Github user ChugR commented on a diff in the pull request:

    https://github.com/apache/qpid-dispatch/pull/255#discussion_r169471170
  
    --- Diff: doc/new-book/configuration-security.adoc ---
    @@ -412,3 +414,385 @@ listener {
     
     For more information about these attributes, see 
xref:adding_sasl_authentication_to_incoming_connection[].
     --
    +
    +== Authorizing Access to Messaging Resources
    +
    +You can restrict the number of user connections, and control access to 
AMQP messaging resources by configuring _policies_.
    +
    +=== Types of Policies
    +
    +You can configure two different types of policies: _global policies_ and 
_vhost policies_.
    +
    +Global policies::
    +Settings for the router. A global policy defines the maximum number of 
incoming user connections for the router (across all vhost policies), and 
defines how the router should use vhost policies.
    +
    +Vhost policies::
    +Connection and AMQP resource limits for a messaging endpoint (called an 
AMQP virtual host, or _vhost_). A vhost policy defines what a client can access 
on a messaging endpoint over a particular connection.
    ++
    +[NOTE]
    +====
    +A vhost is typically the name of the host to which the client connection 
is directed. For example, if a client application opens a connection to the 
`amqp://mybroker.example.com:5672/queue01` URL, the vhost would be 
`mybroker.example.com`.
    +====
    +
    +The resource limits defined in global and vhost policies are applied to 
user connections only. The limits do not affect inter-router connections or 
router connections that are outbound to waypoints.
    +
    +=== How {RouterName} Applies Policies
    +
    +When a client connects to a router, the router determines whether to 
permit the connection based on the global and vhost policies, and the following 
properties of the connection:
    +
    +* The host to which the connection is directed (the vhost)
    +* The connection's authenticated user name
    +* The host from which the client is connecting (the remote host)
    +
    +If the connection is permitted, then the router applies a vhost policy 
that matches the vhost to which the connection is directed. The vhost policy 
limits are enforced for the lifetime of the connection.
    +
    +=== Configuring Global Policies
    +
    +You can set the incoming connection limit for the router and define how it 
should use vhost policies by configuring a global policy.
    +
    +.Procedure
    +
    +* In the router configuration file, add a `policy` section.
    ++
    +--
    +[options="nowrap",subs="+quotes"]
    +----
    +policy = {
    +    maxConnections: _NUMBER_OF_CONNECTIONS_
    +    enableVhostPolicy: true | false
    +    policyDir: _PATH_
    +    defaultVhost: _VHOST_NAME_
    +}
    +----
    +
    +`maxConnections`::
    +The maximum number of concurrent client connections allowed for this 
router. This limit is always enforced, even if no other policy settings have 
been defined. The limit is applied to all incoming connections regardless of 
remote host, authenticated user, or targeted vhost. The default value is 
`65535`.
    +
    +`enableVhostPolicy`::
    +Enables the router to enforce the connection denials and resource limits 
defined in the configured vhost policies. The default is `false`, which means 
that the router will not enforce any vhost policies.
    ++
    +[NOTE]
    +====
    +Setting `enableVhostPolicy` to `false` improves the router's performance.
    +====
    +
    +`policyDir`:: 
    +The absolute path to a directory that holds vhost policy definition files 
in JSON format (`*.json`). The router processes all of the vhost policies in 
each JSON file that is in this directory. For more information, see 
xref:configuring-vhost-policies-json[].
    +
    +`defaultVhost`:: 
    +The name of the default vhost policy, which is applied to any connection 
for which a vhost policy has not been configured. The default is `$default`. If 
`defaultVhost` is not defined, then default vhost processing is disabled.
    +--
    +
    +=== Configuring Vhost Policies
    +
    +You configure vhost policies to define the connection limits and AMQP 
resource limits for a messaging endpoint.
    +
    +A vhost policy consists of the following:
    +
    +* Connection limits
    ++
    +These limits control the number of users that can be connected to the 
vhost simultaneously.
    +
    +* User groups
    ++
