Github user ChugR commented on a diff in the pull request:

    https://github.com/apache/qpid-dispatch/pull/255#discussion_r171884076
  
    --- Diff: doc/new-book/configuration-security.adoc ---
    @@ -412,3 +414,356 @@ listener {
     
     For more information about these attributes, see 
xref:adding_sasl_authentication_to_incoming_connection[].
     --
    +
    +== Authorizing Access to Messaging Resources
    +
    +You can restrict the number of user connections, and control access to 
AMQP messaging resources by configuring _policies_.
    +
    +=== Types of Policies
    +
    +You can configure two different types of policies: _global policies_ and 
_vhost policies_.
    +
    +Global policies::
    +Settings for the router. A global policy defines the maximum number of 
incoming user connections for the router (across all vhost policies), and 
defines how the router should use vhost policies.
    +
    +Vhost policies::
    +Connection and AMQP resource limits for a messaging endpoint (called an 
AMQP virtual host, or _vhost_). A vhost policy defines what a client can access 
on a messaging endpoint over a particular connection.
    ++
    +[NOTE]
    +====
    +A vhost is typically the name of the host to which the client connection 
is directed. For example, if a client application opens a connection to the 
`amqp://mybroker.example.com:5672/queue01` URL, the vhost would be 
`mybroker.example.com`.
    +====
    +
    +The resource limits defined in global and vhost policies are applied to 
user connections only. The limits do not affect inter-router connections or 
router connections that are outbound to waypoints.
    +
    +=== How {RouterName} Applies Policies
    +
    +When a client connects to a router, the router determines whether to 
permit the connection based on the global and vhost policies, and the following 
properties of the connection:
    +
    +* The host to which the connection is directed (the vhost)
    +* The connection's authenticated user name
    +* The host from which the client is connecting (the remote host)
    +
    +If the connection is permitted, then the router applies a vhost policy 
that matches the vhost to which the connection is directed. The vhost policy 
limits are enforced for the lifetime of the connection.
    +
    +=== Configuring Global Policies
    +
    +You can set the incoming connection limit for the router and define how it 
should use vhost policies by configuring a global policy.
    +
    +.Procedure
    +
    +* In the router configuration file, add a `policy` section.
    ++
    +--
    +[options="nowrap",subs="+quotes"]
    +----
    +policy = {
    +    maxConnections: 10000  // <1>
    +    enableVhostPolicy: true  // <2>
    +    policyDir: /etc/qpid-dispatch/policies/  // <3>
    +    defaultVhost: $default  // <4>
    +}
    +----
    +<1> The maximum number of concurrent client connections allowed for this 
router. This limit is always enforced, even if no other policy settings have 
been defined. The limit is applied to all incoming connections regardless of 
remote host, authenticated user, or targeted vhost. The default value is 
`65535`.
    +
    +<2> Enables the router to enforce the connection denials and resource 
limits defined in the configured vhost policies. The default is `false`, which 
means that the router will not enforce any vhost policies.
    ++
    +[NOTE]
    +====
    +Setting `enableVhostPolicy` to `false` improves the router's performance.
    +====
    +
    +<3> The absolute path to a directory that holds vhost policy definition 
files in JSON format (`*.json`). The router processes all of the vhost policies 
in each JSON file that is in this directory. For more information, see 
xref:configuring-vhost-policies-json[].
    +
    +<4> The name of the default vhost policy, which is applied to any 
connection for which a vhost policy has not been configured. The default is 
`$default`. If `defaultVhost` is not defined, then default vhost processing is 
disabled.
    +--
    +
    +=== Configuring Vhost Policies
    +
    +You configure vhost policies to define the connection limits and AMQP 
resource limits for a messaging endpoint.
    +
    +A vhost policy consists of the following:
    +
    +* Connection limits
    ++
    +These limits control the number of users that can be connected to the 
