[ 
https://issues.apache.org/jira/browse/QPID-4123?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14071965#comment-14071965
 ] 

ASF subversion and git services commented on QPID-4123:
-------------------------------------------------------

Commit 1612874 from [email protected] in branch 'qpid/trunk'
[ https://svn.apache.org/r1612874 ]

QPID-4123: C++ Broker ACL creates too many rules

Recent changes have added new tables to define what
are ACL lookups and their properties. This commit
finishes that work by not propagating rules that
will never match. Also, it completes the scaffolding
for allowed and denied host lists to be fully 
integrated. This commit:

* Adds startup logging of ACL validation tables
  with cross references to possible rule matches.
* Hooks the ACL host allow/deny connection lists
  into self test.
* Fixes self tests that get broken by proper rule
  table handling.
* Introduces a 'create connection' decision mode
  similar to ACL rule decision mode.
* Describes it all in doc book.

> C++ Broker Acl creates too many run-time rules
> ----------------------------------------------
>
>                 Key: QPID-4123
>                 URL: https://issues.apache.org/jira/browse/QPID-4123
>             Project: Qpid
>          Issue Type: Improvement
>          Components: C++ Broker
>    Affects Versions: 0.16
>            Reporter: Chuck Rolke
>            Assignee: Chuck Rolke
>            Priority: Minor
>             Fix For: Future
>
>
> The Acl module creates a table of rules in a two dimensional array. The typical 
> reference to this table is: actionList[action][objType].
> When an Acl rule from the file is processed and the action or objType is '*' 
> then the rule is propagated into the actionList table at every row or column 
> even when the action/object pair will never be referenced.
> For example a rule such as
>  acl allow bob publish * name=X routingkey=a.b.c
> will put the rule into publish/queue, publish/exchange, publish/broker, etc. 
> even when only publish/exchange will ever be referenced.
> In AclModule.h a validationMap is created that identifies which intersections 
> in the actionList are ever used but this map is not used.
> With 5 objects and 9 actions there are 45 actionList entries. Of these only 
> 13 are ever referenced for authorise lookups.
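
The wildcard propagation described in the issue, as an added example that is not code from the Qpid source or from the commit. The enum names, the Rule struct and the validation entries are assumptions; only the publish/exchange pair and the 9 x 5 table size come from the issue text.

```cpp
#include <array>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Assumed names: 9 actions x 5 object types, the counts given in the issue.
enum Action { ACT_CONSUME, ACT_PUBLISH, ACT_CREATE, ACT_ACCESS, ACT_BIND,
              ACT_UNBIND, ACT_DELETE, ACT_PURGE, ACT_UPDATE, ACTION_COUNT };
enum ObjType { OBJ_QUEUE, OBJ_EXCHANGE, OBJ_BROKER, OBJ_LINK, OBJ_METHOD, OBJ_COUNT };
const int ANY = -1;  // '*' in the rule file

struct Rule { std::string text; int action; int objType; };
typedef std::array<std::array<std::vector<std::string>, OBJ_COUNT>, ACTION_COUNT> ActionList;
typedef std::array<std::array<bool, OBJ_COUNT>, ACTION_COUNT> Validation;

// Constructed validation table: only publish/exchange comes from the issue text;
// the other pairs are placeholders, not the broker's real lookup set.
Validation constructedValidation() {
    Validation v{};  // every cell starts as "never looked up"
    v[ACT_PUBLISH][OBJ_EXCHANGE] = true;
    v[ACT_CONSUME][OBJ_QUEUE] = true;
    v[ACT_CREATE][OBJ_QUEUE] = true;
    v[ACT_CREATE][OBJ_EXCHANGE] = true;
    return v;
}

// Expand a rule's wildcards into actionList[action][objType] and return the
// number of cells written. With valid == nullptr every matching cell gets the
// rule; with a validation table, cells that are never looked up are skipped.
std::size_t propagate(ActionList& list, const Rule& r, const Validation* valid) {
    std::size_t added = 0;
    for (int a = 0; a < ACTION_COUNT; ++a) {
        if (r.action != ANY && r.action != a) continue;
        for (int o = 0; o < OBJ_COUNT; ++o) {
            if (r.objType != ANY && r.objType != o) continue;
            if (valid && !(*valid)[a][o]) continue;
            list[a][o].push_back(r.text);
            ++added;
        }
    }
    return added;
}

int main() {
    Validation v = constructedValidation();
    ActionList naive{}, filtered{};
    Rule r{"acl allow bob publish * name=X routingkey=a.b.c", ACT_PUBLISH, ANY};
    std::cout << "unfiltered cells: " << propagate(naive, r, nullptr) << "\n"
              << "filtered cells:   " << propagate(filtered, r, &v) << "\n";
    return 0;
}
```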


