[ 
https://issues.apache.org/jira/browse/QPID-2539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12866177#action_12866177
 ] 

Carl Trieloff commented on QPID-2539:
-------------------------------------

RA: We need to have a mechanism to allow reloading of config files. This may 
include the ACL file, security config, log config, etc.
However, I am wondering how much of config is going to overlap with QMF.

On the C++ side it is done like this:

  <class name="Acl">
    <property name="brokerRef"     type="objId"   references="org.apache.qpid.broker:Broker" access="RO" index="y" parentRef="y"/>
    <property name="policyFile"    type="sstr"    access="RO"    desc="Name of the policy file"/>
    <property name="enforcingAcl"  type="bool"    access="RO"    desc="Currently Enforcing ACL"/>
    <property name="transferAcl"   type="bool"    access="RO"    desc="Any transfer ACL rules in force"/>
    <property name="lastAclLoad"   type="absTime" access="RO"    desc="Timestamp of last successful load of ACL"/>
    <statistic name="aclDenyCount" type="count64" unit="request" desc="Number of ACL requests denied"/>

    <method name="reloadACLFile" desc="Reload the ACL file"/>
  </class>

Then the normal ACL action permissions are applied to the method, allowing you 
to set permissions of who may reload the ACLs.  The reason it is 'METHOD' is that 
it is ACLs applied to QMF methods....

-->

I don't have any preference between ADMIN or MANAGE, but I prefer both of those 
to METHOD. Also, to me this is an operation and the object types I suggested 
would then allow ACL lines like this:

    ACL ALLOW admin ADMIN BROKER # allow JMX/QMF access to read-only management attributes on the broker
    ACL ALLOW admin ADMIN CONFIG # allow JMX/QMF administration of configuration file reloading
    ACL ALLOW admin ADMIN LOG # allow JMX/QMF log level administration
    ACL ALLOW admin ADMIN USER # allow JMX/QMF user administration

<--

For example

group admin (......)
acl allow admin method all  # allow admin group access to all QMF / JMX methods.
acl allow admin access all  #  equivalent of your LOG level statement.
acl allow admin update method reloadACLFile # allow admin group to update acl file.

I believe they are all covered already.

Carl.






> Update ACL file syntax to be clearer and add extra operations
> -------------------------------------------------------------
>
>                 Key: QPID-2539
>                 URL: https://issues.apache.org/jira/browse/QPID-2539
>             Project: Qpid
>          Issue Type: Sub-task
>          Components: Java Broker
>            Reporter: Andrew Kennedy
>             Fix For: 0.7
>
>

