[
https://issues.apache.org/jira/browse/QPID-5890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14060118#comment-14060118
]
Chuck Rolke commented on QPID-5890:
-----------------------------------
Here are the Acl validation table dumps.
* In the authorization calls table the call site information is useful for
developers and maintainers but not necessarily for end users.
* In the property usage reference table it appears that 'name' and 'owner' are
unused. The 'name' property is special and is always used. 'owner' could be
deleted.
h2. AclValidator: authorization calls from broker:
||call site||action||object||associated properties||
|Broker::queryQueue|access|queue| |
|Broker::getTimestampConfig|access|broker| |
|Broker::setTimestampConfig|update|broker| |
|Broker::queueRedirect|redirect|queue| |
|Broker::queueMoveMessages|move|queue| |
|Broker::createQueue|create|queue| alternate durable exclusive autodelete policytype paging maxpages maxpagefactor maxqueuecount maxqueuesize maxfilecount maxfilesize |
|Broker::deleteQueue|delete|queue| alternate durable exclusive autodelete policytype |
|Broker::createExchange|create|exchange| type alternate durable autodelete |
|Broker::deleteExchange|delete|exchange| type alternate durable |
|Broker::bind|bind|exchange| queuename routingkey |
|Broker::unbind|unbind|exchange| queuename routingkey |
|ConnectionHandler::Handler::open|create|link| |
|Queue::ManagementMethod|purge|queue| |
|Queue::ManagementMethod|reroute|queue| exchangename |
|SemanticState::route|publish|exchange| routingkey |
|ExchangeHandlerImpl::declare|access|exchange| type alternate durable autodelete |
|ExchangeHandlerImpl::query|access|exchange| |
|ExchangeHandlerImpl::bound|access|exchange| queuename routingkey |
|QueueHandlerImpl::query|access|queue| |
|QueueHandlerImpl::declare|access|queue| alternate durable exclusive autodelete policytype maxqueuecount maxqueuesize |
|QueueHandlerImpl::purge|purge|queue| |
|MessageHandlerImpl::subscribe|consume|queue| |
|Authorise::access|access|exchange| type durable |
|Authorise::access|access|queue| alternate durable exclusive autodelete policytype maxqueuecount maxqueuesize |
|Authorise::incoming|publish|exchange| |
|Authorise::outgoing|bind|exchange| queuename routingkey |
|Authorise::outgoing|consume|queue| |
|Authorise::route|publish|exchange| routingkey |
|Authorise::interlink|create|link| |
|Authorise::access|access|exchange| |
|Authorise::access|access|queue| |
|ManagementAgent::handleMethodRequest|access|method| schemapackage schemaclass |
|ManagementAgent::handleGetQuery|access|query| schemaclass |
|ManagementAgent::authorizeAgentMessage|access|method| schemapackage schemaclass |
h2. AclValidator: validation table:
* Rules marked 'Disallowed' are not ever checked by the broker and should not
be in Acl files.
||action-object||allowed properties||
|( consume)( queue)| |
|( consume)(exchange)|Disallowed|
|( consume)( broker)|Disallowed|
|( consume)( link)|Disallowed|
|( consume)( method)|Disallowed|
|( consume)( query)|Disallowed|
|( publish)( queue)|Disallowed|
|( publish)(exchange)| routingkey |
|( publish)( broker)|Disallowed|
|( publish)( link)|Disallowed|
|( publish)( method)|Disallowed|
|( publish)( query)|Disallowed|
|( create)( queue)| durable autodelete exclusive alternate policytype paging queuemaxsizelowerlimit queuemaxsizeupperlimit queuemaxcountlowerlimit queuemaxcountupperlimit filemaxsizelowerlimit filemaxsizeupperlimit filemaxcountlowerlimit filemaxcountupperlimit pageslowerlimit pagesupperlimit pagefactorlowerlimit pagefactorupperlimit |
|( create)(exchange)| durable autodelete type alternate |
|( create)( broker)|Disallowed|
|( create)( link)| |
|( create)( method)|Disallowed|
|( create)( query)|Disallowed|
|( access)( queue)| durable autodelete exclusive alternate policytype queuemaxsizelowerlimit queuemaxsizeupperlimit queuemaxcountlowerlimit queuemaxcountupperlimit |
|( access)(exchange)| durable routingkey autodelete type alternate queuename |
|( access)( broker)| |
|( access)( link)|Disallowed|
|( access)( method)| schemapackage schemaclass |
|( access)( query)| schemaclass |
|( bind)( queue)|Disallowed|
|( bind)(exchange)| routingkey queuename |
|( bind)( broker)|Disallowed|
|( bind)( link)|Disallowed|
|( bind)( method)|Disallowed|
|( bind)( query)|Disallowed|
|( unbind)( queue)|Disallowed|
|( unbind)(exchange)| routingkey queuename |
|( unbind)( broker)|Disallowed|
|( unbind)( link)|Disallowed|
|( unbind)( method)|Disallowed|
|( unbind)( query)|Disallowed|
|( delete)( queue)| durable autodelete exclusive alternate policytype |
|( delete)(exchange)| durable type alternate |
|( delete)( broker)|Disallowed|
|( delete)( link)|Disallowed|
|( delete)( method)|Disallowed|
|( delete)( query)|Disallowed|
|( purge)( queue)| |
|( purge)(exchange)|Disallowed|
|( purge)( broker)|Disallowed|
|( purge)( link)|Disallowed|
|( purge)( method)|Disallowed|
|( purge)( query)|Disallowed|
|( update)( queue)|Disallowed|
|( update)(exchange)|Disallowed|
|( update)( broker)| |
|( update)( link)|Disallowed|
|( update)( method)|Disallowed|
|( update)( query)|Disallowed|
|( move)( queue)| |
|( move)(exchange)|Disallowed|
|( move)( broker)|Disallowed|
|( move)( link)|Disallowed|
|( move)( method)|Disallowed|
|( move)( query)|Disallowed|
|(redirect)( queue)| |
|(redirect)(exchange)|Disallowed|
|(redirect)( broker)|Disallowed|
|(redirect)( link)|Disallowed|
|(redirect)( method)|Disallowed|
|(redirect)( query)|Disallowed|
|( reroute)( queue)| exchangename |
|( reroute)(exchange)|Disallowed|
|( reroute)( broker)|Disallowed|
|( reroute)( link)|Disallowed|
|( reroute)( method)|Disallowed|
|( reroute)( query)|Disallowed|
h2. AclValidator: property usage reference:
||Property||allowed by action-object||
|name| |
|durable|(create queue)(create exchange)(access queue)(access exchange)(delete queue)(delete exchange)|
|owner| |
|routingkey|(publish exchange)(access exchange)(bind exchange)(unbind exchange)|
|autodelete|(create queue)(create exchange)(access queue)(access exchange)(delete queue)|
|exclusive|(create queue)(access queue)(delete queue)|
|type|(create exchange)(access exchange)(delete exchange)|
|alternate|(create queue)(create exchange)(access queue)(access exchange)(delete queue)(delete exchange)|
|queuename|(access exchange)(bind exchange)(unbind exchange)|
|exchangename|(reroute queue)|
|schemapackage|(access method)|
|schemaclass|(access method)(access query)|
|policytype|(create queue)(access queue)(delete queue)|
|paging|(create queue)|
|queuemaxsizelowerlimit|(create queue)(access queue)|
|queuemaxsizeupperlimit|(create queue)(access queue)|
|queuemaxcountlowerlimit|(create queue)(access queue)|
|queuemaxcountupperlimit|(create queue)(access queue)|
|filemaxsizelowerlimit|(create queue)|
|filemaxsizeupperlimit|(create queue)|
|filemaxcountlowerlimit|(create queue)|
|filemaxcountupperlimit|(create queue)|
|pageslowerlimit|(create queue)|
|pagesupperlimit|(create queue)|
|pagefactorlowerlimit|(create queue)|
|pagefactorupperlimit|(create queue)|
> C++ Broker AclModule.h compiles static code dozens of times
> -----------------------------------------------------------
>
> Key: QPID-5890
> URL: https://issues.apache.org/jira/browse/QPID-5890
> Project: Qpid
> Issue Type: Bug
> Components: C++ Broker
> Affects Versions: 0.15
> Reporter: Chuck Rolke
> Assignee: Chuck Rolke
>
> AclModule needs to be refactored.
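
A lint pass over an ACL file using the validation table in the comment above, added here as an example; it is not part of the original comment or of the Qpid code base. It assumes rule lines of the form `acl <allow|deny> <user> <action> <object> [property=value ...]`; the names `ALLOWED`, `limits` and `lint` and the sample rules are constructed for illustration.

```python
def limits(*stems):
    return {s + b + "limit" for s in stems for b in ("lower", "upper")}

QUEUE = set("durable autodelete exclusive alternate policytype".split())
# Transcribed from the validation table above; absent pairs are 'Disallowed'.
ALLOWED = {
    ("publish", "exchange"): {"routingkey"},
    ("create", "queue"): QUEUE | {"paging"} | limits(
        "queuemaxsize", "queuemaxcount", "filemaxsize", "filemaxcount",
        "pages", "pagefactor"),
    ("create", "exchange"): {"durable", "autodelete", "type", "alternate"},
    ("access", "queue"): QUEUE | limits("queuemaxsize", "queuemaxcount"),
    ("access", "exchange"): {"durable", "routingkey", "autodelete", "type",
                             "alternate", "queuename"},
    ("access", "method"): {"schemapackage", "schemaclass"},
    ("access", "query"): {"schemaclass"},
    ("bind", "exchange"): {"routingkey", "queuename"},
    ("unbind", "exchange"): {"routingkey", "queuename"},
    ("delete", "queue"): QUEUE,
    ("delete", "exchange"): {"durable", "type", "alternate"},
    ("reroute", "queue"): {"exchangename"},
}
for pair in ("consume queue", "create link", "access broker", "purge queue",
             "update broker", "move queue", "redirect queue"):
    ALLOWED[tuple(pair.split())] = set()  # checked, no extra properties

def lint(acl_text):
    """Return (line_no, message) for rules or properties the table rejects."""
    findings = []
    for no, line in enumerate(acl_text.splitlines(), 1):
        tok = line.split()  # assumed rule syntax: acl perm user action object props
        if len(tok) < 5 or tok[0] != "acl" or "all" in tok[3:5]:
            continue  # comments, group lines, wildcard or object-less rules
        pair = (tok[3], tok[4])
        # 'name' is special and always usable, per the comment above.
        bad = {p.split("=")[0] for p in tok[5:]} - ALLOWED.get(pair, set()) - {"name"}
        if pair not in ALLOWED:
            findings.append((no, "%s %s: Disallowed" % pair))
        elif bad:
            findings.append((no, "%s %s: property not allowed: " % pair
                             + " ".join(sorted(bad))))
    return findings

# Constructed sample ACL file (not from the page).
SAMPLE = """\
acl allow bob@QPID create queue name=q1 durable=true
acl deny guest@QPID publish queue name=q1
acl allow bob@QPID bind exchange name=amq.topic routingkey=# type=topic
acl deny all all
"""
```

On the sample, the `deny ... publish queue` rule is flagged because the broker never checks that pair, so the rule restricts nothing.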