[ 
https://issues.apache.org/jira/browse/DISPATCH-1067?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16543724#comment-16543724
 ] 

ASF GitHub Bot commented on DISPATCH-1067:
------------------------------------------

Github user ChugR commented on a diff in the pull request:

    https://github.com/apache/qpid-dispatch/pull/342#discussion_r202471950
  
    --- Diff: docs/books/user-guide/configuration-security.adoc ---
    @@ -417,290 +417,367 @@ For more information about these attributes, see 
xref:adding-sasl-authentication
     
     == Authorizing Access to Messaging Resources
     
    -You can restrict the number of user connections, and control access to 
AMQP messaging resources by configuring _policies_.
    +You can configure _policies_ to secure messaging resources in your 
messaging environment. Policies ensure that only authorized users can access 
messaging endpoints through the router network, and that the resources on those 
endpoints are used in an authorized way.
     
    -=== Types of Policies
    -
    -You can configure two different types of policies: _global policies_ and 
_vhost policies_.
    +{RouterName} provides the following types of policies:
     
     Global policies::
    -Settings for the router. A global policy defines the maximum number of 
incoming user connections for the router (across all vhost policies), and 
defines how the router should use vhost policies.
    +Settings for the router. A global policy defines the maximum number of 
incoming user connections for the router (across all messaging endpoints), and 
defines how the router should use vhost policies.
     
     Vhost policies::
    -Connection and AMQP resource limits for a messaging endpoint (called an 
AMQP virtual host, or _vhost_). A vhost policy defines what a client can access 
on a messaging endpoint over a particular connection.
    -+
    -[NOTE]
    -====
    -A vhost is typically the name of the host to which the client connection 
is directed. For example, if a client application opens a connection to the 
`amqp://mybroker.example.com:5672/queue01` URL, the vhost would be 
`mybroker.example.com`.
    -====
    +Connection and AMQP resource limits for a messaging endpoint (called an 
AMQP virtual host, or vhost). A vhost policy defines what a client can access 
on a messaging endpoint over a particular connection.
     
     The resource limits defined in global and vhost policies are applied to 
user connections only. The limits do not affect inter-router connections or 
router connections that are outbound to waypoints.
     
    -=== How {RouterName} Applies Policies
    +=== How {RouterName} Enforces Connection and Resource Limits
     
    -{RouterName} uses both global and vhost policies to determine whether to 
permit a connection, and if it is permitted, to apply the appropriate resource 
limits.
    +{RouterName} uses policies to determine whether to permit a connection, 
and if it is permitted, to apply the appropriate resource limits.
     
     When a client creates a connection to the router, the router first 
determines whether to allow or deny the connection. This decision is based on 
the following criteria:
     
    -* Whether the connection will exceed the router's global connection limit 
(defined in the global policy)
    -* Whether the connection will exceed the vhost's connection limits 
(defined in the vhost policy that matches the host to which the connection is 
directed)
    +* Whether the connection will exceed the router’s global connection limit 
(defined in the global policy)
     
    -If the connection is allowed, the router assigns the user (the 
authenticated user name from the connection) to a user group, and enforces the 
user group's resource limits for the lifetime of the connection.
    +* Whether the connection will exceed the vhost’s connection limits 
(defined in the vhost policy that matches the host to which the connection is 
directed)
     
    -=== Configuring Global Policies
    +If the connection is allowed, the router assigns the user (the 
authenticated user name from the connection) to a user group, and enforces the 
user group’s resource limits for the lifetime of the connection.
     
    -You can set the incoming connection limit for the router and define how it 
should use vhost policies by configuring a global policy.
    +=== Setting Global Connection Limits
    +
    +You can set the incoming connection limit for the router. This limit 
defines the total number of concurrent client connections that can be open for 
this router.
     
     .Procedure
     
    -* In the router configuration file, add a `policy` section.
    +* In the router configuration file, add a `policy` section and set the 
`maxConnections`.
     +
     --
     [options="nowrap",subs="+quotes"]
     ----
    -policy = {
    -    maxConnections: 10000  // <1>
    -    enableVhostPolicy: true  // <2>
    -    policyDir: /etc/qpid-dispatch/policies/  // <3>
    -    defaultVhost: $default  // <4>
    +policy {
    +    maxConnections: 10000
     }
     ----
    -<1> The maximum number of concurrent client connections allowed for this 
router. This limit is always enforced, even if no other policy settings have 
been defined. The limit is applied to all incoming connections regardless of 
remote host, authenticated user, or targeted vhost. The default (and the 
maximum) value is `65535`.
    +`maxConnections`::
    +This limit is always enforced, even if no other policy settings have been 
defined. The limit is applied to all incoming connections regardless of remote 
host, authenticated user, or targeted vhost. The default (and the maximum) 
value is `65535`.
    +--
    +
    +=== Setting Connection and Resource Limits for Messaging Endpoints
    +
    +You can define the connection limit and AMQP resource limits for a 
messaging endpoint by configuring a _vhost policy_. Vhost policies define what 
clients can access on a messaging endpoint over a particular connection. 
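    Review bot: The removed NOTE that defined a vhost by example (a client connecting to `amqp://mybroker.example.com:5672/queue01` has the vhost `mybroker.example.com`) is not reinstated anywhere in the visible part of this hunk, yet the added text still tells readers that the router applies "the vhost policy that matches the host to which the connection is directed"; keep that definition under the `Vhost policies::` term or move it into "Setting Connection and Resource Limits for Messaging Endpoints" so readers know which host name a policy is matched against. Related: the trimmed global example drops the `enableVhostPolicy`, `policyDir` and `defaultVhost` callouts, while the added `Global policies::` description still says a global policy "defines how the router should use vhost policies", so either add a cross-reference from "Setting Global Connection Limits" to wherever those attributes are now documented or drop that clause from the description. Minor style point: the added lines "router’s" and "vhost’s" replace the ASCII apostrophes of the removed lines with curly ones; keep whichever form the rest of the file uses. Changing `policy = {` to `policy {` in the example is a correct fix for the router configuration file syntax.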
    --- End diff --
    
    The second sentence would be clearer as "Vhost policies define what 
resources clients are permitted to access on a messaging endpoint over a 
particular connection."


> Doc improvements for router policies
> ------------------------------------
>
>                 Key: DISPATCH-1067
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-1067
>             Project: Qpid Dispatch
>          Issue Type: Improvement
>          Components: Documentation
>    Affects Versions: 1.2.0
>            Reporter: Ben Hardesty
>            Assignee: Ben Hardesty
>            Priority: Major
>
> The router policy doc needs to be updated to cover the following enhancements:
>  * Patterns for policy hostnames (DISPATCH-990)
>  * New policy config attributes (DISPATCH-976)
>  * Policy username substitution improvements (DISPATCH-1011)
>  * Allow vhost policies to be configured in the router configuration file 
> (DISPATCH-1013)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