vhost simultaneously.
    +
    +* User groups
    ++
    +A user group defines the messaging resources that the group members are 
permitted to access. Each user group defines the following:
    +
    +** A set of users that can connect to the vhost (the group members)
    +** The remote hosts from which the group members may connect to the router 
network
    +** The AMQP resources that the group members are permitted to access on 
the vhost
    +
    +You can configure vhost policies directly in the router configuration 
file, or create them as JSON files.
    +
    +[[configuring-vhost-policies-router]]
    +==== Configuring Vhost Policies in the Router Configuration File
    +
    +You can configure vhost policies in the router configuration file by 
configuring `vhost` entities. However, if multiple routers in your router 
network should be configured with the same vhost configuration, you will need 
to add the `vhost` configuration to each router's configuration file.
    +
    +.Procedure
    +
    +. In the router configuration file, add a `vhost` section and define the 
connection limits for it.
    ++
    +--
    +The connection limits apply to all users that are connected to the vhost. 
These limits control the number of users that can be connected simultaneously 
to the vhost.
    +
    +[options="nowrap",subs="+quotes"]
    +----
    +vhost = {
    +    id: example.com  // <1>
    +    maxConnections: 10000  // <2>
    +    maxConnectionsPerUser: 1000  // <3>
    +    maxConnectionsPerHost: 1000  // <4>
    +    allowUnknownUser: false  // <5>
    +    ...
    +}
    +----
    +
    +<1> The host name of the vhost. This vhost policy will be applied to any 
client connection that is directed to the hostname that you specify.
    +
    +<2> The global maximum number of concurrent client connections allowed for 
this vhost. The default is `65535`.
    +
    +<3> The maximum number of concurrent client connections allowed for any 
user. The default is `65535`.
    +
    +<4> The maximum number of concurrent client connections allowed for any 
remote host (the host from which the client is connecting). The default is 
`65535`. 
    +
    +<5> Whether unknown users (users who are not members of a defined user 
group) are allowed to connect to the vhost. Unknown users are assigned to the 
`$default` user group and receive `$default` settings. The default is `false`, 
which means that unknown users are not allowed.
    +--
    +
    +. In the `vhost` section, beneath the connection settings that you added, 
add the necessary user groups.
    ++
    +--
    +A user group defines what messaging resources the members of the group are 
allowed to access.
    +
    +[options="nowrap",subs="+quotes"]
    +----
    +vhost {
    +    ...
    +    groups: {
    +        admin: {  // <1>
    +            users: admin1, admin2  // <2>
    +            remoteHosts: 127.0.0.1, ::1  // <3>
    +            sources: *  // <4>
    +            targets: *  // <5>
    +        },
    +        ...
    +    }
    +}
    +----
    +
    +<1> The name of the user group.
    +
    +<2> A list of authenticated users for this user group. Use commas to 
separate multiple users. A user may belong to only one vhost user group.
    +
    +<3> A list of remote hosts from which the users may connect. A host can be 
a hostname, IP address, or IP address range. Use commas to separate multiple 
hosts. To allow access from all remote hosts, specify a wildcard `*`. To deny 
access from all remote hosts, leave this attribute blank.
    +
    +<4> A list of AMQP source addresses from which users in this group may 
receive messages. To specify multiple AMQP addresses, separate the addresses 
with either a comma or a space. If you do not specify any addresses, users in 
this group are not allowed to receive messages from any addresses.
    ++
    +You can use the substitution token `{user}` to specify an AMQP address 
that contains a user's authenticated user name. This enables you to allow 
access to resources specific to each user in the user group without having to 
name each user individually. You can only specify the `{user}` token once in an 
AMQP address name. If there are multiple tokens in an address, only the 
leftmost token will be substituted.
    ++
    +You can use an asterisk (`*`) wildcard to match one or more characters in 
