[ 
https://issues.apache.org/jira/browse/QPID-4123?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14073274#comment-14073274
 ] 

Chuck Rolke commented on QPID-4123:
-----------------------------------

IP address connection control is mixed in with some other refactoring and three 
pieces probably need to go together.
{noformat}
QPID-4123 - ACL creates too many rules
QPID-4947 - ACL needs to control IP addresses (this bz)
QPID-5890 - ACL compiles static code dozens of times (needs refactor)

The commits of interest are:

commit   QPID QPID QPID Description
number   4123 4947 5890 
======== ==== ==== ==== ==========
1612874   XX   XX   XX  Use refactored PropertyDefs to qualify rules
                        Better document how ACL works
                        Improve startup logging
1611776        XX       Bugfix - strip IPv6 decoration on incoming connection
1611409        XX       Get rid of boost::make_shared RHEL5 failure
1611059        XX       Self test - detect if no IPv6 is present
1610992        XX       Self test fails if no IPv6. no-op the test
1610874        XX       Land QPID-4947 functionality
1610700             XX  Add missing properties, reorganize
1610697             XX  Add missing properties
1610681        XX   XX  Document keyword host=all
1610547        XX   XX  Update documentation
                        Adds CREATE CONNECTION description
1610195             XX  Remove old unused validationMap
1609900             XX  Improve Acl.cpp selftest
1609828             XX  Refactor
1609728             XX  Refactor - adds AclLexer
{noformat}

> C++ Broker Acl creates too many run-time rules
> ----------------------------------------------
>
>                 Key: QPID-4123
>                 URL: https://issues.apache.org/jira/browse/QPID-4123
>             Project: Qpid
>          Issue Type: Improvement
>          Components: C++ Broker
>    Affects Versions: 0.16
>            Reporter: Chuck Rolke
>            Assignee: Chuck Rolke
>            Priority: Minor
>             Fix For: 0.29
>
>
> The Acl module creates a table of rules in a two-dimensional array. The typical 
> reference to this table is: actionList[action][objType].
> When an Acl rule from the file is processed and the action or objType is '*' 
> then the rule is propagated into the actionList table at every row or column 
> even when the action/object pair will never be referenced.
> For example a rule such as
>  acl allow bob publish * name=X routingkey=a.b.c
> will put the rule into publish/queue, publish/exchange, publish/broker, etc. 
> even when only publish/exchange will ever be referenced.
> In AclModule.h a validationMap is created that identifies which intersections 
> in the actionList are ever used but this map is not used.
> With 5 objects and 9 actions there are 45 actionList entries. Of these only 
> 13 are ever referenced for authorise lookups.


