So - personally I'd not be happy releasing the Java Broker without the first change (or some other remediation for the defect) in. I'd consider the defect a blocker for the release given the sort of changes that can now be made through the management GUI.
The other changes (which I made) I can take or leave... the GUI change is obviously trivial, but clearly not a blocker. The SASL for AMQP 1.0 would be nice to have in terms of improving 1.0 support, but again clearly not a blocker.

As an aside, do we have a document somewhere describing our policy for what is or is not acceptable in each RC version?

-- Rob

On 8 April 2013 19:17, Justin Ross <[email protected]> wrote:
> These are all improvements, even the first one. No doubt it's an
> important security enhancement, but it's not a regression, and it
> seems reasonable to release note that you should enable ACLs if you
> wish to use the web console. I'd be more inclined to accept it if the
> change were small, but it isn't.
>
> It's hard for me to reconcile these changes with the goals for a
> second release candidate. I hope you can tell that I ordinarily try
> to be very flexible, but this doesn't make sense.
>
> Honest question: if you have a compelling reason to introduce these
> changes into a stable stream before 0.24, should we have a distinct
> branch for that purpose?
>
> Justin
>
> On Mon, Apr 8, 2013 at 9:45 AM, Oleksandr Rudyy <[email protected]> wrote:
> > Hi Justin,
> >
> > Could you please approve the inclusion of the following into 0.22:
> >
> > JIRA: QPID-4705
> > Revision: http://svn.apache.org/r1465590
> > Description:
> > It fixes the potential security hole with access to the web management
> > console and REST interfaces. Without the fix, if ACL is not configured (by
> > default no ACL is configured) it is possible to access the web management
> > console anonymously and make any configuration changes, including password
> > change, configuring authentication providers etc. The commit in revision
> > r1465590 <http://svn.apache.org/r1465590> stops this from happening by
> > adding functionality to check whether the request is authenticated or
> > authorised and send a redirect to the login page (for the web management
> > console) or send the error status codes (401, 403) for REST requests. The
> > changes are isolated to the HTTP management plugin and do not affect the
> > broker core functionality.
> >
> >
> > JIRA: QPID-4725 <https://issues.apache.org/jira/browse/QPID-4725>
> > Revision: http://svn.apache.org/r1465457
> > Description: Enhances the web management console to display the principal
> > associated with a connection on the connection and virtualhost tabs. The
> > changes are isolated to the web console UI and are of low risk.
> >
> >
> > JIRA: QPID-4726 <https://issues.apache.org/jira/browse/QPID-4726>
> > Revision: http://svn.apache.org/r1465459
> > Description: Improves SASL support for the AMQP 1.0 client. The changes
> > affect only AMQP 1.0 functionality and are of low risk.
> >
> > Kind Regards,
> > Alex
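The kind of check the QPID-4705 description talks about (authenticate every request, authorise it, redirect the console to the login page and answer REST calls with 401/403), shown as an added example. This is not the Qpid Java Broker's code from r1465590; it is an illustrative servlet filter that assumes a "principal" session attribute set by a login handler, a /login.html page, a /rest/ path prefix, and a hypothetical Authoriser interface standing in for the broker's ACL. The read-only fallback used when no Authoriser is installed is this example's own choice, not the project's.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not the Qpid project's code. Guards an HTTP management
 * plugin: a request must carry an authenticated principal and pass an
 * authorisation check before it reaches the console or the REST servlets.
 * Console requests without a login are redirected to the login page; REST
 * requests get 401 (not authenticated) or 403 (not authorised), so scripted
 * clients are never bounced to an HTML page.
 */
public class ManagementAuthFilter implements Filter {
    /** Session attribute holding the logged-in principal (assumed name). */
    static final String PRINCIPAL_ATTR = "principal";
    /** Login page path and REST prefix are assumptions for this example. */
    static final String LOGIN_PAGE = "/login.html";
    static final String REST_PREFIX = "/rest/";

    /** Hypothetical authorisation hook; the broker's ACL would sit behind it. */
    public interface Authoriser {
        boolean isAllowed(String principal, String method, String path);
    }

    private Authoriser authoriser;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // The application installs its ACL-backed Authoriser as a context
        // attribute. With none configured, fall back to "authenticated users
        // may only read": anonymous or write access is never the default.
        Object configured = config.getServletContext()
                .getAttribute(Authoriser.class.getName());
        authoriser = configured instanceof Authoriser
                ? (Authoriser) configured
                : (principal, method, path) -> "GET".equals(method) || "HEAD".equals(method);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        // Path relative to the web application (getRequestURI includes the context path).
        String path = request.getRequestURI().substring(request.getContextPath().length());
        boolean isRest = path.startsWith(REST_PREFIX);

        // The login page itself must stay reachable, or nobody could ever log in.
        if (!isRest && path.equals(LOGIN_PAGE)) {
            chain.doFilter(req, resp);
            return;
        }

        // Authentication. getSession(false) deliberately does not create a
        // session for anonymous callers.
        HttpSession session = request.getSession(false);
        String principal = session == null ? null : (String) session.getAttribute(PRINCIPAL_ATTR);
        if (principal == null) {
            if (isRest) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            } else {
                response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            }
            return;
        }

        // Authorisation is re-evaluated on every request, not only at login,
        // so a logged-in read-only user still cannot change passwords or
        // reconfigure authentication providers.
        if (!authoriser.isAllowed(principal, request.getMethod(), path)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() {
    }
}
```

Mapped in web.xml (or programmatically) with a url-pattern of /* so it sits in front of both the console and the REST servlets, the filter closes the window described above: with no ACL installed an anonymous caller gets a redirect or a 401 rather than a configuration endpoint, and an authenticated caller can only read until an Authoriser says otherwise.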