an AMQP address. However, this wildcard is only recognized if it is the last 
character in the address name.
    ++
    +.Allowing Access to All Addresses
    +====
    +[options="nowrap"]
    +----
    +sources: *
    +----
    +====
    ++
    +.Restricting Access to All Addresses
    +====
    +[options="nowrap"]
    +----
    +sources:
    +----
    +====
    ++
    +.Allowing Access to Specific Addresses
    +====
    +[options="nowrap"]
    +----
    +sources: myaddress01, myaddress02, myaddress03
    +----
    +====
    ++
    +.Allowing Access to User-Specific Addresses
    +====
    +This definition allows access to any address that meets any of the 
following rules:
    +
    +* Starts with the prefix `tmp_` and ends with the user name
    +* Starts with the prefix `temp` followed by any additional characters
    +* Starts with the user name, is followed by `-home-`, and ends with any 
additional characters
    +
    +[options="nowrap"]
    +----
    +sources: tmp_{user}, temp*, {user}-home-*
    +----
    +====
    +
    +<5> A list of AMQP target addresses from which users in this group may 
send messages. You can specify multiple AMQP addresses and use user name 
substitution and wildcards the same way as with source addresses.
    +--
    +
    +. If necessary, add any advanced user group settings to the vhost user 
group.
    ++
    +The advanced user group settings enable you to define resource limits 
based on the AMQP connection open, session begin, and link attach phases of the 
connection. For more information, see 
link:{qdrouterdConfManPageUrl}#_vhostUserGroupSettings[Vhost User Group 
Settings^].
    +
    +[[configuring-vhost-policies-json]]
    +==== Configuring Vhost Policies as JSON Files
    +
    +As an alternative to using the router configuration file, you can 
configure vhost policies in JSON files. If you have multiple routers that need 
to share the same vhost configuration, you can put the vhost configuration JSON 
files in a location accessible to each router, and then configure the routers 
to apply the vhost policies defined in these JSON files.
    +
    +.Procedure
    +
    +. Determine where to store the vhost policy JSON files.
    ++
    +The directory should be accessible by each router that needs to apply 
these vhost policies.
    +
    +. In the directory you determined, create a JSON file for each vhost 
policy.
    ++
    +The vhost policy is configured the same way as a `vhost` entity in the 
router configuration file, only using JSON syntax. For more information about 
vhost policy attributes, see xref:configuring-vhost-policies-router[].
    ++
    +.Sample Vhost Policy JSON File
    +====
    +[source,json,options="nowrap"]
    +----
    +{
    +    "vhost": {    
    +        "name": "example.com",        
    +        "maxConnectionsPerUser": 100,        
    +        "allowUnknownUser": true,        
    +        "groups": {
    +            "admin": {
    +                "users": ["admin1", "admin2"],
    +                "sources": "*",
    +                "targets": "*"
    +            },
    +            "developers": {    
    +                "users": ["dev1", "dev2", "dev3"],
    +                "remoteHosts": "*",
    +                "sources": ["myqueue1", "myqueue2"],
    +                "targets": ["myqueue1", "myqueue2"]
    +            }
    +        }
    +    }
    +}
    +----
    +====
    +
    +. In the router configuration file, locate the `policy` entity and set the 
`policyDir` attribute to point to the directory where the vhost policy JSON 
files are stored.
    ++
    +.A `policy` Entity
    +====
    +[options="nowrap"]
    +----
    +policy = {
    +    maxConnections: 1000
    +    enableVhostPolicy: true
    +    policyDir: /etc/vhost-policies/ // <1>
    +    defaultVhost: $default
    +}
    +----
    +<1> The absolute path to a directory that holds vhost policy definition 
files in JSON format (*.json). The router processes all of the vhost policies 
in each JSON file that is in this directory.
    +====
    +
    +. Repeat the previous step for each additional router that should use the 
vhost policies located in the vhost policy directory.
    +
    +=== Example: A Vhost Policy Configuration
    --- End diff --
    
    +1


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org

Reply via email to