    +A user group defines the messaging resources that the group members are 
permitted to access. Each user group defines the following:
    +
    +** A set of users that can connect to the vhost (the group members)
    +** The remote hosts from which the group members may connect to the router 
network
    +** The AMQP resources that the group members are permitted to access on 
the vhost
    +
    +You can configure vhost policies directly in the router configuration 
file, or create them as JSON files.
    +
    +[[configuring-vhost-policies-router]]
    +==== Configuring Vhost Policies in the Router Configuration File
    +
    +You can configure vhost policies in the router configuration file by 
configuring `vhost` entities. However, if multiple routers in your router 
network should be configured with the same vhost configuration, you will need 
to add the `vhost` configuration to each router's configuration file.
    +
    +.Procedure
    +
    +. In the router configuration file, add a `vhost` section and define the 
connection limits for it.
    ++
    +--
    +The connection limits apply to all users that are connected to the vhost. 
These limits control the number of users that can be connected simultaneously 
to the vhost.
    +
    +[options="nowrap",subs="+quotes"]
    +----
    +vhost = {
    +    id: _HOSTNAME_
    +    maxConnections: _NUMBER_OF_CONNECTIONS_
    +    maxConnectionsPerUser: _NUMBER_OF_CONNECTIONS_
    +    maxConnectionsPerHost: _NUMBER_OF_CONNECTIONS_
    +    allowUnknownUser: true | false
    +    ...
    +}
    +----
    +
    +`id`::
    +The host name of the vhost. This vhost policy will be applied to any 
client connection that is directed to the hostname that you specify.
    +
    +`maxConnections`::
    +The global maximum number of concurrent client connections allowed for 
this vhost. The default is `65535`.
    +
    +`maxConnectionsPerUser`::
    +The maximum number of concurrent client connections allowed for any user. 
The default is `65535`.
    +
    +`maxConnectionsPerHost`::
    +The maximum number of concurrent client connections allowed for any remote 
host (the host from which the client is connecting). The default is `65535`. 
    +
    +`allowUnknownUser`::
    +Whether unknown users (users who are not members of a defined user group) 
are allowed to connect to the vhost. Unknown users are assigned to the 
`$default` user group and receive `$default` settings. The default is `false`, 
which means that unknown users are not allowed.
    +--
    +
    +. In the `vhost` section, beneath the connection settings that you added, 
add the necessary user groups.
    ++
    +--
    +A user group defines what messaging resources the members of the group are 
allowed to access.
    +
    +[options="nowrap",subs="+quotes"]
    +----
    +vhost {
    +    ...
    +    groups: {
    +        _USER_GROUP_: {
    +            users: _USERNAME_, ...
    +            remoteHosts: _HOSTNAME_ | _IP_ADDRESS_ | _IP_ADDRESS_RANGE_
    +            sources: _SOURCE_ADDRESS_, ...
    +            targets: _TARGET_ADDRESS_, ...
    +        },
    +        ...
    +    }
    +}
    +----
    +
    +`users`::
    +A list of authenticated users for this user group. Use commas to separate 
multiple users. A user may belong to only one vhost user group.
    ++
    +.Specifying Users
    +====
    +[options="nowrap"]
    +----
    +users: user1, user2, user3
    +----
    +====
    +
    +`remoteHosts`::
    +A list of remote hosts from which the users may connect. A host can be a 
hostname, IP address, or IP address range. Use commas to separate multiple 
hosts. To allow access from all remote hosts, specify a wildcard `*`. To deny 
access from all remote hosts, leave this attribute blank.
    ++
    +.Setting Remote Hosts
    +====
    +In this example, users in this user group can only connect to the vhost 
from localhost:
    +
    +[options="nowrap"]
    +----
    +remoteHosts: 127.0.0.1, ::1
    +----
    +====
    +
    +`sources`::
    +A list of source addresses from which users in this group may receive 
messages. To specify multiple addresses, separate the addresses with either a 
comma or a space. If you do not specify any addresses, users in this group are 
not allowed to receive messages from any addresses.
    --- End diff --
    
    Maybe call them 'AMQP source addresses' to signal to the reader that it is 
not a network address but a protocol thing. Same for targets. 


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org