-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/64645/#review193976
-----------------------------------------------------------



This seems like a decent approach for starters.

It may have an issue when multiple vhosts come in to the router on the same 
port. All of the connections then are sent to the same authServicePlugin 
authService port for authentication and authz. In the current policy scheme the 
policy is decided later when the AMQP Open frame's hostname field is used as 
the name of the vhost policy. Then the user name is looked up in that vhost 
policy section.


tests/system_tests_authz_service_plugin.py
Lines 67 (patched)
<https://reviews.apache.org/r/64645/#comment272670>

    My system gets an error running authservice.py as the file is not in os.getcwd() but four levels of directory up. It works with
    
    cls.tester.popen([os.path.join(os.path.dirname(os.path.abspath(__file__)), 'authservice.py'),
                      '-a', '127.0.0.1:%d' % cls.auth_service_port,
                      '-c', os.getcwd()],
                     expect=Process.RUNNING)
    
    and having 'chmod +x authservice.py'


- Chug Rolke


On Dec. 15, 2017, 6:20 p.m., Gordon Sim wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/64645/
> -----------------------------------------------------------
> 
> (Updated Dec. 15, 2017, 6:20 p.m.)
> 
> 
> Review request for qpid, Chug Rolke, Ganesh Murthy, and Ted Ross.
> 
> 
> Bugs: DISPATCH-901
>     https://issues.apache.org/jira/browse/DISPATCH-901
> 
> 
> Repository: qpid-dispatch
> 
> 
> Description
> -------
> 
> If the client specifies its desire for the ADDRESS-AUTHZ capability, the 
> authorization service, if it supports this, will return a set of permissions 
> in the properties of the open frame. The properties will have an 
> address-authz key, whose value is a map of address (or wildcard pattern) to 
> an array of permissions. The only permissions recognised at present by this 
> patch are 'send' and 'recv'.
> 
> 
> Diffs
> -----
> 
>   src/policy.c 22cc79f 
>   src/remote_sasl.c e3c969b 
>   tests/CMakeLists.txt 0c6454c 
>   tests/authservice.py PRE-CREATION 
>   tests/system_tests_authz_service_plugin.py PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/64645/diff/2/
> 
> 
> Testing
> -------
> 
> Added new systems tests using proton python based dummy auth service.
> 
> 
> Thanks,
> 
> Gordon Sim
> 
>
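
An added illustration of the address-authz map described in the review request above; it is not code from the patch or from qpid-dispatch. The sample properties are constructed, the function names are hypothetical, and two behaviours the page does not specify are assumptions: wildcard patterns are matched with Python's fnmatch as a stand-in, and a missing or malformed map denies everything.

```python
from fnmatch import fnmatchcase

# The only permissions the description says the patch recognises.
RECOGNISED = frozenset({"send", "recv"})

# Constructed sample of the Open frame properties returned by an auth service.
SAMPLE_OPEN_PROPERTIES = {
    "address-authz": {
        "orders.*": ["send"],
        "replies.alice": ["recv"],
        "audit": ["send", "recv", "admin"],  # 'admin' is not a recognised permission
    }
}


def parse_address_authz(properties):
    """Return {pattern: frozenset(permissions)} from Open frame properties.

    Malformed entries and unrecognised permissions are dropped rather than
    trusted, so a bad entry can only reduce what is granted.
    """
    raw = (properties or {}).get("address-authz")
    if not isinstance(raw, dict):
        return {}  # assumption: no usable map means no permissions
    table = {}
    for pattern, perms in raw.items():
        if not isinstance(pattern, str) or not isinstance(perms, (list, tuple)):
            continue
        table[pattern] = frozenset(
            p for p in perms if isinstance(p, str) and p in RECOGNISED
        )
    return table


def is_allowed(table, address, action):
    """Default deny: allow only if a matching pattern grants the action."""
    if action not in RECOGNISED:
        return False
    # Assumption: fnmatch-style globbing stands in for the router's wildcard rules.
    return any(
        action in perms and fnmatchcase(address, pattern)
        for pattern, perms in table.items()
    )
```
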
