Github user bhardesty commented on a diff in the pull request:
https://github.com/apache/qpid-dispatch/pull/255#discussion_r171977372
--- Diff: doc/new-book/configuration-security.adoc ---
@@ -412,3 +414,356 @@ listener {
For more information about these attributes, see
xref:adding_sasl_authentication_to_incoming_connection[].
--
+
+== Authorizing Access to Messaging Resources
+
+You can restrict the number of user connections, and control access to
AMQP messaging resources by configuring _policies_.
+
+=== Types of Policies
+
+You can configure two different types of policies: _global policies_ and
_vhost policies_.
+
+Global policies::
+Settings for the router. A global policy defines the maximum number of
incoming user connections for the router (across all vhost policies), and
defines how the router should use vhost policies.
+
+Vhost policies::
+Connection and AMQP resource limits for a messaging endpoint (called an
AMQP virtual host, or _vhost_). A vhost policy defines what a client can access
on a messaging endpoint over a particular connection.
++
+[NOTE]
+====
+A vhost is typically the name of the host to which the client connection
is directed. For example, if a client application opens a connection to the
`amqp://mybroker.example.com:5672/queue01` URL, the vhost would be
`mybroker.example.com`.
+====
+
+The resource limits defined in global and vhost policies are applied to
user connections only. The limits do not affect inter-router connections or
router connections that are outbound to waypoints.
+
+=== How {RouterName} Applies Policies
+
+When a client connects to a router, the router determines whether to
permit the connection based on the global and vhost policies, and the following
properties of the connection:
+
+* The host to which the connection is directed (the vhost)
+* The connection's authenticated user name
+* The host from which the client is connecting (the remote host)
+
+If the connection is permitted, then the router applies a vhost policy
that matches the vhost to which the connection is directed. The vhost policy
limits are enforced for the lifetime of the connection.
+
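Review bot: the final paragraph ("If the connection is permitted, then the router applies a vhost policy that matches the vhost to which the connection is directed.") does not state what happens when no vhost policy matches the connection's vhost, or when the authenticated user or remote host is not covered by the matching policy; an administrator sizing the blast radius of a misconfiguration needs to know whether such a connection is rejected or admitted without limits. Suggest adding one sentence describing that fallback behaviour right after "The vhost policy limits are enforced for the lifetime of the connection.", so the three connection properties listed above are tied to an explicit allow/deny outcome.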
--- End diff --
I reworked this section to better account for the nuances of vhost policies.
---