resource requests originated by the client. + == How {RouterName} Enforces Connection and Resource Limits {RouterName} uses policies to determine whether to permit a connection, and if it is permitted, to apply the appropriate resource limits. @@ -407,13 +409,13 @@ Vhost hostname pattern matching applies the following precedence rules: If you want to allow or deny access to multiple addresses on a vhost, there are several methods you can use to match multiple addresses without having to specify each address individually. -The following table describes the methods you can use to specify multiple source and target addresses for a vhost: +The following table describes the methods a vhost policy can use to specify multiple source and target addresses: [cols="33,67",options="header"] |=== | To... | Do this... -| Allow all users in the user group to access all source or target addresses on the vhost +| Allow all users in the user group to access all source or target addresses a| Use a `*` wildcard character. .Receive from Any Address @@ -424,7 +426,7 @@ sources: * ---- ==== -| Prevent all users in the user group from accessing all source or target addresses on the vhost +| Prevent all users in the user group from accessing all source or target addresses a| Do not specify a value. .Prohibit Message Transfers to All Addresses @@ -518,9 +520,9 @@ In this example, a vhost policy defines resource limits for clients connecting t <5> Users in the `admin` user group must connect from localhost. If the admin user attempts to connect from any other host, the connection will be denied. -<6> Users in the admin user group can receive from any address offered by the vhost. +<6> Users in the admin user group can receive from any address. -<7> Users in the admin user group can send to any address offered by the vhost. +<7> Users in the admin user group can send to any address. <8> Any non-admin user is permitted to connect from any host. --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@qpid.apache.org For additional commands, e-mail: commits-h...@qpid.apache.org