[ https://issues.apache.org/jira/browse/DISPATCH-1067?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16543724#comment-16543724 ]
ASF GitHub Bot commented on DISPATCH-1067:
------------------------------------------

Github user ChugR commented on a diff in the pull request:

    https://github.com/apache/qpid-dispatch/pull/342#discussion_r202471950

    --- Diff: docs/books/user-guide/configuration-security.adoc ---
@@ -417,290 +417,367 @@ For more information about these attributes, see xref:adding-sasl-authentication == Authorizing Access to Messaging Resources -You can restrict the number of user connections, and control access to AMQP messaging resources by configuring _policies_. +You can configure _policies_ to secure messaging resources in your messaging environment. Policies ensure that only authorized users can access messaging endpoints through the router network, and that the resources on those endpoints are used in an authorized way. -=== Types of Policies - -You can configure two different types of policies: _global policies_ and _vhost policies_. +{RouterName} provides the following types of policies: Global policies:: -Settings for the router. A global policy defines the maximum number of incoming user connections for the router (across all vhost policies), and defines how the router should use vhost policies. +Settings for the router. A global policy defines the maximum number of incoming user connections for the router (across all messaging endpoints), and defines how the router should use vhost policies. Vhost policies:: -Connection and AMQP resource limits for a messaging endpoint (called an AMQP virtual host, or _vhost_). A vhost policy defines what a client can access on a messaging endpoint over a particular connection. -+ -[NOTE] -==== -A vhost is typically the name of the host to which the client connection is directed. For example, if a client application opens a connection to the `amqp://mybroker.example.com:5672/queue01` URL, the vhost would be `mybroker.example.com`. -==== +Connection and AMQP resource limits for a messaging endpoint (called an AMQP virtual host, or vhost). A vhost policy defines what a client can access on a messaging endpoint over a particular connection. The resource limits defined in global and vhost policies are applied to user connections only. 
The limits do not affect inter-router connections or router connections that are outbound to waypoints. -=== How {RouterName} Applies Policies +=== How {RouterName} Enforces Connection and Resource Limits -{RouterName} uses both global and vhost policies to determine whether to permit a connection, and if it is permitted, to apply the appropriate resource limits. +{RouterName} uses policies to determine whether to permit a connection, and if it is permitted, to apply the appropriate resource limits. When a client creates a connection to the router, the router first determines whether to allow or deny the connection. This decision is based on the following criteria: -* Whether the connection will exceed the router's global connection limit (defined in the global policy) -* Whether the connection will exceed the vhost's connection limits (defined in the vhost policy that matches the host to which the connection is directed) +* Whether the connection will exceed the router’s global connection limit (defined in the global policy) -If the connection is allowed, the router assigns the user (the authenticated user name from the connection) to a user group, and enforces the user group's resource limits for the lifetime of the connection. +* Whether the connection will exceed the vhost’s connection limits (defined in the vhost policy that matches the host to which the connection is directed) -=== Configuring Global Policies +If the connection is allowed, the router assigns the user (the authenticated user name from the connection) to a user group, and enforces the user group’s resource limits for the lifetime of the connection. -You can set the incoming connection limit for the router and define how it should use vhost policies by configuring a global policy. +=== Setting Global Connection Limits + +You can set the incoming connection limit for the router. This limit defines the total number of concurrent client connections that can be open for this router. 
.Procedure -* In the router configuration file, add a `policy` section. +* In the router configuration file, add a `policy` section and set the `maxConnections`. + -- [options="nowrap",subs="+quotes"] ---- -policy = { - maxConnections: 10000 // <1> - enableVhostPolicy: true // <2> - policyDir: /etc/qpid-dispatch/policies/ // <3> - defaultVhost: $default // <4> +policy { + maxConnections: 10000 } ---- -<1> The maximum number of concurrent client connections allowed for this router. This limit is always enforced, even if no other policy settings have been defined. The limit is applied to all incoming connections regardless of remote host, authenticated user, or targeted vhost. The default (and the maximum) value is `65535`. +`maxConnections`:: +This limit is always enforced, even if no other policy settings have been defined. The limit is applied to all incoming connections regardless of remote host, authenticated user, or targeted vhost. The default (and the maximum) value is `65535`. +-- + +=== Setting Connection and Resource Limits for Messaging Endpoints + +You can define the connection limit and AMQP resource limits for a messaging endpoint by configuring a _vhost policy_. Vhost policies define what clients can access on a messaging endpoint over a particular connection. --- End diff -- The second sentence would be clearer as "Vhost policies define what resources clients are permitted to access on a messaging endpoint over a particular connection." 
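Review bot: the rewritten "Setting Global Connection Limits" procedure drops `enableVhostPolicy`, `policyDir` and `defaultVhost` from the `policy` example, yet the "Global policies" description earlier in the same hunk still says a global policy "defines how the router should use vhost policies"; nothing left in this hunk documents those three attributes, so either keep them in the example (as the removed `<2>` to `<4>` callouts did) or add an xref to wherever they are now described. Likewise, the deleted NOTE under "Vhost policies" was the only text explaining that the vhost is the host name the client connection is directed to (the `amqp://mybroker.example.com:5672/queue01` example); without it, a reader has no way to tell which vhost policy will be matched for a given connection, which matters because that policy is what grants or denies access. Minor: changing `policy = {` to `policy {` in the example is a correct fix to the configuration syntax and worth calling out in the commit message.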
> Doc improvements for router policies
> ------------------------------------
>
> Key: DISPATCH-1067
> URL: https://issues.apache.org/jira/browse/DISPATCH-1067
> Project: Qpid Dispatch
> Issue Type: Improvement
> Components: Documentation
> Affects Versions: 1.2.0
> Reporter: Ben Hardesty
> Assignee: Ben Hardesty
> Priority: Major
>
> The router policy doc needs to be updated to cover the following enhancements:
> * Patterns for policy hostnames (DISPATCH-990)
> * New policy config attributes (DISPATCH-976)
> * Policy username substitution improvements (DISPATCH-1011)
> * Allow vhost policies to be configured in the router configuration file (DISPATCH-1013)

--
This message was sent by Atlassian JIRA (v7.6.3#76005)