[ 
https://issues.apache.org/jira/browse/QPID-4712?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13693063#comment-13693063
 ] 

Gordon Sim commented on QPID-4712:
----------------------------------

The goal is to ensure that enabling AMQP 1.0 doesn't allow any existing 
authorisation policy to be circumvented. The existing rules are heavily 
influenced (distorted?) by AMQP 0-10 without directly following the that 
version in full. A redesign of the permissioning model to be more generic would 
make things more intuitive for AMQP 1.0 users, but is considered out of scope 
for the time being.

Link attachment (i.e. creating a sender or receiver) will always require access 
permission to the node in question (i.e. the queue or exchange). Generally 
there will be other permissions required as well.

To attach as a sender to a queue, publish permission is required for the 
default exchange (amq.default keyword in ACL file) with the queue name as the 
routing key. For a sending link to an exchange the publish permission cannot be 
checked on attach since the routing key is unknown at that point. This is 
similar to 0-10 and the publish permission will be checked (if and only if 
there are any publish rules) for each message (again, exactly like 0-10).

To attach as a receiver from a queue, consume permission is also required for 
the queue in question. To attach as a receiver from an exchange, create and 
consume permission will be required for the subscription queue. The name of 
this is chosen by the broker, but it uses the container id (which can be set as 
a connection option in qpid::messaging) and the link name (which can be set as 
the name proerty in link properties of address in qpid::messaging). In addition 
bind permission is required for the exchange in question. Note however that 
unbind permission is not required in order to detach, as that permission is 
implied (it will happen anyway).

In the 1.0 codepath, the properties used in checking access etc are those of 
the node (queue or exchange). In AMQP 0-10 by contrast the fields of the 
command being checked are used instead (which leads to some anomalies in my 
view since e.g. queue-query doesn't involve any test for autodelete, exclusive 
etc as would a passive declare). 
                
> [AMQP 1.0] ACL support
> ----------------------
>
>                 Key: QPID-4712
>                 URL: https://issues.apache.org/jira/browse/QPID-4712
>             Project: Qpid
>          Issue Type: Bug
>          Components: C++ Broker
>    Affects Versions: 0.22
>            Reporter: Gordon Sim
>            Assignee: Gordon Sim
>             Fix For: 0.23
>
>
> Though e.g. creation of queues and exchanges is governed by ACL rules, 
> creation of connections is not and this should be rectified.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to