[ 
https://issues.apache.org/jira/browse/QPID-7935?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Keith Wall updated QPID-7935:
-----------------------------
    Description: 
When access control providers are installed at both the Broker and VirtualHost, 
the one at the VirtualHost needs to DEFER if no decision is made about an 
access decision.  This gives the Broker's access control provider the 
opportunity to make a decision instead.

Currently, the legacy ACL file format supports a CONFIG directive that allows 
the default result of the ruleset to be configured as {{ALLOW}} or {{DENY}}, 
but not {{DEFER}}.  If no CONFIG directive is specified the default result is 
always {{DENY}}.

If the user is using RuleBasedVirtualHostAccessControlProvider#loadFromFile to 
populate their virtualhost rule-set, the user has to additionally remember to 
reset the {{defaultResult}} to {{DEFER}}, otherwise the co-operation between 
Broker/VirtualHost will be broken.

If the legacy ACL file format were to allow a CONFIG directive specifying 
DEFER, then this would eliminate the extra step.

The suggested changes:

# Change the legacy ACL file format to allow CONFIG to specify a default result 
of DEFER.
# Improve AbstractCommonRuleBasedAccessControlProvider#extractRules so that it 
writes a CONFIG directive within the default result, if it is not the default.

  was:
When access control providers are installed at both the Broker and VirtualHost, 
the one at the VirtualHost needs to DEFER if no decision is made about an 
access decision.  This gives the Broker's access control provider the 
opportunity to make a decision instead.

Currently, the legacy ACL file format supports a CONFIG directive that allows 
the default result of the ruleset to be configured as {{ALLOW}} or {{DENY}}, 
but not {{DEFER}}.  If no CONFIG directive is specified the default result is 
always {{DENY}}.

If the user is using RuleBasedVirtualHostAccessControlProvider#loadFromFile to 
populate their virtualhost rule-set, the user has to additionally remember to 
reset the {{defaultResult}} to {{DEFER}}, otherwise the co-operation between 
Broker/VirtualHost will be broken.

If the legacy ACL file format were to allow a CONFIG value of DEFER, then this 
would eliminate the extra step.

The suggested changes:

# Change the legacy ACL file format to allow CONFIG to specify a default result 
of DEFER.
# Improve AbstractCommonRuleBasedAccessControlProvider#extractRules so that it 
writes a CONFIG directive within the default result, if it is not the default.


> [Java Broker] [ACL] Allow legacy ACL rule set to specify a default result of 
> defer
> ----------------------------------------------------------------------------------
>
>                 Key: QPID-7935
>                 URL: https://issues.apache.org/jira/browse/QPID-7935
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>            Reporter: Keith Wall
>
> When access control providers are installed at both the Broker and 
> VirtualHost, the one at the VirtualHost needs to DEFER if no decision is made 
> about an access decision.  This gives the Broker's access control provider 
> the opportunity to make a decision instead.
> Currently, the legacy ACL file format supports a CONFIG directive that allows 
> the default result of the ruleset to be configured as {{ALLOW}} or {{DENY}}, 
> but not {{DEFER}}.  If no CONFIG directive is specified the default result is 
> always {{DENY}}.
> If the user is using RuleBasedVirtualHostAccessControlProvider#loadFromFile 
> to populate their virtualhost rule-set, the user has to additionally 
> remember to reset the {{defaultResult}} to {{DEFER}}, otherwise the 
> co-operation between Broker/VirtualHost will be broken.
> If the legacy ACL file format were to allow a CONFIG directive specifying 
> DEFER, then this would eliminate the extra step.
> The suggested changes:
> # Change the legacy ACL file format to allow CONFIG to specify a default 
> result of DEFER.
> # Improve AbstractCommonRuleBasedAccessControlProvider#extractRules so that 
> it writes a CONFIG directive within the default result, if it is not the 
> default.



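The interaction described in this issue, as an added example that is not part of the original message and is not Qpid's code: a simplified Python model of a VirtualHost rule set consulted before the Broker's, showing how a DENY default shadows the Broker's rules while a DEFER default lets them apply. The class and function names, the rule tuples, first-match evaluation and the treatment of an all-DEFER outcome as DENY are assumptions made for illustration.

```python
from enum import Enum

class Result(Enum):
    ALLOW = "ALLOW"
    DENY = "DENY"
    DEFER = "DEFER"

class RuleSet:
    """Ordered (user, action, object, outcome) rules plus a default result."""
    def __init__(self, rules, default=Result.DENY):
        self.rules = rules
        self.default = default  # DENY mirrors a file with no CONFIG directive

    def check(self, user, action, obj):
        for r_user, r_action, r_obj, outcome in self.rules:
            if (r_user in (user, "ALL") and r_action in (action, "ALL")
                    and r_obj in (obj, "ALL")):
                return outcome  # assumption: first matching rule wins
        return self.default

def authorise(user, action, obj, vhost, broker):
    """Ask the VirtualHost rule set first; only DEFER reaches the Broker's."""
    for level, ruleset in (("virtualhost", vhost), ("broker", broker)):
        result = ruleset.check(user, action, obj)
        if result is not Result.DEFER:
            return result, level
    return Result.DENY, "no-decision"  # assumption: nobody decided -> DENY

# Constructed sample rules (not taken from any real deployment).
VHOST_RULES = [
    ("alice", "CONSUME", "QUEUE", Result.ALLOW),
    ("guest", "ALL", "ALL", Result.DENY),
]
BROKER = RuleSet([("ops", "ALL", "ALL", Result.ALLOW)], default=Result.DENY)

def compare(user, action, obj):
    """Return the decision under a DENY default and under a DEFER default."""
    deny_default = RuleSet(VHOST_RULES, default=Result.DENY)
    defer_default = RuleSet(VHOST_RULES, default=Result.DEFER)
    return (authorise(user, action, obj, deny_default, BROKER),
            authorise(user, action, obj, defer_default, BROKER))

if __name__ == "__main__":
    for request in [("ops", "PUBLISH", "EXCHANGE"), ("alice", "CONSUME", "QUEUE"),
                    ("guest", "CONSUME", "QUEUE"), ("mallory", "CONSUME", "QUEUE")]:
        print(request, compare(*request))
```

Explicit VirtualHost rules decide in both configurations; only requests that match no VirtualHost rule change outcome, which is why a forgotten `defaultResult` reset silently disables the Broker-level rules for that virtualhost.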