Martin Ritchie wrote:
> Hi Carl and other C++ ACL people,
>
> I'm planning on committing the work I have done so far on the new ACL
> specification for the Java broker and there were a few questions I had
> about some of the ways C++ implements the ACLs, as it would be great to
> get both brokers operating in the same way.
>
> I don't recall what the domain and realm values were used for in the
> ACL spec or broker.
>
>     user = userna...@domain[/realm]]
>
> What does the C++ broker use domain and realm for?

Yes, it uses them. What happens when you use a SASL, GSSAPI lib is that
it will add the domain onto the id for you. So the first part is that we
don't strip domains, as that would break PMS centralized security.

Second is it allows for cross domain systems, i.e. if I run Active
Directory for my Windows machines, and something else for my back-end in
different realms.

> Also what validation does the C++ broker do on the file?

See:
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/broker/AclModule.h?view=markup

The validation tree is mapped in this file.

> Why do we need to declare the users in the ACL file?

That is optional, i.e. if you don't have integration with a PMS, you
need to specify the groups and users somewhere.

> Do you require all users to be specified in the ACL file before they
> are 'used'?

Users that are handled via 'all' don't have to be listed.

> Are the objects that are referenced in the ACL file checked to ensure
> they exist? i.e.
>
>     acl allow user consume queue name=ExampleQueue
>
> Does the broker log an error or fail to start up if ExampleQueue
> doesn't exist?

No, the object does not have to exist at time of reading the ACL, i.e.
it can be declared post fact and ACL will be applied to it once it
exists.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
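
Added example, not part of the original message and not Qpid code: a sketch of the two behaviours described in the reply above, namely that ACL rules bind to an object by name at decision time (so loading never checks that the object exists) and that the authenticated id is compared with its domain intact. The sample ids, the function names, and the "first match wins, no match means deny" semantics are assumptions.

```python
from dataclasses import dataclass

# Constructed sample. The ids are made up; the rule shape follows the line
# quoted in the thread: acl allow <user> consume queue name=ExampleQueue
SAMPLE_ACL = """\
acl allow bob@EXAMPLE.COM consume queue name=ExampleQueue
acl deny all consume queue name=ExampleQueue
"""

@dataclass(frozen=True)
class Rule:
    permit: bool
    user: str      # full id as authenticated, domain included, or "all"
    action: str
    obj_type: str
    name: str

def parse_acl(text):
    """Check syntax only. No broker state is consulted, so a rule may name
    an object that has not been declared yet."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue
        key, _, value = parts[-1].partition("=")
        if (len(parts) != 6 or parts[0] != "acl"
                or parts[1] not in ("allow", "deny")
                or key != "name" or not value):
            raise ValueError(f"line {lineno}: malformed rule: {raw!r}")
        rules.append(Rule(parts[1] == "allow", *parts[2:5], value))
    return rules

def authorize(rules, user, action, obj_type, name):
    """Assumed semantics: first matching rule wins, no match means deny.
    The user id is compared whole; the domain is never stripped."""
    for r in rules:
        if (r.user in ("all", user)
                and (r.action, r.obj_type, r.name) == (action, obj_type, name)):
            return r.permit
    return False

if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)  # loads although ExampleQueue does not exist
    for who in ("bob@EXAMPLE.COM", "bob@OTHER.EXAMPLE", "bob"):
        print(who, authorize(rules, who, "consume", "queue", "ExampleQueue"))
```

Only the first id is allowed: the same user name from another domain, or with the domain stripped, falls through to the `all` rule.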