[
https://issues.apache.org/jira/browse/QPID-6986?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Keith Wall updated QPID-6986:
-----------------------------
Fix Version/s: qpid-java-6.2 (was: qpid-java-6.1)
> Management: Users should not be able to view an object to which they have no
> access
> -----------------------------------------------------------------------------------
>
> Key: QPID-6986
> URL: https://issues.apache.org/jira/browse/QPID-6986
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Keith Wall
> Fix For: qpid-java-6.2
>
>
> In a managed service scenario, a single Broker may host applications
> belonging to different groups. For management purposes, an operator needs
> to be able to enter the management console and check on queues, messages,
> exchanges, etc. of his application.
> However, the Broker should have the ability to restrict an operator from
> viewing the objects of a virtual host to which he has no access permission.
> Currently the Broker enforces CRUD permissions on all objects in the
> hierarchy, but this does not impose restrictions on *view*.
> The view restriction needs to apply to the Web Management Console and the
> REST-API.
> An interesting case is Connections. Connections are children of a Port but
> become associated with a Virtualhost. A management user with access
> permission to a virtual host needs to be able to see the connections associated
> with that virtual host, even if he doesn't have permission to view the Broker
> or Port directly.
>